• Curious Greg builds a lab Part IV

    Today Curious Greg is going to Houston to visit the Johnson Space Center. Before he leaves he wanted to share the final configuration pieces of the hybrid lab. When we last left the lab we had configured our virtual directories. Today we will start with the email address policy. From the on-premises hybrid server, open the Exchange Management Console and navigate to Organization Configuration > Hub Transport. Edit the default email address policy. On the E-mail Addresses page, select Add to enter the email address for your service-routing namespace; in my case, service.edustl.com.

    On the SMTP E-mail Address dialog, select the E-mail address local part check box and choose Use alias. Also select the accepted domain for the email address and browse to service.edustl.com.

    Apply the email address policy immediately.

    Enable Outlook Anywhere.

    This should already be done and I won’t cover it in this post. To enable it, check out this.

    Configure autodiscover DNS records.

    I used an A record for autodiscover.edustl.com and a CNAME for autodiscover.service.edustl.com. Since my domain uses split-brain DNS, I also configured the internal records.

    Configure Federation Gateway

    Ensure you have a delegated domain namespace. In my case I named mine exchangefederation.edustl.com.

    Run New-FederationTrust, or use the EMC. Ensure you generate the domain proof and publish the TXT records for both the domain and the service domain; in my case, edustl.com and service.edustl.com.

    Once the trust is created, you must then configure the federation trust. If you don’t get an Application Identifier, your domain proof is probably misconfigured.
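    The federation trust steps above, as an added PowerShell example that is not Greg’s own code. It assumes an Exchange 2010 hybrid server with the federation certificate already installed (the thumbprint is a placeholder), takes the post’s delegated namespace exchangefederation.edustl.com as the account namespace, and uses a placeholder mailbox for the final test.

```powershell
# Added example, not the post's own code. Assumes an Exchange 2010 hybrid server, a
# federation certificate already installed (thumbprint is a placeholder) and the post's
# delegated namespace, exchangefederation.edustl.com, as the account namespace.
$trustName = "Microsoft Federation Gateway"
$certThumb = "<federation-certificate-thumbprint>"     # placeholder, not a real value
$accountNs = "exchangefederation.edustl.com"
$domains   = @("edustl.com", "service.edustl.com")

# 1. Create the trust with the Microsoft Federation Gateway using the certificate.
New-FederationTrust -Name $trustName -Thumbprint $certThumb

# 2. Generate domain proof for every namespace that will be federated. Each result is a
#    TXT record that must be published in that domain's public DNS zone before step 3;
#    the gateway validates it, so a missing or stale record is what breaks the trust.
foreach ($d in (@($accountNs) + $domains)) {
    Write-Host "Domain proof for $d (publish as a TXT record):"
    Get-FederatedDomainProof -DomainName $d | Format-List
}

# 3. Once the TXT records resolve publicly, set the federated organization identifier
#    and add the remaining domains to it.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $trustName `
    -AccountNamespace $accountNs -Enabled $true
foreach ($d in $domains) { Add-FederatedDomain -DomainName $d }

# 4. Verify. An empty ApplicationIdentifier is the symptom the post describes: the
#    gateway could not validate the proof, so re-check the TXT records before going on.
$trust = Get-FederationTrust -Identity $trustName
if ([string]::IsNullOrEmpty($trust.ApplicationIdentifier)) {
    Write-Warning "No ApplicationIdentifier returned; verify the domain proof TXT records."
} else {
    $trust | Format-List Name, ApplicationIdentifier, ApplicationUri
    Test-FederationTrust -UserIdentity "admin@edustl.com"   # placeholder on-premises mailbox
}
```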

    Organization Configuration

    Next, tab over to Organization Configuration and create a new organization relationship. I used the shell, but this can also be configured in the EMC. Again, all of this is configured on the hybrid server.

    Below I show screenshots of the properties of the org relationship. The first is the free/busy information access I give the cloud tenant.

    Second is the external organization properties.

    Lots of conflicting information here. I only needed edustl.com and service.edustl.com. Originally I thought I would need the service tenant (*.onmicrosoft.com). This is not needed and caused issues with free/busy. I’ve also seen the app URI given as both http://outlook.com and outlook.com. It worked for me with just outlook.com. Ensure you have WSSecurity at the end of the autodiscover endpoint; if you recreated the virtual directory, ensure you add WSSecurity. Also don’t forget the TargetSharingEpr, which corresponds to the POD that you see when you remote PowerShell into your cloud tenant.

    The organization relationship must also be configured on the cloud side. I launched PowerShell and configured the same information.

    Set-OrganizationRelationship -Identity "To Cloud" -DomainNames "service.edustl.com","edustl.com" -MailTipsAccessEnabled $True -MailTipsAccessLevel All -DeliveryReportEnabled $True

    Set-OrganizationRelationship -Identity "To On-premises" -DomainNames "exchangefederation.edustl.com","edustl.com" -MailTipsAccessEnabled $True -MailTipsAccessLevel All -DeliveryReportEnabled $True
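    The on-premises organization relationship with the settings the post found to matter, as an added PowerShell example that is not part of the original post. The autodiscover and sharing endpoints are placeholders (the real POD endpoint is the one your tenant’s remote PowerShell session shows, as noted above), and Test-HybridOrgRelationship is a helper written for this example.

```powershell
# Added example, not the post's own code. Run on the on-premises hybrid server.
$name     = "To Cloud"                                   # relationship name from the post
$domains  = @("edustl.com", "service.edustl.com")        # no *.onmicrosoft.com, as the post found
$autodEpr = "https://<cloud-autodiscover-host>/autodiscover/autodiscover.svc/WSSecurity"  # placeholder host
$sharing  = "https://<your-pod>.outlook.com/ews/exchange.asmx"   # placeholder POD endpoint

# Create the relationship. LimitedDetails is the least free/busy detail that still shows
# subject and location; use AvailabilityOnly if the cloud side only needs busy times.
New-OrganizationRelationship -Name $name -DomainNames $domains `
    -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
    -TargetApplicationUri "outlook.com" -TargetAutodiscoverEpr $autodEpr `
    -TargetSharingEpr $sharing `
    -MailTipsAccessEnabled $true -MailTipsAccessLevel All -DeliveryReportEnabled $true

# Helper (written for this example) that checks the settings the post identifies as
# the usual causes of free/busy failures and returns a list of problems found.
function Test-HybridOrgRelationship([string]$Identity) {
    $r = Get-OrganizationRelationship -Identity $Identity
    $problems = @()
    if ("$($r.TargetAutodiscoverEpr)" -notmatch '/WSSecurity$') {
        $problems += "TargetAutodiscoverEpr does not end in /WSSecurity"
    }
    if ("$($r.TargetApplicationUri)" -ne "outlook.com") {
        $problems += "TargetApplicationUri is '$($r.TargetApplicationUri)', expected outlook.com"
    }
    if (-not $r.TargetSharingEpr) { $problems += "TargetSharingEpr is not set" }
    if (@($r.DomainNames | Where-Object { "$_" -match 'onmicrosoft\.com$' }).Count -gt 0) {
        $problems += "DomainNames contains the *.onmicrosoft.com service tenant"
    }
    if (-not $r.Enabled) { $problems += "Relationship is disabled" }
    return $problems
}

$issues = Test-HybridOrgRelationship -Identity $name
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Test-OrganizationRelationship -Identity $name -UserIdentity "admin@edustl.com" }  # placeholder mailbox
```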

    Mail flow

    Send and Receive Connectors on the on-premises hybrid server.

    Use Set-SendConnector or the EMC. Specify the FQDN for the connector, such as mail.edustl.com. Set the address space to the service domain, *.service.edustl.com. Use DNS for routing and set the source server to the hybrid server.

    Configure the Receive Connector.

    Ensure that the IP addresses you select come from the FOPE configuration, and that you specify the subnet mask.

    Remote Domain

    Next, set up the remote domains on the on-premises server: an inbound and an outbound remote domain. My inbound is edustl.com and my outbound is service.edustl.com.

    Using the Deployment Assistant, set up the remote domains:

    New-ReceiveConnector -Name "From Cloud" -Usage Internet -RemoteIPRanges <FOPE Outbound IP Addresses> -Bindings 0.0.0.0:25 -FQDN mail2.contoso.com -TlsDomainCapabilities mail.messaging.microsoft.com:AcceptOorgProtocol

    (Remember to get the IP addresses from the FOPE procedure outlined in the Deployment Assistant.)

    When the last command was run I ran into a problem with a duplicate domain in FOPE. It appears in the domain list as duplicatedomain-xxxxxxxxxxxxxxxxxxxxxxx(GUID).edustl.com.

    If you use the ECP and go to Mail Control > Domains and Protection, change the domain from shared to hosted and back to shared. The error clears.

    The last thing to configure is the FOPE configuration. You’ll need both inbound and outbound connectors.

    From there you are all set! The last thing to do is to configure MX records based on how you want incoming mail routed. Use both the Deployment Assistant and your external DNS provider to configure this.

    My service.edustl.com was set up to match service-edustl-com.mail.eo.outlook.com in the hosted namespace. My MX record for on-premises was set up for mail.edustl.com.

    I’d tell you more but it appears I got in the capsule during a launch and will not be on earth in a few more seconds. Say goodbye to Curious Greg. Take care.

  • Useful PowerShell Command Builder tool to help you design PowerShell scripts for your Office 365 tenant

    If you are new to PowerShell or to the Office 365 tenant-specific cmdlets, here is a nice tool called the PowerShell Command Builder. It allows you to visually build your Office 365 tenant PowerShell scripts. It doesn’t cover Exchange Online PowerShell, but it is a great start for learning tenant scripts.

    Pick “Office 365” from the Products list to show all the Office 365 tenant “verbs” and “nouns”.

    To build a script, just drag a “Verb” and a “Noun” onto the design surface and it will auto-generate a PowerShell script that you can quickly copy.

    It even allows you to put in your actual domains to leverage in your script.

    Visit the PowerShell Command Builder tool here.

    To learn more on how to actually use these scripts with Office 365 via remote PowerShell visit my other post here.

  • How do YOU pronounce FOPE? Sign in for the first time

    If you are an Exchange Online or Outlook Live tenant administrator, then you can access the Forefront Online Protection for Exchange (FOPE) Administration Center via a hyperlink in the Exchange Control Panel. And with a few additional steps, you can log in directly to the FOPE Admin Center.

    Accessing the FOPE Admin Center from the Exchange Control Panel

    1. Sign in to the Exchange Control Panel as an Administrator
    2. Click Mail Control (left side) then click the hyperlink underneath Forefront Online Protection for Exchange (right side), e.g. “Configure IP safelisting, perimeter message tracing, and e-mail policies.”

    After about 30 minutes of inactivity, the FOPE Admin Center session will time out.

    When you click the “Configure IP safelisting, perimeter message tracing, and e-mail policies” hyperlink in the Exchange Control Panel, you may receive an error saying, “We are sorry but your session has expired.”

    So, how do you login again to the FOPE Admin Center?

    You could sign out of the Exchange Control Panel and sign in again. Then, click Mail Control and click “Configure IP safelisting, perimeter message tracing, and e-mail policies.” But, you may need to close all of your browser windows.

    If you have as many open browser windows and tabs as I do, then this could become a major interruption. “Should I save this tab or that tab? What’s the password for the firewall’s web GUI? Should I save a Draft in OWA or send this email before closing all the browser windows?”

    I’ve gone on too long…you get the idea.

    Instead, why not sign in directly to the FOPE Admin Center? You can stay logged in to the Exchange Control Panel, leave open your browser windows and tabs, and simply sign in again with your user name and password.

     

    Sign in directly to the FOPE Admin Center for the first time

    1. Browse to https://admin.messaging.microsoft.com/
    2. On the “Sign in” page, click the “Need your password?” link
    3. Enter your Administrator’s User Principal Name (UPN) or Windows Live ID, e.g. admin@fabrikam.onmicrosoft.com (Office 365) or admin@live.contoso.edu (Live@edu), and click Send
    4. Log in to your Administrator’s Inbox, open the Password Change Confirmation email and follow the link in the body of the message
    5. On the “Set your new password” page, enter User Name, New Password and Confirm new Password
    6. Go to https://admin.messaging.microsoft.com/ and log in with User Name and new Password

    At this point, you can go directly to the FOPE Administration Center at https://admin.messaging.microsoft.com/

    So, how do you pronounce FOPE?

    In my previous article, How do YOU pronounce FOPE? An Introduction, I discussed some of the key features of Forefront Online Protection for Exchange (FOPE) and invited you to explore additional resources:

    And, hopefully, you’ve had an opportunity to sign in to the FOPE Administration Center via the hyperlink in the Exchange Control Panel or by entering your user name and password at https://admin.messaging.microsoft.com/.

    Okay, I didn’t spell it out. The truth is that there isn’t a right or wrong answer.

    Please leave a comment to tell us how YOU pronounce FOPE. There are bonus points for using the International Phonetic Alphabet (IPA) or a Pronunciation Respelling Key!

    ______________________________

    Thanks for joining us today!

    Zion Brewer

    ______________________________

  • Partner Webcast: Cloud Services Prep for EDU Providers

    Oxford Computer Group has scheduled a webinar that will touch on the Identity Management issues that need to be addressed for cloud services, including Live@edu and Office365.

    Friday, November 11th, 2012, 11:00 a.m. Pacific Time. Duration 30 minutes.

    Registration Link: http://www.oxfordcomputergroup.com/news/events/webinar-cloud-services-prep-for-edu-providers-278.php

    Webinar Description: Cloud Services Prep for EDU Providers

    This 30 minute webinar is intended for education providers who have been considering Cloud solutions, such as Microsoft Live@edu and Office 365. In education, managing the entire lifecycle of a digital identity can be challenging. We will show how Microsoft Forefront Identity Manager 2010 is being used to automate the administrative tasks associated with identity management. We'll also discuss the perennial problem of password management for students, showing an innovative solution that provides self-service password management in the Cloud. We will provide an overview of Identity Management in Microsoft Live@edu and Office 365:

    • How to reduce the cost
    • How to prepare for Cloud services
    • How to provision and deprovision accounts
    • How to manage passwords and user access.

  • Partner Event: OCG European Identity & Access Summit 2011

    In partnership with Microsoft and complementary technology partners, Oxford Computer Group (OCG) is again hosting the European Summit for Microsoft Identity and Access. This year the theme is "Managing Identity and Access on-premise and in the Cloud", with a focus on Microsoft Forefront Identity Manager (FIM) 2010 and complementary technologies, including access and authorization with AD FS 2.0.

    There are only 3 weeks to go until this year's European Identity and Access Summit. With many exciting and informative sessions, don't miss the chance to attend this vital two-day Summit, FREE of charge!

    See the Agenda and Register Here

    You can:

    Ask an Expert Identity and Access Surgeries

    Want one-to-one advice from an identity and access expert? Throughout the Summit we are providing FREE identity and access surgeries. Put your questions and scenarios to our industry experts. Bring along your thorny issues or specific challenges. Request a Surgery Slot

    Attendee Feedback

    “Even though this event has grown significantly over recent years, it has retained its community feel and I always come away feeling informed and motivated to take on the next identity management challenge.” Alistair Sandford – University of the West of England