Thursday 8 March 2012

Tenant Isolation in a Hosted Exchange Environment

With the removal of the /hosting edition of Exchange Server and the reintroduction and support of hosting using the /enterprise version of Exchange Server I thought it a good idea to cover some topics that help an IT Admin implement certain features for tenant isolation into the /enterprise edition of the product.

A feature a tenant may require is tenant or semi-tenant isolation. This is where the tenant cannot contact any other tenants in the Hosted Org. A customer may require total lockdown or require just a subset of users have this restriction in place.

Luckily with Transport Rules and some Powershell magic we can implement this feature. In a perfect world you will have a front end or control panel that can configure this magic for you, but if your control panel is one step behind, this is the backend steps you need to take to implement it.

Firstly you will need a Transport Rule to disallow the tenant or certain users within the tenant, to send outside of the Organization.

If you are using HMC, or have a framework that works along the lines of HMC, for example, an AllUsers and AllAdminUsers groups, then we can lock a tenant down with these security groups. If however only part of a tenant is to be isolated, then we will need to create another group, adding the required users to that group and then potentially hiding that group from the GAL so as not to mess up a nice clean address book view. So back on track..

..This is simply achieved with a transport rule like the following:

New-TransportRule -Name 'Tenant Isolation - Outside Org Test' -Comments 'Another Transport rule to block my tenant from sending outside of the org. Entirely a test.' -Conditions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromMemberOfPredicate','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SentToScopePredicate' -Actions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.DeleteMessageAction' -Enabled $true -Priority 'number'

This looks like so in the UI:

However on top of this you also need to provide a way of locking down messaging within the Org. As The Enterprise version of Exchange has no concept of 'tenant's, you need to build another Transport with an Exception.

The above rule then allows the tenant to recieve emails from the users within but stops communication to other tenants on the hosted platform.

We can then look to modify the rules further, maybe for example by modifying 'silently drop the message' to actually inform the user the message was indeed refused with a custom error.

So the above controls outbound messages, but we still need to be able to control who can send messages to the isolated tenant or the isolated users. We can again use Transport Rules, but again we would need to create two, one for inside the organization and another for outside. In this instance I prefer to perform the lock down on the user object itself, this creates less transport overhead on your messaging subsystem.

Finally, if your hosting framework cannot support message delivery restrictions then you can tie this into your tenants OU and selected users with a little powershell. This can be run as a scheduled task against the tenant as a ps script. The below is an example I have made and use but will need some modification.

#Allow users to only recieve messages from a specified DL
#Modify $NIS and $AllUsers as appropriate
#Test in Test Lab prior to running in Live
#Confirm $NIS and $AllUsers are valid targets with Get-DistributionGroup
#Replace $NIS with a 'No Internet Sending Security Group' created in Control Panel for the Tenant
#Replace $AllUsers with the HMC4.5/hosting framework AllUsers Group for the Tenant

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010Get-DistributionGroupMember $NIS set-mailbox -AcceptMessagesOnlyFromDLMembers $AllUsers

The end result is as follows:

Isolated tenant/user sending out to the internet:

Isolated tenant/user sending to another tenant in the Hosted Exchange platform:

Another tenant or external user trying to send to the isolated tenant/user:

Take Care

Oliver Moazzezi MVP - Exchange Server

No comments: