Howto:Microsoft Office 365 Recommended Product Testreport

From innovaphone wiki

Revision as of 16:30, 6 July 2022

General Information

  • Product name: Office 365
  • Vendor: Microsoft
  • innovaphone Firmware: v10 sr11

The objective of this article is to test the Office 365 solution together with innovaphone applications such as the innovaphone Exchange Calendar Connector, innovaphone FaxServer and myPBX Office Integration.

It describes how to configure these applications together with Office 365 and which limitations exist.

Current test state

Testing of this product has been finalized.

Configured Scenario

Important Components and Requirements

  • Office 365 Small Business Premium Plan.
  • Office 365 System Requirements can be found -> Here
  • innovaphone myPBX Launcher
  • innovaphone PBX v10
  • innovaphone Exchange Connector Application

myPBX Office Integration

Installation & Configuration of the vendor Software

myPBX Office Integration requires the Office desktop applications to be installed.

The Office applications are only included in certain Office 365 subscription plans; a comparison table for the business plans can be found here.

To install the Office applications, the user logs in at portal.office.com, clicks the "Download Software" shortcut and downloads the full package (see the Microsoft Install Office guide).


Installation & Configuration of the innovaphone components

First install the myPBX Launcher on the Windows PC and define the myPBX UC client as the Office presence provider, as explained in the Concept myPBX Office2010 Integration article.

The System Name of the PBX must be equal to the Office 365 domain name, and the flag "Use as Domain" must be enabled.

Office365 Howto Setup 1.png

The "Name" field of the PBX user object must also match the Office 365 user name, so that the e-mail addresses are identical.

Example: an Office 365 user with the e-mail address rba@innovaphoneAG.onmicrosoft.com must match a user object whose "Name" field is "rba".


Test Results

Tested feature                                                Result
Presence updates in the Microsoft desktop app contact info    OK
Instant messaging started from the Microsoft desktop app      OK
Start calls from the Microsoft desktop app                    OK
Presence updates in the Microsoft web app contact info        NOK


innovaphone Exchange Calendar Connector

Installation & Configuration of the vendor Software

Before the Exchange Calendar Connector can connect to the Exchange Online EWS, the Exchange Online server address has to be found. The URL of the Exchange Online Web Service has the form "https://" + "server name" + "/EWS/Exchange.asmx", for example "https://pod51024.outlook.com/ews/exchange.asmx"; in this case the value to enter in the Server field of the Exchange Connector is pod51024.outlook.com.

Indications on how to find the Exchange server address can be found in the Office 365 Community Answers.

As with on-premises Exchange installations, each user must change the permissions for viewing free/busy information in the Outlook calendar options.

With Office 365 this option is only available in the Outlook desktop app, not in the Outlook Web App; a description of where to find it is given in the Concept Exchange Calendar Connector article.


Note: Microsoft offers an alternative method to connect to EWS through a single fixed domain (to simplify the process). The fixed address is outlook.office365.com; it can be configured as Server in the Exchange Calendar Connector application as long as DNS resolution works correctly.

Installation & Configuration of the innovaphone components

NTLM authentication is not supported by the Office 365 Exchange Online server, so the basic authentication method must be used to connect to the Exchange Online EWS.

This feature was introduced with innovaphone Exchange Connector v10sr11, as described here.

The Exchange Calendar Connector configuration is similar to any other: use the server address found above for the Exchange Online server, and additionally set the Linux NAT IP/port so that Office 365 Exchange Online can reach the Exchange Calendar Connector application from the Internet through NAT port forwarding.

Office365 Howto Setup 2.png

Test Results

In this case there are not many different tests to perform. The innovaphone Exchange Connector application connects successfully to the Exchange Online server, retrieves the calendar entries and updates the presence on the innovaphone PBX.

Office365 Howto Setup 3.png


innovaphone FaxServer

Use of the innovaphone FaxServer with Office 365 Exchange Online is possible; however, it is unsafe, as faxes can be sent by attackers at the customer's expense (by faking a proper From: address and sending from an Office 365 cloud service).


If you accept this risk, you can follow the instructions below. With this configuration the fax server can receive mails from Outlook 365 (Exchange Online), but it is still unsafe, as any Office 365 user can send to the innovaphone fax server. Internally the fax server checks whether the sender address is a valid mail address and has a fax licence; otherwise the mail is rejected.

Using the innovaphone fax server with Office 365 (Exchange Online) requires a few adjustments on both sides. The Office 365 (Exchange Online) connector cannot authenticate with username and password. If you want to enter the IP addresses of Office 365 (Exchange Online) in the Authorized Hosts list, you have to specify several networks; on the web interface only individual addresses can be specified, so the networks have to be entered on the Linux AP in /etc/postfix/main.cf. The disadvantage is that whenever Microsoft changes its IP addresses, you must check which addresses are currently valid and adapt the list.

Another way is to authenticate with TLS (the certificates of the SMTP client and server). This is described in the following sections.


Which data do we need in advance?

  • The issuer's Root CA (GlobalSign Root CA) as a PEM file. Details can be found on this website.
  • A separate certificate on the Linux AP on which the fax server is running.
  • The MD5 fingerprint of the Exchange Online client certificate.
  • SSH access to the Linux AP, e.g. with PuTTY and WinSCP (see the Root Login wiki article).

Root CA (Baltimore CyberTrust Root) for the Office 365

Get the Root CA (GlobalSign Root CA) for Office 365. You can download it as a PEM file from this website.
Save it on the Linux AP as:
/home/root/ssl_cert/ms-mail-ca.pem

Read the fingerprint and date of the client certificate from Exchange Online on the Linux AP

Get the certificate:

openssl s_client -connect ucclab-info.mail.protection.outlook.com:25 -starttls smtp
(ucclab-info.mail.protection.outlook.com is the Exchange Online mail host for the domain ucclab.info)
Save the certificate part of the answer to a new file on the Linux AP, for example /etc/postfix/cert/mail.protection.outlook.com.pem:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Read Fingerprint MD5:

Save the fingerprint, because it is needed at a later point.

$ openssl x509 -noout -fingerprint -md5 -inform pem -in mail.protection.outlook.com.pem
MD5 Fingerprint = 4F:90:9E:EE:29:EB:AB:E5:E2:9A:D5:5E:8C:08:C3:10

Read the validity of the certificate:

To know when the certificate expires, we read out the expiration date of the certificate.

$ openssl x509 -noout -dates -in mail.protection.outlook.com.pem
notBefore=Feb 24 18:33:10 2020 GMT
notAfter=Feb 24 18:33:10 2022 GMT

Customize Postfix Configuration on the Linux AP

Customize configuration file main.cf from Postfix:

With PuTTY or WinSCP, make the following adjustments on the Linux AP in /etc/postfix/main.cf:

smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_always_send_ehlo = yes
smtp_tls_CAfile = /home/root/ssl_cert/ms-mail-ca.pem 

relay_clientcerts = hash:/etc/postfix/relay_clientcerts

smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_CAfile = /home/root/ssl_cert/ms-mail-ca.pem
smtpd_tls_cert_file = /home/root/ssl_cert/server.crt
smtpd_tls_key_file = /home/root/ssl_cert/server.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject

Create/adjust new file for MD5 fingerprint data:

With PuTTY or WinSCP, create a new file on the Linux AP at /etc/postfix/relay_clientcerts containing the stored MD5 fingerprint:

4F:90:9E:EE:29:EB:AB:E5:E2:9A:D5:5E:8C:08:C3:10 mail.protection.outlook.com

With PuTTY, convert the created file into a lookup database on the Linux AP:
postmap /etc/postfix/relay_clientcerts

Finally, with PuTTY, restart Postfix to activate the changes:
service postfix restart

The Linux AP must be reachable from the Internet. For this, a port forwarding (TCP 25) from the Internet to the fax server is needed.
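As an added example (not part of the original article), a small Python helper for the steps above: it extracts the certificate from the openssl s_client output, computes the same MD5 fingerprint that openssl x509 -fingerprint -md5 prints, formats the relay_clientcerts line, and reports how many days remain before the pinned certificate expires (after which the entry has to be renewed). The s_client and x509 outputs are constructed, and the base64 body decodes to the bytes "abc" rather than to a real certificate, so that the expected fingerprint is known.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

# Constructed stand-in for `openssl s_client -connect <mx-host>:25 -starttls smtp`
# output. The base64 body is NOT a real certificate: it decodes to b"abc" so the
# expected fingerprint is known. Feed the real s_client output in practice.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
 0 s:CN = mail.protection.outlook.com
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# Constructed stand-in for `openssl x509 -noout -dates` output.
SAMPLE_DATES_OUTPUT = "notBefore=Feb 24 18:33:10 2020 GMT\nnotAfter=Feb 24 18:33:10 2022 GMT\n"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def extract_der(s_client_output):
    """Return the DER bytes of the first PEM certificate block in the output."""
    m = PEM_RE.search(s_client_output)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def md5_fingerprint(der):
    """MD5 over the DER encoding, colon-separated uppercase: the same value
    `openssl x509 -noout -fingerprint -md5` prints."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def relay_clientcerts_entry(der, label):
    """One line for /etc/postfix/relay_clientcerts (run `postmap` afterwards).
    Postfix matches on the fingerprint only; the label is free text."""
    return f"{md5_fingerprint(der)} {label}"

def parse_not_after(dates_output):
    """Parse the notAfter line of `openssl x509 -noout -dates` as UTC."""
    for line in dates_output.splitlines():
        if line.startswith("notAfter="):
            value = line.split("=", 1)[1].strip()
            return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    raise ValueError("notAfter line not found")

def days_until_expiry(dates_output, now):
    """Days left on the pinned certificate; after a rotation the fingerprint no longer matches."""
    return (parse_not_after(dates_output) - now).days
```

Because relay_clientcerts pins a fingerprint rather than trusting the CA, the entry stops matching as soon as Microsoft rotates the certificate, so the expiry date is worth monitoring.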

Create Relay Host on the Linux AP

On the web interface of the Linux AP, a relay host for Office 365 (Exchange Online) must be created. Under Administration - Relay Hosts -> Add relay host, enter the destination and the authorization for Exchange 365 (Exchange Online). A user from Office 365 is required for the authorization. Sender Email/Domain uses the Office 365 domain.

Faxserver Relay-Host.png

Office 365 Connector

On the Office 365 (Exchange Online) side, a connector is needed to forward our fax domain to the Linux AP. To do this, create a new connector in the Exchange Admin Center under Message Flow - Connectors (+).


Connector with CA Trusted Certificate

Connector overview eng.png


Give the connector a useful name.

Connector 1 name eng.png


Use the fax domain as the rule for this connector.

Connector 2 domain eng.png


Use the external IP address or the FQDN of the Linux AP that can be reached from the Internet.

Connector 3 target eng.png


Also check the certificate of the Linux AP (CN of the certificate).

Connector 4 TLS eng.png


A valid destination mail address is required to check the connector, for example 206@fax.ucclab.info (206 = number to call, @fax.ucclab.info = fax domain of the environment).

Connector 5 targetaddress eng.png


Finally, the connector is checked for connectivity and mail delivery, and the result should look like this.

Connector 6 final eng.png

Connector with Self-Signed Certificate

Go to the connector menu, create a new connector, give it a name and set its status to ON.

Exchange online connector 1 en.png

Then define the "Use of connector" by entering the fax server mail domain configured on the fax server (this can be a subdomain).

Exchange online connector 2 en.png

Define the external IP address or FQDN of the Linux AP that can be reached from the Internet. If it is behind a NAT router, set up a port forwarding of port 25 for SMTP.

Exchange online connector 3 en.png

Define the security restrictions to always use TLS and to accept any digital certificate, including self-signed certificates. The validation will fail, but click OK to save it anyway.

Exchange online connector 4 en.png

Finally, go to the "Accepted domains" menu and set your fax server subdomain to InternalRelay.

Connector 5 targetaddress eng.png

Now go back to the connector and validate again; the test should now succeed.

Log File

In the log we can see whether mails are received and sent successfully.
With PuTTY on the Linux AP:
tail -n0 -F /var/log/mail.log
Or on the web interface of the Linux AP:
Diagnostics - Logs - Mail - View

The log must then contain "Trusted TLS connection established" for the connection.

For incoming mails:

Trusted TLS connection established from host.outbound.protection.outlook.com [213.199.154.0]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

For outgoing mails:

Trusted TLS connection established to ucclab-info.mail.protection.outlook.com[213.199.154.42]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
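As an added example (not part of the original article), a Python check that scans mail.log lines for Postfix TLS handshake messages and lists the sessions that were not "Trusted", which is what the article says must appear for the Office 365 connection. The log lines are constructed in the shape Postfix writes them; host names and addresses are made up.

```python
import re

# Constructed sample lines in the shape Postfix writes to /var/log/mail.log
# (host names are made up; the addresses are from documentation ranges).
SAMPLE_MAIL_LOG = """\
Jul  6 16:30:01 linuxap postfix/smtpd[1234]: Trusted TLS connection established from mail-a.outbound.protection.outlook.com[203.0.113.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jul  6 16:31:12 linuxap postfix/smtpd[1235]: Anonymous TLS connection established from unknown[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  6 16:32:40 linuxap postfix/smtp[1240]: Trusted TLS connection established to example-com.mail.protection.outlook.com[203.0.113.42]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jul  6 16:33:05 linuxap postfix/smtpd[1236]: Untrusted TLS connection established from mail-b.outbound.protection.outlook.com[203.0.113.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jul  6 16:34:50 linuxap postfix/smtpd[1237]: Anonymous TLS connection established from unknown[198.51.100.9]: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# smtpd (inbound, "from"): Trusted = client certificate verified against
# smtpd_tls_CAfile, Untrusted = certificate presented but not verified,
# Anonymous = no client certificate at all.
# smtp (outbound, "to"): Trusted/Verified = server certificate verified.
TLS_RE = re.compile(
    r"postfix/(?P<prog>smtpd?)\[\d+\]: "
    r"(?P<trust>Trusted|Verified|Untrusted|Anonymous) TLS connection established "
    r"(?P<dir>from|to) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def parse_tls_sessions(log_text):
    """Return one dict per TLS handshake line; unrelated log lines are skipped."""
    matches = (TLS_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def sessions_without_trust(sessions):
    """Handshakes where the peer certificate was not verified against the CA,
    i.e. the sessions that do not show the expected 'Trusted' line."""
    return [(s["dir"], s["host"], s["trust"]) for s in sessions
            if s["trust"] not in ("Trusted", "Verified")]

def legacy_protocols(sessions):
    """Hosts that negotiated a protocol below TLS 1.2, worth alerting on."""
    return [s["host"] for s in sessions if s["proto"] in ("SSLv3", "TLSv1", "TLSv1.1")]
```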


Office 365 Lync Online

  • Integration of Office 365 Lync Online with the Innovaphone PBX was not tested.
  • The Lync Online solution only allows SIP trunking with VoIP carriers selected by Microsoft for PSTN connectivity and does not offer any option to set up an own PSTN gateway.
  • Lync Online allows federation with Skype and with an on-premises Lync 2013 Server through an Edge Server, as explained on the TechNet page. There is currently no implementation of SIP federation between the Innovaphone PBX and the Microsoft Lync Edge Server.

Known Issues

Related Articles