Howto:Microsoft Office 365 Recommended Product Testreport: Difference between revisions
(...) |
|||
| Line 124: | Line 124: | ||
==innovaphone FaxServer== | ==innovaphone FaxServer== | ||
Use of Innovaphone FaxServer with Office 365 Exchange Online is possible however ''it is unsafe'' as Faxes can be sent by attackers on the customers expense ( | Use of Innovaphone FaxServer with Office 365 Exchange Online is possible however ''it is unsafe'' as Faxes can be sent by attackers on the customers expense (by faking a proper <code>From:</code> address and sending from a Office 365 Cloud service). | ||
<!-- | <!-- | ||
If you are OK with this | If you are OK with this point, then you can follow the instructions below. With this configuration faxserver can receive mails from Outlook 365 (Exchange Online) but it is still unsafe as any Office 365 User can send to the innovaphone Faxserver. Internally we check if the sender address is a valid mail address and has a fax licence. Otherwise the mail will be rejected. | ||
In order to use the innovaphone fax server with Office 365, it requires a few adjustments on both sides. | In order to use the innovaphone fax server with Office 365 (Exchange Online), it requires a few adjustments on both sides. | ||
The connector of Office 365 (Exchange Online) can not authenticate with username and password. | The connector of Office 365 (Exchange Online) can not authenticate with username and password. | ||
If you want to enter the [https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx IP addresses] of Office 365 (Exchange Online) in the Authorized Hosts list you have to specify several networks. On the web interface, it is only possible to specify individual addresses. So you have to enter the networks on the Linux AP in /etc/postfix/main.cf. | If you want to enter the [https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx IP addresses] of Office 365 (Exchange Online) in the Authorized Hosts list you have to specify several networks. On the web interface, it is only possible to specify individual addresses. So you have to enter the networks on the Linux AP in /etc/postfix/main.cf. | ||
Disadvantage here is | Disadvantage here is if Microsoft changes the IP addresses you always must be examined which IP addresses are currently valid and these must be adapted. | ||
Another way is to authenticate with TLS (the certificates of the smtp client and server). We will talk about that in the following. | |||
Which data do we need in advance? | Which data do we need in advance? | ||
| Line 139: | Line 141: | ||
* A separate certificate on the [[Reference10:Concept_Linux_Application_Platform#Certificates | Linux AP]] on which the fax server is running. | * A separate certificate on the [[Reference10:Concept_Linux_Application_Platform#Certificates | Linux AP]] on which the fax server is running. | ||
* The MD5 fingerprint of the Exchange Online client certificate | * The MD5 fingerprint of the Exchange Online client certificate | ||
* SSH access to the Linux AP e.g. with Putty and WinSCP (Root Login in the | * SSH access to the Linux AP e.g. with Putty and WinSCP (Root Login in the [[Reference10:Concept_Linux_Application_Platform | wiki article]]) | ||
===Root CA (Baltimore CyberTrust Root) for the Office 365=== | ===Root CA (Baltimore CyberTrust Root) for the Office 365=== | ||
Get the Root CA (Baltimore CyberTrust Root) for the Office 365 | Get the Root CA (Baltimore CyberTrust Root) for the Office 365. | ||
You can get this on [https://ssl-tools.net/subjects/c12f4576ed1559ecb05dba89bf9d8078e523d413#d4de20d05e this website] as PEM file. <br> | |||
Save them on the Linux AP. <br> | |||
<code>/home/root/ssl_cert/ms-mail-ca.pem</code> | <code>/home/root/ssl_cert/ms-mail-ca.pem</code> | ||
| Line 150: | Line 155: | ||
<code>openssl s_client -connect ucclab-info.mail.protection.outlook.com:25 -starttls smtp</code><br> | <code>openssl s_client -connect ucclab-info.mail.protection.outlook.com:25 -starttls smtp</code><br> | ||
(ucclab.info = ucclab-info.mail.protection.outlook.com)<br> | (ucclab.info = ucclab-info.mail.protection.outlook.com)<br> | ||
Save the certificate part from the answer to a new file on the Linux AP. | |||
For example <code>/etc/postfix/cert/mail.protection.outlook.com.pem</code> | For example <code>/etc/postfix/cert/mail.protection.outlook.com.pem</code> | ||
<code>----- BEGIN CERTIFICATE -----<br> | <code>----- BEGIN CERTIFICATE -----<br> | ||
| Line 157: | Line 162: | ||
====Read Fingerprint MD5:==== | ====Read Fingerprint MD5:==== | ||
Save the key because we need it at a later point.<br> | |||
<code>openssl x509 -noout -fingerprint -md5 -inform pem -in mail.protection.outlook.com.pem</code> | <code>openssl x509 -noout -fingerprint -md5 -inform pem -in mail.protection.outlook.com.pem</code> | ||
<code>MD5 Fingerprint = 6E: 3E: EC: 2A: 9F: 48: 0B: F7: 89: 00: 9A: 37: E4: 2D: 50: C5</code> | <code>MD5 Fingerprint = 6E: 3E: EC: 2A: 9F: 48: 0B: F7: 89: 00: 9A: 37: E4: 2D: 50: C5</code> | ||
| Line 199: | Line 204: | ||
Finally with Putty postfix has to be restarted to activate the changes:<br> | Finally with Putty postfix has to be restarted to activate the changes:<br> | ||
<code>service postfix restart</code> | <code>service postfix restart</code> | ||
The Linux AP must be reachable from the internet. For this we need a port forwarding (TCP 25) from internet to faxserver. | |||
| Line 210: | Line 217: | ||
===Office 365 Connector=== | ===Office 365 Connector=== | ||
On the Office 365 Online page we need a connector to forward our fax domain to the Linux AP | On the Office 365 (Exchange Online) page we need a connector to forward our fax domain to the Linux AP. | ||
To do this, a new connector must be created in the Exchange Admin Center under Message Flow Connectors (+). | To do this, a new connector must be created in the Exchange Admin Center under Message Flow Connectors (+). | ||
| Line 231: | Line 238: | ||
[[Image:connector_4_TLS_eng.png]] | [[Image:connector_4_TLS_eng.png]] | ||
A valid destination mail address is required to check the connector. ( | A valid destination mail address is required to check the connector. A valid destination mail address is like <code>206@fax.ucclab.info</code> (206 = number to call to, @fax.ucclab.info = faxdomain for the environment) | ||
[[Image:connector_5_targetaddress_eng.png]] | [[Image:connector_5_targetaddress_eng.png]] | ||
| Line 264: | Line 271: | ||
* Outbound Mail Connector to inno Linux AP with the "subdomain" of the FaxServer instance. | * Outbound Mail Connector to inno Linux AP with the "subdomain" of the FaxServer instance. | ||
* Public IP address and rule on the NAT router that forwards the port 25 to the Innovaphone Linux AP machine. | * Public IP address and rule on the NAT router that forwards the port 25 to the Innovaphone Linux AP machine. | ||
Revision as of 12:42, 6 April 2018
General Information
- Product name: Office 365
- Vendor: Microsoft
- innovaphone Firmware: v10 sr11
The objective of this article it's to test the Office 365 Solution together with Innovaphone Applications like innovaphone Exchange Calender Connector, innovaphone FaxServer and myPBX Office Integration.
How to configure this applications together with Office 365 and if there is any limitations.
Current test state
Testing of this product has been finalized.
Configured Scenario
Important Components and Requirements
- Office 365 Small Business Premium Plan.
- Office 365 System Requirements can be found -> Here
- innovaphone myPBX Launcher
- innovaphone PBX v10
- innovaphone Exchange Connector Application
myPBX Office Integration
Installation & Configuration of the vendor Software
In order to have myPBX Office Integration it's required to install the Office Applications.
The Office Applications are only available for some specific Office 365 Subscription Plans you could find a comparison table for the business plans here.
To install the office applications the user just login into the portal.office.com and click on the shortcut Download Software and be able to download the full package. Microsoft Install Office Guide.
Installation & Configuration of the innovaphone components
First install the myPBX launcher at the Windows PC and define the myPBX UC Client as Office Presence Provider like explained at Concept myPBX Office2010 Integration.
The system Name of the PBX should be equal to the office 365 Domain Name and also we should enable the flag "Use as Domain".
The "Name" field at the PBX User Object should match also with the Office 365 User so the Email address can be identical.
Example: Office 365 User with email rba@innovaphoneAG.onmicrosoft.com should match with User Object with name field equal to "rba".
Test Results
| Tested feature | Result |
|---|---|
| Presence Updates at Microsoft Desktop App Contact Info. | OK |
| Instant Messaging started from Desktop Microsoft App. | OK |
| Start calls from Microsoft Desktop App. | OK |
| Presence Updates at Microsoft Web App Contact Info. | NOK |
innovaphone Exchange Calender Connector
Installation & Configuration of the vendor Software
In order to be able Exchange Calender Connector connect to the Exchange Online EWS we need first to find what is the Exchange Online Server Address. The URL of Exchange Online Web Service is a URL like "https://" + "Server name" + "/EWS/Exchange.amsx", for example, "https://pod51024.outlook.com/ews/exchange.amsx" where the value that should be used for Server field at Exchange Connector is pod51024.outlook.com.
How to find the Exchange Server address you could find some indications Office365 Community Answers.
Also similar to what it's done with Local Exchange Installations it's required that each User change their permissions for vieweing Free/Busy Information at Outlook Calender Options.
With Office365 we could only find this option using the Outlook Desktop App and not the Outlook Web App, description how to find this option could be find at Concept Exchange Calender Connector Article
Note: Microsoft have alternative method to connect to EWS to a single/fixed domain (to simplify the process). The new fixed address is : outlook.office365.com this can be configured as Server on the Exchange Calender Connector Application as long the DNS it's correctly working.
Installation & Configuration of the innovaphone components
NTML Authentication it's not supported by Office 365 Exchange Online Server, so it's necessary to use basic Authentication method to connect to Exchange Online EWS.
This feature was introduced with innovaphone Exchange Connector v10sr11 like described here.
The Exchange Calender Connector configuration it's similar to any other, we need to use the Server Address we found previous for the Exchange Online Server and additional we need to set Linux NAT IP/Port so Office 365 Exchange Online can reach the Exchange Calender Connector Application from the Internet through NAT Port Forwarding.
Test Results
In this case they are not many different tests to perform. The innovaphone Exchange Connector Application connects successfully to the Exchange Online Server and retrieves the calender entries from it and updates the Presence at Innovaphone PBX.
innovaphone FaxServer
Use of Innovaphone FaxServer with Office 365 Exchange Online is possible however it is unsafe as Faxes can be sent by attackers on the customers expense (by faking a proper From: address and sending from a Office 365 Cloud service).
Office 365 Lync Online
- Integration with the Office 365 Lync Online and Innovaphone PBX was not tested.
- The Lync Online solution only allow SIP Trunking with selected VoIP Carriers by Microsoft for PSTN connectivity and don't have any option to setup an own PSTN Gateway.
- Lync Online allows Federation with Skype and Lync 2013 Server on premises as explained at technet page through Edge Server. There is no current implementation of SIP Federation between Innovaphone PBX and Edge Server from Microsoft Lync.