Nexus365: ITSS Technical Guide

This guide will be regularly updated, based on feedback and user experiences, as the Nexus365 pilot progresses.

News update: The default "Reply All" when replying to emails through OWA has been fixed, so that all accounts migrated prior to 25th May 2018 have now been changed to "Reply". Accounts migrating going forward will be updated immediately after migration (prior to 08:00hrs BST on the day) and users will not have to take any further action.

Nexus365 Technical Overview

Nexus365 is a cloud-based solution hosted by Microsoft, replacing the University’s on-premises Nexus email service and enhancing it with additional software and features. Under the University’s JISC agreement all email data remains in the UK. Nexus’ SharePoint service remains on-premises for reasons of security compliance and data security.

Key points in brief:

  • Oxmail is still the point at which incoming Nexus email arrives, and through which outgoing email departs
  • Microsoft’s Exchange Online Protection (‘EOP’) is currently used to improve spam detection. A separate project is under way to provide a University-managed on-site alternative (or complementary) system.
  • The Oxmail smtp.ox.ac.uk servers will remain available for special cases, which will generally only be where Microsoft’s authenticated smtp servers can’t be used.
  • All Nexus email users will have their quota increased from the current 2GB or 3GB to 50GB. There is no longer an option for paid-for quota increases beyond that, however archive mailboxes can be made available if 50GB is likely to be exceeded.
  • The current 30-day paid-for restoration of email content will no longer be available. Content can be restored after deletion by the user themselves for 90 days and for a further 30 days by the Nexus Team.
  • Nexus365 will also provide 5TB of OneDrive storage space. Nexus users will receive this in addition to (and separate from) any OneDrive personal storage they already have, even if the same email address is used for both.
  • Skype-for-Business services are included in Nexus365, but only for Skype-to-Skype calling. Chargeable calls should be made via Chorus.

General Support Documentation

N.B.: Guides here may include guidance on applications and features that have not been enabled in Nexus365. Please refer to the FAQs for details of what is enabled in Nexus 365.

Microsoft's guidance:
Getting started in Outlook Web App
5 minute videos covering some of the basics of O365.

Setting up Microsoft Outlook (Windows, Mac, and Mobile)

Microsoft Outlook users who have left the program running during migration, or who access other people's mailboxes who have been migrated, will receive a message telling them that 'an administrator has made a change which requires you to restart Outlook'. To avoid this message, and related support issues, we advise telling your users to close Outlook completely overnight when migrations are taking place.

Some Android users using built-in email clients will be asked to grant permissions in order to access Nexus365 email. One in particular, the ability to remotely erase a device's data without warning by performing a factory data reset (see below), could cause some concern.

This feature is intended for users to self-manage the erasing of a lost or stolen device only, as detailed in wipe a mobile device in Office365.  The other permissions relate to corporate security policy settings which can be applied. The Nexus Team do not, and never have, imposed any policy restrictions on mobile device users, regardless of the application's request for the capability.  If there were calls to change this policy a wide-ranging and thorough consultation would be instigated beforehand.
If you have users who are, nonetheless, unwilling to grant the permissions, email can still be retrieved by setting up as an IMAP4 client.

Autodiscover

Outlook 2016 now requires AutoDiscover to be present and correctly configured in DNS or it will be unable to connect to Nexus365. Outlook 2016 retrieves connectivity settings directly from AutoDiscover instead of from the registry. This makes profiles more reliable but makes AutoDiscover a required feature.

There has been confusion in the past with AutoDiscover, with some units working around it by using users' @nexus.ox.ac.uk addresses. Whilst this may have got you by with on-premises Nexus, it will no longer work for Nexus365.

Older versions of Outlook could be made to work with tweaked local settings, but correct AutoDiscover settings for the college/department's domain are now essential. Without them Outlook will fail to connect to 365 (initially it will 'fail to make an encrypted connection', then try other protocols before eventually failing after attempting an ActiveSync connection).
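As an added example (not part of this guide), the following PowerShell checks whether a unit's domain has the AutoDiscover DNS records that Outlook 2016 needs before migration; the domain names are constructed placeholders, and the expected record target autodiscover.outlook.com is Microsoft's standard Office 365 value, which this page does not itself state.

```powershell
# Added example, not from the Nexus365 guide: report which unit domains lack the
# AutoDiscover DNS records that Outlook 2016 requires to reach Nexus365.
# Assumptions: the Office 365 target 'autodiscover.outlook.com' (not stated on this
# page) and the sample domain list, which is a constructed placeholder.
$ExpectedTarget = 'autodiscover.outlook.com'
$Domains = @('example-college.ox.ac.uk', 'example-dept.ox.ac.uk')   # constructed sample

function Test-AutodiscoverDns {
    param([string]$Domain, [string]$Target = $ExpectedTarget)

    $result = [ordered]@{ Domain = $Domain; Cname = $null; Srv = $null; Ok = $false }

    # Preferred record: autodiscover.<domain> CNAME -> autodiscover.outlook.com
    $cname = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' }
    if ($cname) { $result.Cname = ($cname | Select-Object -First 1).NameHost }

    # Alternative record: _autodiscover._tcp.<domain> SRV pointing at the same target
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' }
    if ($srv) { $result.Srv = ($srv | Select-Object -First 1).NameTarget }

    # Either record form pointing at the expected target is enough for Outlook 2016
    $result.Ok = ($result.Cname -and $result.Cname.TrimEnd('.') -ieq $Target) -or
                 ($result.Srv   -and $result.Srv.TrimEnd('.')   -ieq $Target)
    [pscustomobject]$result
}

$Domains | ForEach-Object { Test-AutodiscoverDns -Domain $_ } | Format-Table -AutoSize
```

Any domain reported with Ok = False will produce the 'fail to make an encrypted connection' behaviour described above, however the local Outlook profile is tweaked.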

POP3 / IMAP4

Configuring to use POP3/IMAP4.
Microsoft Office 2016 for Mac: Quick Start Guides

Adding an on-premises shared mailbox to an already-migrated account can be configured with the username format <yourSSO>@OX.AC.UK\<shared mailbox's SSO> (e.g. demo1234@OX.AC.UK\shar1234). 
When the shared mailbox is migrated this will of course need to be reconfigured again but is useful as an interim solution.

Future trends and developments can be found at:
https://products.office.com/en-us/business/office-365-roadmap?filters

Lynda.com training:
Accessed via the IT help pages for an Office 365 tools overview.

Technical Data

Supported Protocols

The following methods of access are supported:

  • ActiveSync
  • HTTPS
  • EWS (server: outlook.office365.com/EWS/Exchange.asmx)
  • IMAP4 (server: outlook.office365.com; port: 993; encryption: TLS)
  • POP3 (Not recommended but supported. server: outlook.office365.com; port: 995; encryption: TLS)
  • SMTP (server: outlook.office365.com; port: 587; encryption: STARTTLS)

The SMTP.ox service will still continue and can be used to send outgoing University email. However the recommendation for SMTP email client configuration is to use Microsoft’s SMTP server (outlook.office365.com), rather than smtp.ox.ac.uk.

This is for the following reasons:

  • To avoid a slower (and more convoluted) route for internal Nexus-to-Nexus email traffic.
  • Easier support from the vendor, by complying with their expected configuration setup.
  • A lower likelihood of internal messages being incorrectly identified as spam
  • Both Microsoft’s SMTP server and Oxmail’s smtp.ox.ac.uk offer comparable secure TLS authentication.

Microsoft offer further guidance notes for protocols and IP ranges here

Unsupported Protocols

  • MAPI (used by unsupported versions of Microsoft Outlook)
  • CalDAV (calendar access)
  • CardDAV (address book access)

FireFox

Firefox does not support the Skype for Business plugin in OWA.

Microsoft Answers give the following guidance https://answers.microsoft.com/en-us/msoffice/forum/msoffice_sfb-mso_win10/firefox-52-will-no-longer-support-the-skype-for/79df8d0f-4e28-4f6e-88c5-d13fc46f9221

OneDrive

It is recommended that local ITSS provide OneDrive for Business policies for their own Units.

There is no official Microsoft OneDrive client for Linux although unofficial third party programs exist.
Advice for Linux clients, and for users on managed desktops where the OneDrive client cannot be installed, is to use a browser to access their OneDrive files at https://onedrive.live.com

Users can share their OneDrive files directly with other users via the context menu and 'Share'. A link will be created to the file, accessible only to the named users and with only the access permissions the user has selected.
There are two Windows OneDrive clients, one for personal use (white cloud icon) and one for business use (blue cloud icon). Both can use the same University email address.

IT Services cannot prevent a Nexus365 user from getting OneDrive for Business.

Duplicate emails appearing in shared mailbox sent items folders

As we get more requests to enable the MessageCopyForSentAsEnabled and MessageCopyForSendOnBehalfEnabled attributes in Nexus365 shared mailboxes, we are seeing instances of duplicate sent emails in shared mailbox Sent Items folders. This is due to a previous recommendation to add the DelegateSentItemsStyle Registry key for Sent Items redirection. As this is a change on the local computer, it cannot be managed centrally. With the move to Nexus365 we now have the above attributes, which are managed server-side and place a copy of the sent email in both the shared mailbox's and the delegate's Sent Items folders. This cannot be modified to place a copy only in the shared Sent Items folder. The problem occurs when both the Registry key and the server attribute have been set for redirection.

The resolution is to go into Regedit (HKEY_CURRENT_USER\Software\Microsoft\Office\x.0\Outlook\Preferences) and change the DelegateSentItemsStyle value to 0, which disables it.  Restart Outlook and it will now only place one copy in each sent items folder.  Please see for reference: https://support.microsoft.com/en-us/help/2843677/messages-sent-from-a-shared-mailbox-aren-t-saved-to-the-sent-items-fol
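As an added example (not part of this guide), this PowerShell detects the double configuration on a delegate's PC and applies the resolution above. It assumes Outlook 2016 (registry branch 16.0, where the guide writes x.0), a connected Exchange Online PowerShell session for Get-Mailbox, and a placeholder shared mailbox address.

```powershell
# Added example, not from the Nexus365 guide: detect the cause of duplicate Sent Items,
# i.e. the server-side MessageCopyFor* attributes on the shared mailbox AND the
# client-side DelegateSentItemsStyle registry value both enabled, then apply the fix.
# Assumptions: Outlook 2016 (branch 16.0), an Exchange Online PowerShell session,
# and a placeholder mailbox address; run in the delegate user's own session.
param(
    [string]$SharedMailbox = 'shared-mailbox@example.ox.ac.uk',   # placeholder
    [string]$OutlookVersion = '16.0'                               # x.0 in the guide
)

$prefs = "HKCU:\Software\Microsoft\Office\$OutlookVersion\Outlook\Preferences"

# Client side: DelegateSentItemsStyle, if present (1 = local redirection enabled)
$style = (Get-ItemProperty -Path $prefs -Name DelegateSentItemsStyle -ErrorAction SilentlyContinue).DelegateSentItemsStyle

# Server side: the Nexus365 attributes the guide describes
$mbx = Get-Mailbox -Identity $SharedMailbox |
       Select-Object MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled
$serverCopy = $mbx.MessageCopyForSentAsEnabled -or $mbx.MessageCopyForSendOnBehalfEnabled

if ($serverCopy -and $style -eq 1) {
    Write-Warning "Server-side copy and DelegateSentItemsStyle are both set: duplicates expected."
    # The guide's resolution: set the value to 0 (disabled) and restart Outlook
    Set-ItemProperty -Path $prefs -Name DelegateSentItemsStyle -Value 0 -Type DWord
    Write-Output "DelegateSentItemsStyle set to 0; restart Outlook to take effect."
} elseif ($serverCopy) {
    Write-Output "Server-side copy enabled, no client redirection: one copy per Sent Items folder."
} else {
    Write-Output "Server-side copy is not enabled for $SharedMailbox; request it from the Nexus Team."
}
```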

Distribution Lists

As with on-premises Nexus your users appear in a number of system-generated groups. These are designed for use in SharePoint/Exchange for authorisation. These do not appear in the Global Address List.

You can make personal distribution lists in your mailbox, as now. System level lists will be considered where appropriate, especially for use as security groups. For mass mailing purposes, you are strongly encouraged to use the Maillist Service , also run by IT Services. The Maillist Service can include external users, provides an easy interface to add and remove subscribers, and can allow sophisticated configuration of the behaviour of the mailing list (e.g. moderation, automated joining etc.).

Meeting Rooms and Shared Bookable Resources

There is a limitation within OWA on how many meeting rooms can be displayed at one time. To mitigate against this we have introduced room groupings – you can select from a location, which will then show only the rooms at that site.
If you have previously had meeting room resources created for you and have not provided all of their information, such as capacity, please let us know and we can update the GAL to include that data.

Global Address List

The Global Address List which Nexus displays is populated with data retrieved from other University systems, which are authoritative for that information: the card database, registration databases, CUD, and telecoms data. Changes made to those databases are periodically synchronised to Nexus via automated scheduled tasks. Errors and omissions should therefore be corrected at the source database: if we were to make changes within Nexus they would be overwritten by the next synchronisation from the authoritative source.

A user’s postal address is usually entered as the main address of the unit with which they have their primary affiliation.

The company field holds your primary department/college, and the department field holds a list of all your departments/colleges. This list may be truncated (indicated by "/ ..." on the end) when necessary.

Your users’ email addresses are usually based on their primary affiliation. If you wish them to use another email address that is associated with them, you should advise them to switch addresses via: https://register.it.ox.ac.uk/self/index/

Many secondary (project) accounts are set as ex-directory. The reason that project accounts were originally hidden is we had a large number of project accounts with people's personal names as their display names. There are also some whose names may not make sense in a University-wide list, "IT Office" for example. If you want your project account to appear in the address list we advise you to contact: help@it.ox.ac.uk.

For each account you need to supply:

  • The account username
  • A sensible display name
  • The email address

Users recorded as Ex-Directory with IT Services Registration do not appear in the GAL. Also, by default, accounts matching the following criteria are hidden:

  • Project accounts
  • Accounts belonging to individuals with status of pgoffer, ugoffer, leaver, cardholder and virtual
  • Accounts that have expired

Accounts can be unhidden on request.
Hidden accounts cannot easily be added to Outlook, since the address isn’t visible when the client queries the address list, but you can request the (normally not visible) X500 address from the Nexus team which will be resolvable by Outlook. Alternatively the mailbox can be unhidden until users have added it to Outlook, and then re-hidden.

Additional Mailbox Permissions

Exchange understands two levels of impersonation over another mailbox: SendAs and SendOnBehalf.

SendAs allows you to fully impersonate another account, with messages sent by you appearing to have come from the other mailbox. For better auditing we recommend you instead request SendOnBehalf permission, which still allows you to send as another account, but with it made clear that delegation is being used – the recipient sees ‘Message from Bob on behalf of Susan’.

In addition to delegated sending permissions we can also set FullAccess rights on project accounts. This makes a secondary mailbox visible and accessible to the delegated user.

Users can also delegate more granular rights themselves over their mailbox, directly from within Outlook, to other people. However that is undertaken folder-by-folder rather than to the whole mailbox at one time. It should be noted that delegated access to someone else’s mailbox does not automatically grant rights to view items the mailbox owner has marked as ‘private’. The Nexus Team do not have routine oversight of user-assigned permissions within a mailbox, or its contents. 

The IT Services Helpdesk can assign SendAs, SendOnBehalf and FullAccess rights on request, via a support ticket.

For reasons of account security and auditing, a project account cannot be granted access to a user’s account. Authorisation, in exceptional circumstances, for such a configuration must come from:

  • The registered Department/College ITSS of the user who owns the project account
  • The owner of the project account

Note: A "user" of a project account is not authorised to request SendAs or SendOnBehalf rights unless they own the project account.

To SendAs or SendOnBehalf you must change the From field to be 'Send From Other E-mail Address' and then select that identity from the Global Address List. If you reply to a message from the inbox of that account this field will be filled in for you (this can be used to prove the permission is working). Note that this address cannot simply be typed in. If this field has been filled in incorrectly Outlook will cache that entry: it must be explicitly deleted.

Spam processing and Junk Email

For an interim period migrated users will have spam processing undertaken via Microsoft’s Exchange Online Protection ('EOP'), in addition to Oxmail spam processing. Oxmail headers will remain for anyone who wishes to process spam via inbox rules. See the Microsoft EOP document for details.

All incoming Nexus email will still flow through Oxmail - the current process of scoring messages and modifying message headers appropriately will still remain in service for the foreseeable future. This will be reviewed when the additional email security project concludes and the device/service is in place. More information will be made available as that project proceeds.

Once users are migrated to Nexus365 Oxmail's spam-scored headers will still remain in the email but they will no longer be applied when deciding whether to send email to users' Junk folders. Nexus365 EOP applies its own spam-scoring values, although an end-user can still create their own inbox rules to use oxmail headers for spam-processing if required.  See Microsoft end-user EOP guidance.

Prior to Nexus365 migration, spam processing continues to work in the current way. Users can modify their Oxmail spam processing settings on the self-registration website: https://register.it.ox.ac.uk/self/index/
Bear in mind that spam filtering must also be enabled in addition to setting your tolerance to it. First check that the spam filtering tolerance has been set on your Nexus account by visiting the self-registration website: https://register.it.ox.ac.uk/self/index/ then log in to OWA via https://nexus.ox.ac.uk/ and double-check that the "[Automatically filter junk e-mail]" setting in the [Options] -> Junk E-mail screen is enabled.

Neither Oxmail nor Nexus automatically discards email that passes a certain spam scoring threshold, unless it is infected with a virus or malware. However Nexus will automatically delete content from the Junk E-mail folder (and ‘Deleted Items’) after 90 days. Some users are annoyed that persistent spam, or irksome personal messages, still arrive in their Junk E-mail folder. These people can be helped either by creating a rule on the Junk E-mail folder to delete certain emails immediately, or by judicious use of Blocked Senders. See the OWA Light Guide.

Spam processing overview:

The current spam-filtering process is explained in detail here: http://help.it.ox.ac.uk/nexus/itss/message-flow

Process when University cards expire

When someone's University Card expires and they leave Oxford (and this notably includes "student leavers") their mailbox is usually deleted automatically three months after card expiry. Departing users can usually extend this period on request at the IT Services Help Centre.

Users can set up forwarding that works for 2 months following departure/card expiry.

N.B. OOF = Out of facility message = Out of Office = Vacation Autoreply

There are three categories of departing user:

(A) Users who have forwarding set
(B) Users who have a vacation message (OOF) set
(C) Users who have neither OOF nor forwarding set

On card expiry, all 3 groups of users cease to have access to their mailboxes. For users in groups A and B, nothing else happens until the end of month 2. Users in group C have an OOF created saying, "This account is scheduled for deletion. It is unlikely that your message will be read." (Also, if a mailbox belonging to group B has its OOF expire or switch off before the end of two months, that change should be detected within hours and the standard message applied.) At the end of month 2, mailboxes are 'detached' (or 'disabled'), and the routing tables are changed so that mail will not enter Nexus from outside. After a further one month, the mailboxes are deleted. While on-premises, this data remains on tape for about 60 further days, dependent on the HFS service.

See also Finishing at Oxford

Accessing Nexus from behind a NAT device

Nexus' on-premises firewall applies a default limit to the number of connections per minute that are accepted from a single IP address. This limit can be reached when there are a large number of users behind a single Network Address (and Port) Translation device and/or by some users having a large number of connections being opened rapidly. Users may find the interface via Outlook or Outlook Web App to be very slow or intermittently problematic. They may also see "This webpage is not available" when trying to log in to OWA or SharePoint.

Note that the limit applies to usage of both on-premises Nexus email and to SharePoint. It is often end users with email applications that make multiple simultaneous connections which cause the limit to be exceeded. Once exceeded, rate-limiting can affect SharePoint as well as Exchange. After migration to Nexus365 you will still need to notify the Nexus Team of NAT devices to avoid rate-limited access to SharePoint.

If you wish to use a NAT/NAPT device in front of users who are likely to access Nexus (on-premises Exchange or SharePoint), please register this device with the Nexus Team. Send the IP address(es) and hostnames to help@it.ox.ac.uk, prefixing the subject line with [ITSS] and including a short explanation. Please also notify us if there has been a change of device, so that a previous exception can be removed or updated.

Written by IT Services. Latest revision 30 May 2018