Managing corporate email infrastructure is highly capital-intensive and laborious. Amazon WorkMail does all the heavy lifting on behalf of customers to offer the highest grade of security to organizations, along with much-needed flexibility. In this session, get an inside look into how Amazon WorkMail leverages other AWS services, such as AWS KMS and AWS Directory Service, and learn more about how our customers have successfully set up their highly secure email infrastructure in just a few easy steps.
2. What to Expect from the Session
• Why we built Amazon WorkMail
• What is Amazon WorkMail?
• Features and functionality
• Pricing and availability
• Getting started with Amazon WorkMail
• Integrating with your on-premises environment
• Migrating to Amazon WorkMail
• Q&A
3. Why we built Amazon WorkMail
• Email has evolved from a simple communication tool to an enabler of almost any business process
• Secure access is key
• Managing the infrastructure required to operate this mission-critical service adds cost and complexity
4. Managed service
• Eliminate up-front investments to license and provision on-premises email servers
• WorkMail automatically handles all of the patches, backups, and upgrades
• As needs grow, add more users with a few clicks in the AWS Management Console
5. Enterprise grade security
• Encryption using customer managed keys
• Regional data control
• Secure mobile access
• Protection from malware, spam, and viruses
7. Outlook features
• Natively compatible with Microsoft Outlook on Windows and Mac
• Shared calendars and shared mailboxes
• Global Address Book
• Support for resource booking
• Advanced permissions and delegation
• Server-side rules
8. WebMail features
• Access to your email, contacts and calendar
• Shared calendars
• Free/busy scheduling
• Amazon WorkDocs integration
9. Pricing and availability
• Pay-as-you-go
• No user or long-term commitments
• Cost-effective - $4/user/month for 50 GB mailbox
• Bundled with WorkDocs - $6/user/month
• 30-day free trial for up to 25 users
• Initially available in US East (N. Virginia), US West (Oregon), and EU West (Ireland) regions
11. Getting started
• Available through the AWS Management Console
• Quick setup lets you get started in 10 minutes and automatically creates all required AWS resources for you
• Custom setup lets you integrate WorkMail with your corporate directory and use custom keys
12. Quick setup
Step 1: Create your organization
Step 2: Add your domains
Step 3: Create your users, groups, and resources
Step 4: Migrate your mailboxes
Step 5: Configure your desktop and mobile clients
14. Step 1 – Create your organization
• WorkMail creates all required AWS resources for you:
  • VPC
  • Simple AD directory
  • Test mail domain
  • Service default key in AWS KMS
• Recommended setup for evaluation purposes and small business deployments
15. Step 2 - Setting up your domains
• Add your domains (like yourcorporate.com) to WorkMail to use in your email addresses
• You can add multiple domains to your organization
• Users/groups can have multiple email addresses across different domains
16. Setting up your domains (2)
• Add your domain
• Verify your domain by adding a verification token in the TXT DNS record
• Set up DomainKeys Identified Mail (DKIM) signing
• Switch the MX and AutoDiscover DNS records when mailbox migration is complete
17. Step 3 - Provisioning of users and groups
• After domains are added, you can provision users and distribution groups using the domains
• With quick setup, users can be created in the WorkMail console
18. Next steps
Step 4 and step 5 are similar to custom setup and will be discussed later in this presentation
19. Custom setup
Use custom setup to:
• Use your existing VPC
• Integrate WorkMail with your existing directory environment
• Use a customer master key for mailbox encryption
Recommended setup for medium-sized businesses and enterprises
20. Custom setup - steps
Step 1: Extend your VPC to your on-premises network and set up an AD Connector
Step 2: Create your organization in WorkMail
Step 3: Add your domain names
Step 4: Enable your existing users and groups
Step 5: Migrate your mailboxes
Step 6: Configure your desktop and mobile clients
22. Prerequisites
• Extend your on-premises network to your VPC through a virtual private network (VPN) connection or AWS Direct Connect
• Have two subnets in different Availability Zones available in the VPC
• Set up AWS Directory Service AD Connector in the VPC
• No need for any additional on-premises software components!
23. AD Connector architecture
[Diagram: two AD Connector proxy instances, one in each of two Availability Zones; LDAP & Kerberos requests are proxied over the VPN connection to the AD in the corporate data center]
24. Using on-premises directory integration
• Easily provision existing users for WorkMail
• Reuse existing AD/Exchange security and distribution groups in WorkMail
• Automatic propagation of users/groups changes every 4 hours
• Authentication requests are forwarded to your on-premises directory
26. Protect your mailbox data
• Mailbox data at rest is protected by AWS Key Management Service
• Use the service default key or a customer master key
• Key actions are logged in AWS CloudTrail
• WorkMail configures a grant on the master key during initial setup
27. How is WorkMail encrypting your data
• Master key for your organization
• Asymmetric key per mailbox
• Each item in mailbox encrypted by symmetric key
[Diagram: item encrypted with data key; data key encrypted with public mailbox key; mailbox private key encrypted with KMS key]
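The key hierarchy on this slide, as an added sketch that is not WorkMail's or AWS's code: a local AES key stands in for the KMS master key, the function names are hypothetical, and RSA-OAEP and AES-256-GCM are assumed algorithms the slides do not name. It shows that storing an item needs only the mailbox public key, while reading one needs the master key to unwrap the mailbox private key.

```javascript
// Added sketch of the slide's key hierarchy; not WorkMail code.
// Assumptions: a local AES key stands in for the KMS master key; RSA-2048
// OAEP and AES-256-GCM are illustrative choices the slides do not name.
const crypto = require('crypto');

// AES-256-GCM seal/open; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// Per-mailbox key pair; the private half is kept only in wrapped form.
function createMailbox(masterKey) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  return { publicKey, wrappedPrivateKey: seal(masterKey, der), items: [] };
}

// Storing an item uses a fresh data key and the mailbox PUBLIC key only.
function storeItem(mailbox, body) {
  const dataKey = crypto.randomBytes(32);
  mailbox.items.push({
    wrappedDataKey: crypto.publicEncrypt(
      { key: mailbox.publicKey, oaepHash: 'sha256' }, dataKey),
    ciphertext: seal(dataKey, Buffer.from(body, 'utf8')),
  });
  return mailbox.items.length - 1;
}

// Reading walks the chain back: master key -> private key -> data key -> item.
function readItem(mailbox, index, masterKey) {
  const der = open(masterKey, mailbox.wrappedPrivateKey);
  const privateKey = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  const { wrappedDataKey, ciphertext } = mailbox.items[index];
  const dataKey = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, wrappedDataKey);
  return open(dataKey, ciphertext).toString('utf8');
}
```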
29. Integrate WorkMail with your existing email environment
• Provide users with a unified global address book containing all users, groups, and resources
• Email routing between on-premises email system and WorkMail
• Calendar free/busy lookups between on-premises email systems and WorkMail
30. Set up interoperability support
• Add all domains to WorkMail
• Set up free/busy service accounts in Microsoft Exchange and WorkMail
• Set up Availability Address Space in Microsoft Exchange
  Add-AvailabilityAddressSpace -ForestName example.awsapps.com -AccessMethod OrgWideFB -Credentials <Credential>
• Enable interoperability support in WorkMail
31. Unified Global Address Book
• Interoperability support will automatically sync all Microsoft Exchange users, groups, and resources to WorkMail
• Object changes must be done using the Exchange Management Console
• Enabling users for WorkMail is still done through the AWS Management Console
32. Email routing in an integrated environment
[Diagram labels:
• On-premises environment (example.com): john@example.com, targetAddress: john@example.awsapps.com; Forward to: john@example.awsapps.com
• Amazon WorkMail (example.com, example.awsapps.com): Primary: john@example.com, Alias: john@example.awsapps.com
• Message: To: john@example.com]
33. Calendar free/busy interoperability
[Diagram labels:
• On-premises environment (example.com): john; targetAddress: mary@example.awsapps.com
• Amazon WorkMail: Primary: mary@example.com, Alias: mary@example.awsapps.com
• Numbered steps 1 to 5, of which two are labelled: 1. Free/busy lookup for Mary; 4. Free/busy lookup for Mary with WM service account]
34. Migrating to WorkMail
• The WorkMail migration tool is a utility for migration of Microsoft Exchange and Office 365 mailboxes
• Integration with third-party migration vendors will be available for migrations from Microsoft, Google Apps, Lotus Notes, Novell GroupWise, Zimbra, and other email servers
35. Using the WorkMail migration tool
• Prepare your Microsoft Exchange environment
• Enable and configure WorkMail migration setup
• Install and configure the migration tool
• Prepare the migration user list
• Migrate mailboxes to WorkMail
36. Using the WorkMail migration tool (2)
• Run the migration tool on an on-premises Windows client, Amazon EC2, or Amazon WorkSpaces
• Run the migration tool close to WorkMail endpoints for lowest latency
• When migrating large batches, run the migration tool on multiple servers or instances
37. Finalizing migration
After all mailboxes are successfully migrated:
• Create AutoDiscover DNS record
  autodiscover.example.com CNAME autodiscover.mail.us-east-1.awsapps.com
• Turn off local Autodiscover
  Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalURI $Null
• Change MX DNS record to WorkMail SMTP servers
• Turn off interoperability support
• Decommission on-premises email environment
38. Sign up for WorkMail preview today
• aws.amazon.com/workmail