Understanding Microsoft Forefront Online Protection for Exchange
Nathan Winters
Microsoft Corporation
EXL201
Agenda
• FOPE Overview
• Setup and Configuration
• Administration
• Policies and Connectors
• Mail Routing
• Questions
FOPE
Overview
Edge Blocking
End User Quarantine
Administrator Console
Corporate Network
Messaging Administrator
Employees
Inbound Filtered Email
About 90% of Email is junk
Outbound Filtered Email
External Senders/ Recipients
Exchange Server
Anti-spam
Antivirus
Policy
Automatic Spooling
* Encryption
* Requires additional Exchange Hosted Encryption License
Active Directory
FOPE Directory Synchronization Tool
Legitimate Email
Junk Email
Forefront Online Protection for Exchange
Multi-layer spam and malware protection with flexible policy enforcement
Where can FOPE be deployed?
• Office 365: Every Office 365 customer is a FOPE customer
• Standalone: Protects any on-premises & hosted email implementation
• Hybrid Scenarios: Integrates FPE/FOPE policies across on-premises & cloud environments
Rapid Email Delivery: average delivery commitment of less than 1 minute
Network Uptime: > 99.999%
Known Virus Protection: 100%
Spam Detection: > 98%
False Positive Ratio: < 1:250,000
Network Performance
Spam & Malware Filtering
These are part of the Exchange Online SLA & FOPE SLA
FOPE SLA only
FOPE Service Level Agreements
User Inbox
User Junk Email Folder
Administrator Quarantine
1. Connection Filtering: Blocks up to 80% of all spam based on IP block/allow lists.
2. Sender-Recipient Filtering: Blocks up to 15% of all spam based on internal lists and sender reputation.
3. Content Filtering: Blocks up to 5% of all spam based on internal lists and heuristics.
Multi-Layered Anti-Spam Protection
Connection Filtering
Sender-Recipient Filtering
Content Filtering
Filtering based on connection, sender, recipient and content for best results
SPAM Protection
Safe senders
FOPE Inbound Filtering
Spam Prevention
If server down, E-mail queued for up to 5 days
E-mail enters the global data center network – MX (mail.messaging.microsoft.com)
Directory Services
SPAM prevention
IP Reputation based Filtering
Reputation database
Mail addressed to non-existent users is rejected
Mail from IP spammers is blocked
Look up e-mail filtering settings for domain
Virus Scanning
Engine 1
Engine 2
Engine 3
Policy Enforcement
Custom Policy Rules
Attachment and message attribute management
Custom Spam Filter management
Rules Based Scoring
Fingerprint Engines
Content and Policy Quarantine
SPAM Quarantine
E-mail server available?
Delivered in a flow-controlled fashion when server is available
Queue
Mailbox
Store
SMTP Reject: 5xx
Spam Analysts
Customer Feedback
False +ve / -ve
Sync
SEWR
FOPE Outbound Filtering
Look up e-mail filtering settings for domain
Virus Scanning
Engine 1
Engine 2
Engine 3
Policy Enforcement
Custom Policy Rules
Attachment and message attribute management
SPAM Protection
Custom Spam Filter management
Rules Based Scoring
Fingerprint Engine
Content and Policy Quarantine
Mail Server
High Risk Delivery Pool
High Spam Score
Outbound Pool
Low Spam Score
Safe senders
FOPE
http://www.microsoft.com/exchange/en-us/forefront-online-protection-for-exchange.aspx
Setup and Configuration
FOPE Setup and Provisioning
Step: Required?
1. First Time Log on to the FOPE Administration Center: Yes
2. Validate and Enable Domains: Yes. For Office 365 users, consult your Office 365 documentation instead of this topic.
3. Add Other Domains If Desired: Required only if your company uses multiple domains with FOPE. For Office 365 users, consult your Office 365 documentation instead of this topic.
4. Set up Inbound Email Filtering:
   1. Update your MX record: Yes
   2. Restrict incoming traffic to FOPE: Yes
   3. Set Up Email Deferral Notifications: Optional but highly recommended.
5. Set up Outbound Email Filtering: Required only if you are using FOPE to filter outbound email.
6. Verify the FOPE Setup: Optional but highly recommended.
Best Practices for Configuring FOPE
• Directory Synchronization
• Set up SPF Records
  "v=spf1 include:spf.messaging.microsoft.com ip4:127.0.0.3 -all"
• Network Connection Settings (SMTP config)
• Security
• Set up Routing with Virtual Domains
• Allow users to report false positives
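A check for the SPF record recommended above, as an added example (not code from the presentation or from FOPE): it verifies the FOPE include and the hard-fail `-all` terminator, and flags non-public `ip4`/`ip6` values such as the slide's loopback `127.0.0.3`. The function name, the messages and the reading of that address as a placeholder to be replaced with the organisation's own outbound IP are assumptions.

```python
import ipaddress

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(record, required_include="spf.messaging.microsoft.com"):
    """Return a list of findings for one SPF TXT record (empty list = clean)."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings, includes, lookups, all_qualifier = [], [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body.lower().startswith("redirect="):
            name, value = "redirect", body[9:]
        else:
            name, _, value = body.partition(":")
            name = name.split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(value.lower().rstrip("."))
        elif name in ("ip4", "ip6"):
            try:
                addr = ipaddress.ip_network(value, strict=False).network_address
            except ValueError:
                findings.append(f"{term}: not a valid address or network")
                continue
            if not addr.is_global:
                findings.append(f"{term}: not a public address, replace the placeholder")
        elif name == "all":
            all_qualifier = qualifier
    if required_include not in includes:
        findings.append(f"missing include:{required_include}")
    if all_qualifier != "-":
        findings.append("no -all (hard fail) term")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

# The record exactly as shown on the slide, and a constructed weak record.
SLIDE_RECORD = '"v=spf1 include:spf.messaging.microsoft.com ip4:127.0.0.3 -all"'
WEAK_RECORD = "v=spf1 mx ~all"  # constructed sample

if __name__ == "__main__":
    for rec in (SLIDE_RECORD, WEAK_RECORD):
        print(rec, "->", lint_spf(rec))
```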
demo
Administration
Reporting
• Access reporting data from your FOPE service
• Create, edit, and delete reports in the My Reports tab
• Report on all or some of your domains
• 4 Available Reports:
  • Email Traffic Report
  • Top Viruses Report
  • Deferral Report
  • Top Users Report
• Information is returned in graphs and tables
• Enable scheduled report delivery: emails the report on a one time, weekly, or monthly basis
Quarantine, Reporting, Trending & DR numbers
• Message Trace is past 30 days
• Deferral, Policy, Virus Detail data for 90 days
• User Traffic for 14 weeks
• 15 days of quarantine by default
• Data held in queue for 5 days
FOPE
Managing Junk Mail
Junk Mail Management
Three additional configurations can be done in FOPE:
• Spam Redirection – enables viewing all spam from one place
• X-Header – deliver mail normally but add X-Header to mail
• Subject Modification – Change
Direct access to Junk Mail folder
Block/allow senders directly within message
Manage safe/block sender lists directly in Outlook or Outlook Web App
Default approach: users manage junk mail in Outlook/OWA
Junk Mail Management in Exchange Online
Junk Mail Management (cont.)
Flexibility to use FOPE Spam Quarantine
Junk Email Reporting Tool
• The Junk Email Reporting Tool add-in provides single-click spam reporting directly back to Microsoft
• Allows end users to report “False Negatives Submissions”, which are spam messages not caught by the FOPE filters
• Sends email to [email protected], which is monitored by the FOPE Spam Team for analysis
FOPE
Connectors and Policies
Outbound Connector (controls email sent from your domain)
Inbound Connector (controls email sent to your domain)
Connection Security Filtering
Source IP
Source Domain
Reject non Source IP
Opportunistic TLS Forced TLS Spam Connection Policy
Connection Security Delivery
Opportunistic TLS Forced TLS Smart host MX Destination domain
FOPE Connector Architecture
Policy Enforcement
Scope
Apply the policy to one or all domains
Apply to Inbound or Outbound messages
Match
Words and phrases in the subject and body
Message size
Attachment types
Number of recipients
Sender and recipient addresses and domains
IP address or domain name
Regular Expression
Take Action
Reject message
Allow message
Quarantine message for review
Redirect message to an alternate recipient
Deliver message with BCC
Force TLS
Encrypt message (requires EHE)
Test
…
Indicate when a rule is to expire, if at all
Create text or HTML e-mail disclaimers or footers
Add a description
Notify sender, recipient, or administrator
Create or Edit a Policy Rule
Basic syntax: uses comma-separated values mixed with string-wildcard syntax
Basic syntax examples:
• appl* matches appl1234, apple, application, etc.
• appl? matches appl1, apple, apply, etc.
RegEx syntax: specify more complex expressions that match patterns of text, numbers, or special characters
RegEx syntax examples:
• ^abc matches abc1234 but not 1234abc
• abc$ matches 1234abc but not abc1234
• ab.c matches ab1c, abxc, abyc, etc.
• \d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d matches a credit card
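The two rule syntaxes above run against sample text, as an added example (not code from the presentation or from FOPE): Python's `fnmatch` and `re` stand in for the FOPE matching engines, which is an assumption. It shows what the slide's credit card pattern catches and misses; the broader pattern and the Luhn checksum step are additions that go beyond the slide.

```python
import fnmatch
import re

# Credit card pattern exactly as given on the slide (whitespace-separated groups only).
SLIDE_CARD = re.compile(r"\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d")
# Assumed broader variant, not from the slide: optional space or hyphen separators.
BROAD_CARD = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")

def basic_match(pattern, value):
    """Basic syntax: * is any run of characters, ? is exactly one (fnmatch model)."""
    return fnmatch.fnmatchcase(value, pattern)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def raw_hits(text, pattern):
    """Every regex match, which is what a regex-only rule would act on."""
    return [m.group() for m in pattern.finditer(text)]

def card_hits(text, pattern):
    """Regex matches that also pass Luhn, normalised to bare digits."""
    digits = (re.sub(r"\D", "", hit) for hit in raw_hits(text, pattern))
    return [d for d in digits if luhn_ok(d)]

# Constructed sample message body; 4111 1111 1111 1111 is a well-known test number.
SAMPLE = ("Order ref 1234 5678 9012 3456 shipped. "
          "Card 4111 1111 1111 1111, backup 4111-1111-1111-1111.")

if __name__ == "__main__":
    print("slide pattern, regex only:", raw_hits(SAMPLE, SLIDE_CARD))
    print("slide pattern + Luhn:     ", card_hits(SAMPLE, SLIDE_CARD))
    print("broad pattern + Luhn:     ", card_hits(SAMPLE, BROAD_CARD))
```

The slide's pattern flags the order reference (a false positive) and misses the hyphenated number (a false negative), which is why a policy rule built on it is worth testing against both kinds of input before it is set to reject or quarantine.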
Filters
• Add and manage “Dictionaries” for multiple policy rules
• Dictionaries are large lists of values
• Dictionaries can contain
  • IP addresses
  • Domains
  • Email addresses
  • Keywords
  • File names and extensions
• Dictionaries must be .txt or .csv
• Basic syntax
• Maximum size per dictionary: 2 MB or 9,000 characters
• Encryption via policy rules & enforced in the FOPE cloud; based on Voltage SecureMail technology
• Identity-Based Encryption (IBE) uses email address as ID for public key
• No cost for recipient non-licensed user
• All replies and forwards remain encrypted for any mail recipient
• Encrypted emails are not saved by EHE
Exchange Hosted Encryption
Send encrypted mail to anyone; no prior setup by / for external recipients
Use FOPE Admin Center for these tasks
• Track messages outside your organization
• Perform transport-related tasks not available in transport rules:
  • Specific header attributes
  • Custom dictionaries, character sets
  • Actions such as quarantine or encrypt
• Configure org-wide safe/blocked senders
• Configure granular antispam settings (e.g. backscatter, SPF)
• View reports on spam/virus filtering
• Configure forced TLS
Use Exchange Admin Tools for these tasks
• Track messages within your organization
• Set up transport rules to:
  • Add disclaimers to e-mails
  • Look for keywords and regular expressions in attachments
  • Block e-mail sent to the outside world (by sender, domain, etc)
  • Moderate e-mail delivery
• Configure journaling of e-mails to external archive
When to use Admin Center vs. the Exchange Admin Tools
FOPE
Mail Routing Basics
Mailboxes
BUSINESS PARTNER
FOPE
Edge
Policy
Spam
woodgrovebank.com
contoso.com
• TLS can be forced for inbound and/or outbound connections
• FOPE attempts to set up a TLS connection
• If TLS cannot be established, email is not sent/received
Mailboxes
Outbound Connector
Inbound Connector
• Maintain secure and trusted communication channel with partners
• Avoid email interception/ eavesdropping
Secure Messaging with TLS
Virus*
Opportunistic TLS is on by default for Office 365 customers (no action is required to enable it)
Inbound Forced TLS option can be used to secure end-to-end communication
ON-PREM / HOSTED
*Virus scanning is performed by FPE for O365 tenants
Setting the TLS configuration on Connectors
FOPE
Edge
Policy
Spam
From: [email protected]: [email protected]
Contoso.mail.onmicrosoft.com
DLP appliance or service
FOPE routes outbound email to smart host for custom mail process or delivery
INTERNET
Mailboxes
Outbound Connector
Value Proposition
• Use data leakage protection (DLP) or encryption appliances from third parties
• Perform custom processing or address rewrite
• Maintain “total mail control” during coexistence (inbound and outbound mail is all routed through on-prem server)
Outbound Smart Hosting
contoso.com
Virus*
EXCHANGE ONLINE / ON PREM
*Virus scanning is performed by FPE for O365 tenants
ON PREMISES / HOSTED JOURNAL
Choosing mail routing settings in Hybrid setup
FOPE
Edge
Policy
From: [email protected]: [email protected]
contoso.com
fabrikam.com
• Inbound mail is filtered by FOPE
• FOPE IP filtering is skipped for trusted domains
• Optionally, skip policy and spam filtering
Mailboxes
Mailboxes
SAFE-LISTED PARTNER
Inbound Connector
Value Proposition
• Reduce the chance of false positives (legitimate email from trusted partner being flagged as spam)
Inbound Safe Listing
Virus*
Spam
*Virus scanning is performed by FPE for O365 tenants
EXCHANGE ONLINE / ON PREM
Setting the safe listing configuration on Connectors
FOPE
Mail Routing for O365 Hybrid
Mail Routing During Migration to O365
Two options for mail routing
MX record pointed to the cloud
MX record pointed on-premises
Why? Least disruptive option for most customers. Recommended in our documentation for Exchange Online coexistence (Simple and Rich)
Mail forwarders are auto-configured when a mailbox is moved to the cloud using our tools
Why? Customers can stop doing Anti Spam or Mail server blacklist management themselves and reduce dependence on local mail server
How?
FOPE passes all email to Exchange Online
User objects route mail to on-prem users
Note: FOPE subscriptions are required for on-premises users
Diagram labels: Mailboxes; ON-PREMISES; Customer Mail Processing/Filtering; EXCHANGE ONLINE; Mailboxes; FOPE; Edge; Policy; Spam; INTERNET
Shared Address Space (On-Premises Relay MX Points to On-Prem) - Inbound
• MX points to on premises for initial filtering
• Custom filtering, archival etc. done on-premises
• Cloud mail is re-directed to FOPE where it is filtered
• Delivered to Exchange Online
Inbound
From: [email protected]: [email protected]
contoso.com
Outbound Exchange Send Connector
Inbound FOPE Connector
Virus*
*Virus scanning is performed by FPE for O365 tenants
Contoso.mail.onmicrosoft.com
Diagram labels: Mailboxes; ON-PREMISES; Customer Mail Processing/Filtering; EXCHANGE ONLINE; Mailboxes; FOPE; Edge; Policy; Spam; INTERNET
Shared Address Space (On-Premises Relay MX Points to On-Prem) - Outbound
• Hosted mailbox sends mail outbound
• Virus scanning is performed by FPE for Exchange Online mailboxes
• Filtered by FOPE
• Delivered to on-premises
• Custom processing on-premises
• Delivery by on-premises
Outbound
From: [email protected]: [email protected]
contoso.com
Outbound FOPE Connector
Inbound Exchange Receive Connector
Virus*
Contoso.mail.onmicrosoft.com
Diagram labels: EXCHANGE ONLINE; Mailboxes; FOPE; Edge; Virus; Policy; Spam; Mailboxes; ON-PREMISES; Customer Mail Processing/Filtering
Shared Address Space Cross Premises Mailflow – Intra Org
• It is an internal mail
• Custom processing on-premises
• Delivery to FOPE
• Filtering skipped
• Delivery to Exchange Online by FOPE
Intra Org
From: [email protected]: [email protected]
contoso.com
Outbound Exchange Send Connector
Inbound FOPE Connector
Contoso.mail.onmicrosoft.com
Diagram labels: Mailboxes; ON-PREMISES; Customer Mail Processing/Filtering; EXCHANGE ONLINE; Mailboxes; FOPE; Edge; Policy; Spam; INTERNET
• MX points to FOPE for spam processing, filtering, and scanning
• Mail is routed to Exchange Online, and if mailbox does not exist in the Exchange Online, mail is routed back to FOPE
• FOPE forwards mail to On-Premise Exchange
Inbound
From: [email protected]: [email protected]
contoso.com
Outbound FOPE Connector
Inbound Exchange Receive Connector
Virus*
Shared Address Space with FOPE Relay (MX Points to FOPE O365) – Inbound
*Migration to FOPE / Office 365
Contoso.mail.onmicrosoft.com
Diagram labels: Mailboxes; ON-PREMISES; Customer Mail Processing/Filtering; EXCHANGE ONLINE; Mailboxes; FOPE; Edge; Policy; Spam; INTERNET
Shared Address Space with FOPE Relay (MX Points to FOPE O365) – Outbound
*Migration to FOPE / Office 365
• Scanning by Forefront Protection for Exchange on Microsoft Exchange Online mail hubs
• Delivery to FOPE for scanning
• FOPE delivers to destination
• Mail from On premises routed directly
• Mail from On premises could be routed via FOPE after support call to setup connectors.
Outbound
From: [email protected]: [email protected]
contoso.com
Exchange Send Connector
Virus*
Inbound FOPE Connector
Contoso.mail.onmicrosoft.com
Resources
• Admin Center: https://admin.messaging.microsoft.com
• Administrators Guide: http://go.microsoft.com/fwlink/?LinkId=135918
• RSS Subscription Feed: http://rss.messaging.microsoft.com
• FOPE Escalation path and Support SLO: http://go.microsoft.com/fwlink/?LinkId=183846
• Get Help Customer Escalations: http://gethelp/Default.aspx
• Spam submission guide: http://technet.microsoft.com/en-us/library/ff715038.aspx
• Junk mail reporting tool: http://go.microsoft.com/fwlink/?LinkID=214016
• FOPE Setup and Provisioning: http://technet.microsoft.com/en-us/library/ff715252.aspx
• FOPE Service Description: http://www.microsoft.com/download/en/details.aspx?id=26126
• FOPE Support Service Description: http://www.microsoft.com/download/en/details.aspx?id=26803
Related Content
EXL301 – Archiving in the Cloud with Exchange Online Archiving (EOA)
EXL303 – Configuring Hybrid Exchange the Easy Way
Today – EXL307 – Using a Load balancer in your Exchange 2010 environment
Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/
Track Resources
Exchange Team Blog: http://blogs.technet.com/b/exchange/
Exchange TechNet Tech Center: http://technet.microsoft.com/exchange
MEC Website and Registration: http://www.mecisback.com/
Resources
Connect. Share. Discuss.
http://europe.msteched.com
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.