2. E-mail protection
Full featured SMTP hygiene
Exchange Edge Transport for SMTP stack
Requires valid license
Integrated with Microsoft® Forefront™ Protection 2010 for
Exchange Server
Antimalware
Antispam
Antiphishing
Also supports generic SMTP mail servers
3. Benefits of an e-mail policy with Forefront TMG
Protection on the edge saving processing resources, bandwidth, and
storage
Integrated management—When you create an e-mail policy using
Forefront TMG, you configure the settings in the Forefront TMG
Management console, and then Forefront TMG applies your
configuration to Exchange Edge and FPES
Extended management—Forefront TMG allows you to deploy multiple
servers in an array, and manage those servers from a single interface.
This is true for the e-mail protection feature, which is a benefit not
available to other Exchange and FPES deployments
Native support for Network Load Balancing (NLB)—Using NLB and a
virtual IP address, you can deploy more Forefront TMG servers at a
single point of entry, thereby processing more mail traffic
4. Features
Protection at the edge
Protects mail at the edge of the organization with Forefront
Protection 2010 for Exchange Server
Advanced protection and premium antispam
Multiple scan engines to protect against malware and provide a
premium antispam solution
Integrated management
Easy management of Microsoft Exchange Server Edge role and
Forefront Protection 2010 for Exchange Server through Forefront
TMG
Array deployment
Support for managing and load balancing traffic among multiple
servers
5. Forefront Protection for Exchange and Mail Flow
Mail received from an external client
FPE performs its checks at the edge level and applies a stamp
Firewall rules are applied
Passage from Edge to Hub through the firewall
Further verification of the rules
AV stamp check
If FPE is present on the hub, it is activated only when there is no anti-malware stamp
6. Forefront Protection and Exchange Roles
FPE can be implemented on a single role machine or on a machine that includes three roles
The configuration options that FPE allows you to implement will vary according to the
role for which it was implemented
FPE does not support installations on a CAS-only role because there is no workload to
protect
NOTE If you have multiple Exchange servers, you can install and configure FPE on a single
Exchange server and later export and import the configuration settings to your other
Exchange servers. However, you must install FPE on each separate server before you can
import the configuration settings
To export the configuration file to an .xml file
Export-FseSettings -path c:\ConfigSettingsExport.xml
To export all extended options
Get-FseExtendedOption -name * >> c:\ConfigSettingsExtended.txt
8. Forefront Protection Processing Decision
The source analysis performs various tests, such as
determining whether the source IP is allowed or if it
belongs to a block list
In the protocol analysis, another set of tests, such as a
test to determine whether the sender is listed as allowed
or blocked, is performed
Next, the content analysis will determine whether there is
any anomaly on the email body that matches any
configured policies
The user also has a direct influence on the message’s
acceptance, based on the local rules created in Outlook
11. Components
Microsoft Products
Forefront Protection 2010 for
Exchange Server
Microsoft® Exchange Server® 2007
(or 2010) Edge Transport
Forefront Threat Management
Gateway
Windows Server® 2008 x64
12. Features
Feature / Exchange Edge Role / FPE 2010 / Filter
Connection Filter: IP Allow / Block Lists; IP Allow / Block List Providers ((custom), (FF DNSBL))
Protocol Filter: Sender / Recipient Filtering, Sender ID; Sender Reputation
Content Filter: Basic Content Filtering (SmartScreen); Premium Antispam (Cloudmark)
File Filtering
Message Body Filtering
Antivirus and Antispyware
Forefront TMG cannot manage Subject Line, Sender-Domain, or Allowed Senders in FPE
14. Installation
In each member of the Forefront TMG array:
Install Active Directory® Lightweight Directory Services (AD LDS)
Install Exchange Server 2007 SP1 (or 2010) Edge Transport role
Install Forefront Protection 2010 for Exchange Server
Install Forefront Threat Management Gateway 2010
15. Detail: Edge Transport Server installation
• Install the prerequisite software: open the Scripts directory on the installation
media and enter the following command
ServerManagerCmd.exe -InputPath Exchange-Edge.XML
• Install the Edge Transport Server
• Configure the EdgeSync Service: open an Exchange Management Shell and
enter the following command
New-EdgeSubscription -FileName C:\Edge-TMG.XML
• Copy the Edge-TMG.XML file to the internal Hub Transport Server and import
it there: open an Exchange Management Shell and enter the following
commands:
$Temp = Get-Content -Path "C:\Edge-TMG.xml" -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $Temp -Site "Default-First-Site"
Start-EdgeSynchronization
16. Detail: Forefront Protection for Exchange installation
Choosing to Enable Antispam now will
disable Exchange’s content
filtering agent, if it is currently enabled.
Uninstalling FPE will not re-enable Exchange’s
content filtering agent; re-enabling the
filtering agent must be done manually
17. Configuration
Run e-mail policy wizard
Configure SMTP routes
Configure spam filtering
Configure virus and content filtering
Enable and configure EdgeSync
18. E-Mail Policy Wizard
Set the internal server and the domains for
which you are authoritative
Almost every option is configured for
you without additional configuration, all
but content filtering: do not go below 6
in content filtering or most of the e-mails
will be blocked
20. Creating SMTP Routes
Defines how Forefront TMG routes traffic from and to the
organization SMTP servers
At least two routes required:
Internal_Mail_Servers define the IP addresses and SMTP domains of
the internal mail servers
External_Mail_Servers define which mail is allowed to enter the
organization and the external FQDN/IP address that will receive mail
Each SMTP route has an e-mail listener which responds to mail
requests from permitted IP addresses and networks.
21. Creating routes
Anti-virus Engines
Forefront Security for Exchange (FSE)
Multi-layer Filters
Multi-layer Filters
Exchange Edge Role
Receive Connector Send Connector
Network Inspection System (NIS)
TMG Filter Driver
External Network Internal Network
22. Spam Filtering
The anti-spam solution on FPE is composed of four major
detection pillars:
Source
Protocol
Content
Client analysis
To configure these options, under the Antispam option,
click Configure.
You can run the Windows PowerShell command
Set-FseSpamFiltering -enabled $true in the Forefront
Management Shell to enable the Antispam feature. This
process requires you to restart the Microsoft Exchange
Transport service. Another way to enable the Antispam
feature is by clicking Enable Antispam Filtering
23. Configuring Spam Filtering
Defines spam filtering policy
Connection-level filtering
IP Allow List
IP Allow List Providers
IP Block List
Block List Providers
Protocol-level filtering
Configuring Recipient Filtering
Configuring Sender Filtering
Configuring Sender ID
Configuring Sender Reputation
Content-level filtering
25. Spam Filtering - IP Allow List
The IP Allow List allows you to
add one or more IP addresses
that are considered trusted and
should always be allowed to
send e-mail.
You can use this option, for
example, in a scenario where you
have partners that you want to
categorize as trusted sources
of e-mail and therefore allow
them to send e-mail without
passing through the normal
SMTP filters.
This feature is enabled by
default on the Spam Filtering tab
26. Spam Filtering - IP Allow List Providers
You can use the IP Allow List
Providers dialog box to
maintain a list of IP addresses
that are known to not be
associated with any type of
spam activity
The IP Allow List Providers
feature is also referred to as
safe list services
This feature is enabled by
default on the Spam Filtering
tab
27. Spam Filtering - IP Block List
In contrast with the IP Allow
List, the IP Block List allows
you to add one or more IP addresses
that should never be allowed
to establish an SMTP
connection with TMG
You want to block this IP
during the connect phase (the
initial attempt to establish the
SMTP connection)
28. Spam Filtering - IP Block List Providers
You have the capability to add the providers that are known
(or suspected) to send spam
This option is enabled by default and you can change the
status in the Status drop-down box
30. Spam Filtering - Recipient Filtering
In the Recipient Filtering dialog box, you can specify a list of
e-mail addresses or a distribution list that would like to
receive e-mails from outside your organization
It is very common within an organization to have some
distribution lists that are used regularly, and you
might want to prevent those from receiving e-mail from the Internet.
31. Spam Filtering - Sender Filtering
If you learn of a specific e-mail address that is sending lots
of spam to your organization and you want to block that
source e-mail address from sending messages, you can use
the Sender Filtering feature
1. Click the Block Senders tab and notice that by default there
is already a filter to block
2. Click Add, and then add the e-mail address
3. Click OK. Click Add again and then specify the domain
that you want to block
4. 5. Click the Action tab to specify the action to be taken
when a message contains one of the senders specified in
the Block Senders list
32. Spam Filtering - Sender ID
The Sender ID feature works by verifying that the source of
the message is the organization it claims to be. Sender ID
checks the IP address of the sending server against a
registered list of servers that the domain owner has
authorized to send e-mail.
34. Spam Filtering - Content-level Filtering
Delete Messages That Have A SCL Rating Greater Than Or Equal To: Exchange Edge Transport Server (installed on the TMG computer) accepts and then deletes the message. The message is deleted and the sending server is not notified of the message deletion. Because the sending server understands that the message was accepted, the sending server doesn't retry sending the message in the same session
Reject Messages That Have A SCL Rating Greater Than Or Equal To: This option rejects the message by sending one of several SMTP negative responses to the sending server
Quarantine Messages That Have A SCL Rating Greater Than Or Equal To: When using this option you need to specify a mailbox to hold the quarantined e-mail. You must have the mailbox account already created prior to configuring this option. In other words, this option does not create a mailbox for quarantine; it can only use an existing mailbox
The numbers that are configured beside each of those options have a range from 0 to 9, where 9 indicates that the e-mail is very likely to be spam and 0 indicates that the e-mail is least likely to be spam. Notice that by default all options are dimmed, but if you select any of those check boxes the option will be enabled. For this example leave all these settings at their default values and click OK to close the dialog box
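The source, protocol and content stages from the preceding slides (IP Allow/Block Lists, Sender Filtering, SCL thresholds) walked in order, as an added example that is not code from the original slides or from Forefront TMG. The policy values, the result names and the rule that the most severe SCL action is checked first are assumptions made for illustration.

```python
import ipaddress

# Constructed policy values for illustration; none come from a real deployment.
POLICY = {
    "ip_allow": ["198.51.100.10"],             # trusted partner relay
    "ip_block": ["203.0.113.0/24"],            # refused during the connect phase
    "blocked_senders": ["spammer@example.net"],
    "blocked_domains": ["bulk.example.org"],
    # SCL thresholds 0-9; None models a check box that is left cleared.
    "scl_delete": 9, "scl_reject": 7, "scl_quarantine": 6,
}


def _in_list(ip: str, entries) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def scl_action(scl: int, policy=POLICY) -> str:
    """Most severe enabled action whose threshold the SCL rating reaches."""
    for action, key in (("delete", "scl_delete"), ("reject", "scl_reject"),
                        ("quarantine", "scl_quarantine")):
        threshold = policy.get(key)
        if threshold is not None and scl >= threshold:
            return action
    return "deliver"


def decide(source_ip: str, sender: str, scl: int, policy=POLICY) -> str:
    """Walk the source, protocol and content stages in order."""
    # Source analysis: allow-listed IPs bypass the remaining filters.
    if _in_list(source_ip, policy["ip_allow"]):
        return "deliver"
    if _in_list(source_ip, policy["ip_block"]):
        return "reject-at-connect"
    # Protocol analysis: blocked sender address or sender domain.
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    if sender in policy["blocked_senders"] or domain in policy["blocked_domains"]:
        return "reject-sender"
    # Content analysis: act on the SCL rating assigned to the message.
    return scl_action(scl, policy)
```

With the thresholds all set to `None`, as in the dimmed default state of the dialog box, `scl_action` returns "deliver" for every rating.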
35. Virus and Content Filtering
Configures antivirus, file attachment, and message body
filtering
Virus filter – Engine selection policy and remediation actions
File filters – Unwanted file attachments based on file type,
filename, and prefix
Message body filters – Identify unwanted e-mail messages by
applying keyword lists to the contents of the message body
37. Virus and Content Filtering - Configuration
On the Engines tab you can select up to five engines that will be used for transport scanning
(inbound and outbound messages).
You can also select how the engines will be used to scan the messages by selecting one of the
following options:
Always Scan With All Selected Engines: Using this option, Forefront Protection 2010 for
Exchange Server queues messages for scanning if any of the selected engines becomes
busy, such as during signature updates or heavy e-mail traffic times.
Scan With The Subset Of Selected Engines Which Are Available: This option scans using all
selected engines. Scans alternate between engines when one of the selected engines is
busy.
Scan With A Dynamically Chosen Subset Of Selected Engines: Using this option, Forefront
Protection 2010 for Exchange Server heuristically chooses from the selected engines, based
on recent results and statistical projections.
Scan With Only One Of The Selected Engines: Using this option, only one of the selected
engines listed in this dialog box is used to scan any single object.
Note: When selecting multiple engines it is important to consider performance and
sizing of the server. CPU utilization can increase 20 to 40 percent depending on bias
and engines.