Module 4: Secure Mail Relay



© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.
Module Overview

      Secure Mail Relay overview
      Solution components
      Deployment considerations
Lesson 1 – Secure Mail Relay Overview
E-mail Threats
 ~98% of all e-mail is spam/malicious
 Over 400 billion unwanted e-mails in H2 2008
 Estimated cost is $130 billion in 2009
 Causes 90% of NDRs
 Risk of software vulnerabilities
 [Chart: Percentage of incoming messages filtered by Forefront Online Protection for Exchange, 1H06-2H08 (half-year periods 1H06 through 2H08)]
The Solution
 Filter unwanted e-mail as early as possible
 [Chart: Percentage of incoming messages blocked by Forefront™ Protection for Exchange using edge-blocking and content filtering, 1H06-2H08; series: Edge Filtered, Content Filtered, Unfiltered]
Mail Protection – ISA Server 2006
 Simple protocol inspection only
    Checks valid commands, maximum length
 [Diagram: External Network -> SMTP Filter -> SMTP Server]
Mail Protection – Forefront Threat Management Gateway
 Full featured SMTP hygiene
 Exchange Edge Transport for SMTP stack
    Requires valid license
 Integrated with Microsoft® Forefront™ Protection 2010 for
 Exchange Server
    Antimalware
    Antispam
    Antiphishing
 Also supports generic SMTP mail servers
E-mail Protection Features
 Protection at the edge
    Protects mail at the edge of the organization with Forefront
    Protection 2010 for Exchange Server
 Advanced protection and premium antispam
    Multiple scan engines to protect against malware and provide a
    premium antispam solution
 Integrated management
    Easy management of Microsoft Exchange Server Edge role and
    Forefront Protection 2010 for Exchange Server through Forefront
    TMG
 Array deployment
    Support for managing and load balancing traffic among multiple
    servers
Admin Interface
 [Screenshot: Admin Interface]
Lesson 2 – Solution Components
Solution Components
 Microsoft Products
    Forefront Protection 2010 for Exchange Server
    Microsoft® Exchange Server® 2007 (or 2010) Edge Transport
    Forefront Threat Management Gateway
    Windows Server® 2008 x64
Feature Ownership
Feature                                    Exchange Edge Role   FPE 2010
IP Allow / Block Lists                     x                    x
IP Allow / Block List Providers            x (custom)           x (FF DNSBL)
Sender / Recipient Filtering, Sender ID    x                    x
Sender Reputation                          x
Basic Content Filtering (SmartScreen)      x
Premium Antispam (Cloudmark)                                    x
File Filtering                                                  x
Message Body Filtering                                          x
Antivirus and Antispyware                                       x
Forefront TMG cannot manage Subject Line, Sender-Domain, or Allowed Senders in FPE
Mail Protection – Forefront Threat Management Gateway
 [Diagram: layered stack between the External Network and the Internal Network, bottom to top: TMG Filter Driver; Network Inspection System (NIS); Exchange Edge Role (Receive Connector, Send Connector); Forefront Security for Exchange (FSE) multi-layer filters and anti-virus engines]
EdgeSync Service
 Exchange Server service running on the Exchange Hub Transport role
 Pulls data from the GC and writes it to AD LDS on Forefront TMG (TCP port 50636)
 Configures:
    SMTP Routes (Exchange Connectors)
    Accepted Domains
    Global Address List
    Safe Sender Lists
Typical Deployment Topology
 [Diagram: Any SMTP servers and partner SMTP servers on the Internet send SMTP traffic to the Forefront TMG array; the organization's MX record points to the Forefront TMG external IP address. The array relays SMTP traffic over the internal network to the internal SMTP server for myorg.com. EdgeSync (Exchange Server only) runs between the internal Exchange server and the array.]
Lesson 3 – Configuring SMTP Protection
SMTP Protection Installation
 In each member of the Forefront TMG array:
    Install Active Directory® Lightweight Directory Services (AD LDS)
    Install Exchange Server 2007 SP1 (or 2010) Edge Transport role
    Install Forefront Protection 2010 for Exchange Server
    Install Forefront Threat Management Gateway 2010
SMTP Protection Configuration Steps
 Run e-mail policy wizard
    Configure SMTP routes
    Configure spam filtering
    Configure virus and content filtering
 Enable and configure EdgeSync
Configure SMTP Routes
 Defines how Forefront TMG routes traffic from and to the
 organization SMTP servers
 At least two routes required:
    Internal_Mail_Servers define the IP addresses and SMTP domains
    of the internal mail servers
    External_Mail_Servers define which mail is allowed to enter the
    organization and the external FQDN/IP address that will receive
    mail
Configure Spam Filtering
 Defines spam filtering policy
    Connection-level filtering
       IP Allow List
       IP Allow List Providers
       IP Block List
       Block List Providers
    Protocol-level filtering
       Configuring Recipient Filtering
       Configuring Sender Filtering
       Configuring Sender ID
       Configuring Sender Reputation
    Content-level filtering
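The three filtering levels above, together with the accepted domains that the Internal_Mail_Servers SMTP route defines, are easiest to reason about as a pipeline that stops at the first layer able to decide. The following is an added example written for this page, not Forefront TMG or Exchange Edge code: every list, the stand-in for a block list provider answer, the reputation scores, the simulated Sender ID results and the sample sessions are constructed assumptions, and the rule that an IP Allow List hit bypasses the remaining spam checks is an example policy choice, not a product default.

```python
"""Layered inbound SMTP filtering in the order the slides list it: connection-level
(IP allow/block lists, block list providers), protocol-level (sender and recipient
filtering, Sender ID, sender reputation), then content-level (spam confidence level).
Added example; not Forefront TMG or Exchange Edge code. All data below is constructed."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Session:
    client_ip: str
    mail_from: str
    rcpt_to: list
    spf_result: str   # stand-in for the Sender ID check: "pass", "fail" or "none"
    scl: int          # stand-in for the content filter's spam confidence level, 0..9


@dataclass
class Policy:
    # Accepted domains come from the Internal_Mail_Servers SMTP route; known_recipients
    # stands in for the GAL that EdgeSync replicates to AD LDS (constructed values).
    accepted_domains: set = field(default_factory=lambda: {"myorg.com"})
    known_recipients: set = field(default_factory=lambda: {"alice@myorg.com", "postmaster@myorg.com"})
    ip_allow: list = field(default_factory=lambda: [ipaddress.ip_network("198.51.100.0/24")])
    ip_block: list = field(default_factory=lambda: [ipaddress.ip_network("192.0.2.0/24")])
    dnsbl_listed: set = field(default_factory=lambda: {"203.0.113.66"})   # block list provider stand-in
    blocked_senders: set = field(default_factory=lambda: {"spammer@example.net"})
    blocked_sender_domains: set = field(default_factory=lambda: {"bad.example"})
    sender_reputation: dict = field(default_factory=lambda: {"203.0.113.77": 8})  # ip -> SRL 0..9
    srl_block_threshold: int = 7
    scl_reject_threshold: int = 7


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def evaluate(session: Session, policy: Policy) -> tuple:
    """Return (stage, action, reason) from the first layer that decides the session."""
    ip = ipaddress.ip_address(session.client_ip)

    # Connection-level: decided from the source IP alone, before any message data is accepted.
    if _in_any(ip, policy.ip_allow):
        # Example policy choice: allow-listed sources skip the remaining spam checks.
        return ("connection", "accept", "source IP on IP Allow List")
    if _in_any(ip, policy.ip_block):
        return ("connection", "reject", "source IP on IP Block List")
    if session.client_ip in policy.dnsbl_listed:
        return ("connection", "reject", "source IP listed by block list provider")

    # Protocol-level: evaluated on the SMTP envelope (MAIL FROM / RCPT TO).
    sender = session.mail_from.lower()
    if sender in policy.blocked_senders or sender.rsplit("@", 1)[-1] in policy.blocked_sender_domains:
        return ("protocol", "reject", "sender filtering")
    for rcpt in session.rcpt_to:
        rcpt = rcpt.lower()
        if rcpt.rsplit("@", 1)[-1] not in policy.accepted_domains:
            # Not one of our domains: an inbound relay attempt, refused at RCPT TO.
            return ("protocol", "reject", f"recipient filtering: relay to {rcpt} refused")
        if rcpt not in policy.known_recipients:
            return ("protocol", "reject", f"recipient filtering: {rcpt} not in GAL")
    if session.spf_result == "fail":
        return ("protocol", "reject", "Sender ID check failed")
    if policy.sender_reputation.get(session.client_ip, 0) >= policy.srl_block_threshold:
        return ("protocol", "reject", "sender reputation level at or above block threshold")

    # Content-level: only reached once the whole message has been received and scored.
    if session.scl >= policy.scl_reject_threshold:
        return ("content", "reject", f"SCL {session.scl} at or above reject threshold")
    return ("content", "accept", f"SCL {session.scl}; delivered to internal SMTP server")


# Constructed sample sessions (TEST-NET addresses), one per decision point.
SAMPLES = {
    "blocklisted": Session("192.0.2.10", "someone@example.org", ["alice@myorg.com"], "none", 1),
    "relay_attempt": Session("203.0.113.5", "someone@example.org", ["victim@other.example"], "none", 1),
    "bad_reputation": Session("203.0.113.77", "someone@example.org", ["alice@myorg.com"], "pass", 1),
    "spam_content": Session("203.0.113.5", "someone@example.org", ["alice@myorg.com"], "pass", 8),
    "clean": Session("203.0.113.5", "someone@example.org", ["alice@myorg.com"], "pass", 2),
}


def run_samples(policy: Policy = None) -> dict:
    """Evaluate every sample session; returns name -> (stage, action, reason)."""
    policy = policy or Policy()
    return {name: evaluate(s, policy) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (stage, action, reason) in run_samples().items():
        print(f"{name:15} {stage:10} {action:7} {reason}")
```

The point of the ordering is cost: a connection-level rejection costs one IP lookup, a protocol-level rejection costs a few envelope commands, and only mail that survives both is worth receiving in full and scoring, which is what "filter unwanted e-mail as early as possible" on slide 5 means in practice. The relay check is the one to verify first on a new deployment: a recipient outside the accepted domains must be refused at RCPT TO, not accepted and bounced later.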
Spam Filtering – Connection-level Filtering
 [Screenshot: connection-level filtering settings]
Spam Filtering – Protocol-level Filtering
 [Screenshot: protocol-level filtering settings]
Spam Filtering – Content-level Filtering
 [Screenshot: content-level filtering settings]
Virus and Content Filtering
 Configures antivirus, file attachment, and message body
 filtering
    Virus filter – Engine selection policy and remediation actions
    File filters – Unwanted file attachments based on file type,
    filename, and prefix
    Message body filters – Identify unwanted e-mail messages by
    applying keyword lists to the contents of the message body
Virus and Content Filtering
 [Screenshot: virus and content filtering]
Virus and Content Filtering Configuration
 [Screenshot: virus and content filtering configuration]
Replicating Configuration to Exchange Server and FPE
 [Diagram: 1. The administrator configures the policy in the TMG UI; 2. TMG stores the configuration to the DB; 3. Array members load the new configuration; 4. Each member configures the Exchange Edge service and the FPE service using the PowerShell API]
Questions
Lab 4: Secure Mail Relay
 In this lab, you will:
    Configure EdgeSync
    Define an e-mail policy
    Verify antimalware and antispam protection
 Exercises 7 and 8
 Estimated Completion Time: 60 min
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or
trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because
Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee
the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Editor's notes

  1. Microsoft Security Intelligence Report, volume 6 (www.microsoft.com/sir) reports that 98% of e-mail is spam. Microsoft Forefront Online Security for Exchange (FOSE; formerly Microsoft Exchange Hosted Services, or EHS) provides enterprise-class spam and malware filtering services for thousands of customers. This figure shows the percentage of incoming e-mail messages that FOSE has filtered as spam in every half-year period since 1H06. In 2H08, FOSE filtered 97.3 percent of all e-mail messages it received, delivering only about one out of every 40 messages to intended recipients. This figure was down from 98.4 percent in 1H08. The source for the $130 billion loss is Ferris Research (http://www.ferris.com/research-library/industry-statistics/).
  2. FOSE performs spam filtering in two stages. The vast majority of spam is blocked by servers at the network edge, which use a number of non-content–based rules to block probable spam or other unwanted messages. Messages that are not blocked at the first stage are scanned using content-based rules, which detect and filter additional e-mail threats, including attachments containing malware. This figure shows the percentage of messages blocked at each stage in every half-year period since 1H06.
  3. ISA Server intercepts all Simple Mail Transfer Protocol (SMTP) traffic that arrives on port 25 of the ISA Server computer. The SMTP filter accepts the traffic, inspects it, and passes it on only if the rules allow. By default, the SMTP filter is applied to the SMTP and SMTP Server protocols for incoming traffic. ISA Server supports inter-forest communication between Exchange Server computers only when the communication is over a secure channel (using TLS).
     Logging blocked e-mail messages: If an SMTP command is blocked because it violates one of the SMTP filter's conditions, the blocked message is logged only when you enable the SMTP filter event alert. This alert is disabled by default.
     Handling commands: The SMTP filter examines SMTP commands sent by Internet SMTP servers and clients. The filter intercepts SMTP commands and checks whether they are valid and comply with the maximum length allowed, in order to protect against buffer-overrun attacks. SMTP commands that violate the policy restrictions are assumed to be attacks against the SMTP server and are stopped by the SMTP filter. Each SMTP command has a maximum length associated with it, expressed as the number of bytes allowed for that command. If an attacker sends a command that exceeds the number of bytes allowed for the command, ISA Server returns an error code to the sender and then drops the connection. When a client uses a command that is defined but disabled, the filter closes that connection. When a client uses a command that is unrecognized by the SMTP filter, no filtering is performed on that message. The SMTP AUTH RFC carries AUTH as a parameter of the MAIL FROM command. For this reason, the SMTP filter blocks MAIL FROM commands only when they exceed the combined length allowed for MAIL FROM and AUTH (when AUTH is enabled).
     For example, if you specify a maximum length of 266 bytes for MAIL FROM and 1,024 bytes for AUTH, the message is blocked only if the MAIL FROM command exceeds 1,290 bytes. The SMTP filter does not inspect SSL/TLS-encrypted SMTP traffic. To keep such traffic from bypassing inspection, configure the SMTP filter to block the STARTTLS/TLS commands.
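The behaviour described on slide 6 and in note 3 (a per-command byte limit, an error reply plus disconnect on overflow, connection closed on a disabled command, unrecognized commands passed through uninspected, and the combined MAIL FROM + AUTH limit) can be modelled in a few dozen lines. The following is an added example written for this page, not ISA Server code: the command table, every byte limit other than the 266 and 1,024 figures quoted in the note, the disabled-command set and the sample session are constructed assumptions.

```python
"""Model of the per-command length check performed by the ISA Server 2006 SMTP
filter (slide 6, note 3). Added example, not ISA Server code. Apart from the
266/1,024-byte figures quoted in the note, the command table, limits, disabled
set and sample commands are constructed assumptions."""

from dataclasses import dataclass, field

# Constructed policy table: maximum bytes allowed for each recognized command.
DEFAULT_LIMITS = {
    "HELO": 266, "EHLO": 266, "MAIL FROM": 266, "RCPT TO": 266, "AUTH": 1024,
    "DATA": 4, "RSET": 4, "NOOP": 4, "QUIT": 4, "VRFY": 266, "EXPN": 266,
    "STARTTLS": 8, "TLS": 3,
}


@dataclass
class Verdict:
    action: str   # "pass", "error" (error reply, connection dropped), "close" (disabled command), "unfiltered"
    command: str
    reason: str = ""


@dataclass
class SmtpCommandFilter:
    limits: dict = field(default_factory=lambda: dict(DEFAULT_LIMITS))
    disabled: set = field(default_factory=lambda: {"VRFY", "EXPN"})  # constructed: defined but disabled
    auth_enabled: bool = True

    @staticmethod
    def _verb(line: str) -> str:
        up = line.upper()
        for two_word in ("MAIL FROM", "RCPT TO"):
            if up.startswith(two_word):
                return two_word
        return up.split(" ", 1)[0]

    def check(self, line: str) -> Verdict:
        verb = self._verb(line)
        if verb not in self.limits:
            # Unrecognized command: the filter performs no inspection on it.
            return Verdict("unfiltered", verb, "command not in filter table; passed through uninspected")
        if verb in self.disabled:
            return Verdict("close", verb, "command disabled by policy; connection closed")
        limit = self.limits[verb]
        if verb == "MAIL FROM" and self.auth_enabled:
            # AUTH travels as a MAIL FROM parameter, so the effective MAIL FROM limit is
            # MAIL FROM + AUTH: 266 + 1,024 = 1,290 bytes with the note's values.
            limit += self.limits["AUTH"]
        size = len(line.encode("utf-8"))
        if size > limit:
            return Verdict("error", verb, f"{size} bytes exceeds {limit}-byte limit; connection dropped")
        return Verdict("pass", verb)


def run_session(flt: SmtpCommandFilter, lines) -> list:
    """Apply the filter command by command; stop at the first verdict that ends the connection."""
    verdicts = []
    for line in lines:
        v = flt.check(line)
        verdicts.append(v)
        if v.action in ("error", "close"):
            break
    return verdicts


# Constructed sample session: a normal envelope, an unknown extension command, then an
# oversized MAIL FROM that exceeds even the combined 1,290-byte limit.
SAMPLE_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@myorg.com>",
    "XCLIENT ADDR=203.0.113.5",
    "MAIL FROM:<" + "A" * 1300 + "@example.net>",
    "DATA",   # never reached: the connection is dropped on the previous command
]

if __name__ == "__main__":
    for v in run_session(SmtpCommandFilter(), SAMPLE_SESSION):
        print(f"{v.action:10} {v.command:10} {v.reason}")
```

Two things the model makes visible that the prose only states: a MAIL FROM of 1,000 bytes passes while AUTH is enabled but is rejected once AUTH is disabled, because the limit silently drops from 1,290 to 266; and an unrecognized command is not blocked but passed through with no checks at all, so the protection only covers the commands you have in the table. Adding STARTTLS and TLS to the disabled set is the note's recommended way of stopping encrypted sessions from bypassing the filter.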
  4. E-mail protection subscription service: Forefront TMG provides an e-mail protection subscription service, based on technology integrated from Forefront Protection 2010 for Exchange Server. Forefront TMG serves as a relay for SMTP traffic, and scans e-mail for viruses, malware, spam and content (such as executable or encrypted files) as it crosses the network.
     Utilizing Microsoft mail protection technologies: Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization. When deploying the e-mail protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the e-mail protection feature provides a number of benefits, which are described in Benefits of creating an e-mail policy with Forefront TMG (http://technet.microsoft.com/en-us/library/dd897005.aspx#benis).
     Layered protection: Because spammers or malicious senders use a variety of techniques, Forefront TMG implements a layered and multifaceted approach to reducing spam and viruses. The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
  5. Benefits of creating an e-mail policy with Forefront TMG
There are a number of advantages to implementing e-mail protection with Forefront TMG:
Protection on the edge – The e-mail protection feature in Forefront TMG inspects mail traffic at the edge (the point of entry into an enterprise's core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage.
Integrated management – When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
Extended management – Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange Server and FPES deployments. When you configure an e-mail policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring e-mail policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage.
Native support for Network Load Balancing (NLB) – Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.
  6. Integrated management
When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
  7. Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization. When deploying the e-mail protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the e-mail protection feature provides a number of benefits.
  8. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow, and provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange Server organization. Additional layers of message protection and security are provided by a series of agents that run on the Edge Transport server, and act on messages as they are processed by the message transport components. These agents support the features that provide protection against viruses and spam, and apply transport rules to control message flow.
Advantages of an Edge Subscription
Creating an Edge Subscription establishes secure, automatic replication of directory and other information from the Exchange organization to the Edge Transport servers. Routing and accepted domain configuration that was controlled directly on the Edge Transport server is now configured on the Hub Transport server. Although creating an Edge Subscription is optional, subscribing an Edge Transport server to the Exchange organization enhances the available anti-spam features. You must create an Edge Subscription if you plan to use the anti-spam features, recipient lookup or safelist aggregation, or if you plan to help secure SMTP communications with partner domains, by using mutual Transport Layer Security (TLS).
Background on EdgeSync
In Exchange Server 2007, the Edge Transport server role is deployed in your organization's perimeter network. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow and provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization. Additional layers of message protection and security are provided by a series of agents that run on the Edge Transport server and act on messages as they are processed by the message transport components. These agents support the features that provide protection against viruses and spam and apply transport rules to control message flow.
Although creating an Edge Subscription is optional, subscribing an Edge Transport server to the Exchange organization provides a simpler management experience for the administrator and enhances the available anti-spam features. You must create an Edge Subscription if you plan to use the anti-spam features, recipient lookup or safelist aggregation, or if you plan to help secure SMTP communications with partner domains by using mutual Transport Layer Security (TLS). One or more Edge Transport servers can be subscribed to a single Active Directory site. However, an Edge Transport server cannot be subscribed to more than one Active Directory site. If you have more than one Edge Transport server deployed, each server can be subscribed to a different Active Directory site. Each Edge Transport server requires an individual Edge Subscription. A subscribed Edge Transport server can support only one Exchange Server organization.
The Microsoft Exchange EdgeSync service replicates the following data from Active Directory to ADAM:
Send connector configuration
Accepted domains
Remote domains
Message classifications
Safe Senders lists
Recipients
TLS Send and Receive Domain Secure lists
Internal SMTP Servers list
List of Hub Transport servers in the subscribed Active Directory site
For more information about the data that is replicated to ADAM and how it is used, see the Microsoft TechNet article EdgeSync Replication Data (http://technet.microsoft.com/en-us/library/bb232177.aspx).
  9. A mail exchanger (MX) resource record for your domain must be registered on Internet DNS servers, and the MX record must point to the external IP address of Forefront TMG. Forefront TMG can use a specific IP address for outbound mail, or use DNS to locate the Mail Exchange (MX) record of the remote SMTP server. In the latter case, Forefront TMG queries DNS for the IP address in the MX record and uses that address to deliver the mail. If you select this routing method, verify that your DNS server can successfully resolve names on the Internet.
  10. You should install these mail protection technologies (and their prerequisites) on each array member, in the following order:
Install Active Directory Lightweight Directory Services (required by EdgeSync). For instructions, see Installing Active Directory Lightweight Directory Services (http://technet.microsoft.com/en-us/library/ee207141.aspx#AD_LDS).
Install the Exchange Server Edge Transport role. For instructions, see Installing the Exchange Server Edge Transport role (http://technet.microsoft.com/en-us/library/ee207141.aspx#installEdge). If you have already installed Forefront TMG, you must remove Windows PowerShell 1.0 before installing Exchange. See Removing Windows PowerShell 1.0 (http://technet.microsoft.com/en-us/library/ee207141.aspx#PW1) for instructions.
Install Forefront Protection 2010 for Exchange Server. For instructions, see Installing Forefront Protection 2010 for Exchange Server (http://technet.microsoft.com/en-us/library/ee207141.aspx#installProtection).
Install Forefront TMG. For instructions, see the Microsoft TechNet article Installing Forefront TMG (http://technet.microsoft.com/en-us/library/cc441440.aspx).
  11. Configuring SMTP protection involves creating an e-mail policy, which can be done through the E-mail Policy Wizard. The e-mail policy contains the settings in the following areas:
SMTP Routes
Spam Filtering
Virus Filtering
Content Filtering
  12. The first step in creating the e-mail policy is to configure how Forefront TMG routes mail traffic to and from the internal Simple Mail Transfer Protocol (SMTP) servers in your organization. The Exchange Edge Transport server installed on your Forefront TMG server acts as a relay between your internal SMTP servers and those outside your organization, and applies the e-mail policy that you create to mail in transit. In Forefront TMG, these mail routes are called SMTP routes. You must create at least two routes, as follows:
On the Internal_Mail_Servers route, you enter the IP addresses of your internal mail servers, the SMTP domains of your mail organization (known as accepted authoritative domains in Microsoft Exchange), and the networks from which mail may be sent. This instructs Forefront TMG to accept and relay internal mail only from these authorized networks, IP addresses and domains.
On the External_Mail_Servers route, you define from which networks mail is allowed to enter the mail organization, select the mail routing method to use to send internal mail to external networks, and enter the publicly registered FQDN or IP address that external mail servers should use as the address for your mail organization.
Each SMTP route has an e-mail listener that responds to mail requests from permitted IP addresses and networks. You can create these initial SMTP routes with the E-mail Policy Wizard, and then create additional routes by using the Create SMTP Route Wizard. In order to configure SMTP routes, you must install the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES) on each Forefront TMG server in the array.
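The two routes above amount to a relay rule: outbound mail is relayed only from the authorized internal networks and for the organization's own domains, and inbound mail is accepted only when it is addressed to those domains. The following added example (not Forefront TMG or Exchange Edge code) models that decision; the route names follow the wizard's defaults, while the networks, addresses and domains are constructed.

```python
"""Model of the relay decision implied by the Internal_Mail_Servers and
External_Mail_Servers routes. Added example, not Forefront TMG code; the
networks, addresses and domains are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SmtpRoute:
    name: str
    listener_networks: list   # networks whose connections this route's listener answers
    accepted_domains: set     # the organization's SMTP domains (accepted authoritative domains)
    delivery: str             # where mail accepted on this route is relayed to


# Constructed routes (example values, not a real deployment).
INTERNAL_ROUTE = SmtpRoute("Internal_Mail_Servers", [ip_network("10.0.0.0/8")],
                           {"corp.example"}, "DNS MX lookup of the recipient domain")
EXTERNAL_ROUTE = SmtpRoute("External_Mail_Servers", [ip_network("0.0.0.0/0")],
                           {"corp.example"}, "internal mail server 10.0.1.25")


def relay_decision(source_ip, sender_domain, recipient_domain,
                   internal=INTERNAL_ROUTE, external=EXTERNAL_ROUTE):
    """Return (accepted, explanation) for one connection's MAIL FROM / RCPT TO pair."""
    src = ip_address(source_ip)
    sender_domain, recipient_domain = sender_domain.lower(), recipient_domain.lower()
    if any(src in net for net in internal.listener_networks):
        # Outbound: only the authorized networks may relay, and only for our own domains.
        if sender_domain in internal.accepted_domains:
            return True, f"outbound via {internal.name}: {internal.delivery}"
        return False, f"{internal.name}: sender domain {sender_domain} is not an accepted domain"
    if any(src in net for net in external.listener_networks):
        # Inbound: accept only mail addressed to our domains; anything else is open relaying.
        if recipient_domain in external.accepted_domains:
            return True, f"inbound via {external.name}: {external.delivery}"
        return False, "550 relaying denied: recipient domain is not an accepted domain"
    return False, "no listener answers this source network"
```

The internal route is checked first, so a server on the internal network is never treated as an anonymous external sender even though 0.0.0.0/0 would also contain it; narrowing the external listener's networks (for instance to a provider's ranges) is what the "from which networks mail is allowed to enter" setting expresses.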
  13. Spam Filtering options are configured in the Spam Filtering tab.
  14. The Spam Content filter evaluates inbound e-mail messages, and assesses the probability that an inbound message is legitimate or spam. The filter assigns a spam confidence level (SCL) rating to each inbound message that comes from the Internet. The SCL rating is a number between 1 and 9; the higher the rating, the greater the likelihood that the message is spam. You can configure the Content Filter agent to take the following actions on messages according to their SCL rating:
Delete the message.
Reject the message.
Quarantine the message.
For example, you might determine that messages that have an SCL rating of 7 or higher must be deleted, messages that have an SCL rating of 6 must be rejected, and messages that have an SCL rating of 5 must be quarantined. You can adjust the SCL threshold behavior by assigning different SCL ratings to each of these actions. Setting a low value will cause too many messages to be rejected as spam; setting a high value will allow too many to pass through.
The Content Filter is the last filter to scan inbound messages. Therefore, the settings of the SCL thresholds and threshold actions are very important. If you set the SCL thresholds too high, you might not reduce the spam that enters your organization. If you set the SCL thresholds too low, the risk is that you will block messages from legitimate users.
On the Content Filtering properties sheet, you can customize the following:
Custom Words – Define custom words and set custom key words for tagging messages to be filtered or not filtered.
Exceptions – Designate recipients for which content filtering will not be used.
Action – Configure the spam confidence level (SCL) thresholds and set the action to take on messages based on their SCL rating.
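As an added example (not Exchange or Forefront TMG code), the following models the three customizable parts of the content filter together: recipient exceptions, custom words, and the SCL threshold actions, using the thresholds from the notes (delete at 7 or higher, reject at 6, quarantine at 5). How the product itself orders these checks is simplified here, and the batch of sample messages is constructed; the summary function is there to show how moving the thresholds shifts the balance the notes warn about.

```python
"""Model of the Content Filter action stage: SCL thresholds, recipient exceptions
and custom words. Added example, not Exchange or Forefront TMG code; the
ordering of the checks is this model's simplification and all data is constructed."""
from dataclasses import dataclass, field


def valid_thresholds(delete, reject, quarantine):
    """Actions escalate with the rating, so delete >= reject >= quarantine within 1..9."""
    return 9 >= delete >= reject >= quarantine >= 1


@dataclass
class ContentFilterPolicy:
    delete_threshold: int = 7
    reject_threshold: int = 6
    quarantine_threshold: int = 5
    block_phrases: list = field(default_factory=list)      # custom words tagged "to be filtered"
    allow_phrases: list = field(default_factory=list)      # custom words tagged "not filtered"
    excepted_recipients: set = field(default_factory=set)  # content filtering skipped entirely

    def __post_init__(self):
        if not valid_thresholds(self.delete_threshold, self.reject_threshold, self.quarantine_threshold):
            raise ValueError("thresholds must satisfy 9 >= delete >= reject >= quarantine >= 1")


def content_filter_action(policy, scl, recipient, body):
    """Return 'deliver', 'quarantine', 'reject' or 'delete' for one inbound message."""
    if recipient.lower() in policy.excepted_recipients:
        return "deliver"
    text = body.lower()
    if any(p.lower() in text for p in policy.allow_phrases):
        return "deliver"          # in this model an allow phrase overrides the rating
    if any(p.lower() in text for p in policy.block_phrases):
        scl = 9                   # a block phrase forces the highest rating
    if scl >= policy.delete_threshold:
        return "delete"
    if scl >= policy.reject_threshold:
        return "reject"
    if scl >= policy.quarantine_threshold:
        return "quarantine"
    return "deliver"


def summarize(policy, messages):
    """Count the action taken for each (scl, recipient, body) in a batch."""
    counts = {"deliver": 0, "quarantine": 0, "reject": 0, "delete": 0}
    for scl, recipient, body in messages:
        counts[content_filter_action(policy, scl, recipient, body)] += 1
    return counts


# Constructed sample batch: (SCL, recipient, body). Not real traffic.
SAMPLE_MESSAGES = [
    (2, "alice@corp.example", "Quarterly report attached"),
    (5, "bob@corp.example", "Special pricing for you"),
    (6, "bob@corp.example", "Act now"),
    (8, "carol@corp.example", "You have won"),
    (9, "postmaster@corp.example", "Bounce for an earlier message"),
]
```

Running the same batch through a policy with all three thresholds at 5 turns the quarantine and reject cases into deletions, which is the "too many messages rejected as spam" side of the trade-off in the notes; the excepted postmaster mailbox is unaffected either way.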
  15. Virus filters – Forefront TMG lets you employ multiple scan engines (up to five) to detect and clean viruses from e-mail attachments. Multiple engines provide extra security by enabling you to draw upon the expertise of various virus labs to keep your environments virus-free; a virus might slip by one engine, but it's unlikely to get past three.
The intelligent engine selection policy setting controls how many of the selected engines should be used in order to provide you with an acceptable probability that your system is protected (because there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.
File filters – Identify unwanted file attachments within e-mail messages. You can filter file attachments based on file type, filename, and prefix.
Message body filters – Identify unwanted e-mail messages by analyzing the contents of the message body. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences.
About keyword list syntax rules
The following are the syntax rules for a keyword list:
Each item (line of text) is considered a search query.
Queries use the OR operator. It is considered to be a positive detection if any entry is a match.
Queries can contain operators that separate text tokens. Such queries are called expressions. The following logical operators are supported. There must be a space between an operator and a keyword, represented in the examples by the • character:
_AND_ (Logical AND). For example: apple•_AND_•orange juice
_NOT_ (Negation). For example: apple•_AND__NOT_•juice
_ANDNOT_ (Same as _AND__NOT_). For example: apple•_ANDNOT_•juice
_WITHIN[#]OF_ (Proximity). If the two terms are within a specified number of words of each other, there is a match. For example: free•_WITHIN[10]OF_•offer. (If free is within 10 words of offer, this query is true.)
_HAS[#]OF_ (Frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example: _HAS[4]OF_•get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query is true. This operator is implicitly assumed and has a default value of 1 when it is not specified.
Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest): 1) _WITHIN[#]OF_ 2) _HAS[#]OF_ 3) _NOT_ 4) _AND_. This precedence cannot be overridden with parentheses.
The logical operators must be entered in uppercase letters.
Phrases can also be used as keywords, for example, apple juice or get rich quick.
Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A••••B is treated as A•B and matches the phrase A•B.
In HTML encoded message texts, punctuation (any character that is not alphanumeric) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter <html> matches <html>, but not html.
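The syntax rules above are precise enough to implement, and doing so is the quickest way to check how a keyword list will behave before deploying it. The following added example (not FPES code) is an evaluator for that syntax: one query per line with OR across lines, the five operators, the stated precedence with no parentheses, implicit _HAS[1]OF_, whitespace collapsing, and the HTML punctuation rule. Case-insensitive matching and the way HTML punctuation is tokenized are this model's own choices, made so that a keyword such as <html> matches <html> but not bare html, as the notes state; the sample keyword list is constructed.

```python
"""Evaluator for the keyword-list syntax above (one query per line, OR across
lines, _AND_/_NOT_/_ANDNOT_/_WITHIN[#]OF_/_HAS[#]OF_ with the stated precedence).
Added example, not FPES code: it models the documented rules; case-insensitive
matching and the HTML token handling are this model's own choices."""
import re

# Operators are recognised only in uppercase; any other non-blank run is a keyword.
QUERY_TOKEN = re.compile(r"_WITHIN\[(\d+)\]OF_|_HAS\[(\d+)\]OF_|_ANDNOT_|_AND_|_NOT_|\S+")

def tokenize_text(text, html=False):
    """Whitespace runs collapse to one separator. In HTML mode punctuation also separates
    words but stays as its own token, so the keyword <html> matches <html>, not bare html."""
    text = text.lower()
    return re.findall(r"[a-z0-9]+|[^a-z0-9\s]", text) if html else text.split()

def tokenize_query(line):
    toks = []
    for m in QUERY_TOKEN.finditer(line):
        if m.group(1) is not None:
            toks.append(("WITHIN", int(m.group(1))))
        elif m.group(2) is not None:
            toks.append(("HAS", int(m.group(2))))
        elif m.group(0) == "_ANDNOT_":
            toks += [("AND",), ("NOT",)]              # shorthand for _AND_ _NOT_
        elif m.group(0) in ("_AND_", "_NOT_"):
            toks.append((m.group(0).strip("_"),))
        else:
            toks.append(("WORD", m.group(0)))
    return toks

class QueryParser:
    """Recursive descent, lowest precedence first: _AND_ < _NOT_ < _HAS[#]OF_ < _WITHIN[#]OF_ < phrase."""
    def __init__(self, line):
        self.toks, self.i = tokenize_query(line), 0
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.parse_and()
        if self.i != len(self.toks):                  # e.g. a _NOT_ not preceded by _AND_
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return node
    def parse_and(self):
        terms = [self.parse_not()]
        while self.peek() == "AND":
            self.take()
            terms.append(self.parse_not())
        return ("AND", terms)
    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.parse_not())
        return self.parse_has()
    def parse_has(self):
        required = self.take()[1] if self.peek() == "HAS" else 1   # implicit _HAS[1]OF_
        return ("HAS", required, self.parse_within())
    def parse_within(self):
        left = self.parse_phrase()
        if self.peek() == "WITHIN":
            return ("WITHIN", self.take()[1], left, self.parse_phrase())
        return ("PHRASE", left)
    def parse_phrase(self):
        words = []
        while self.peek() == "WORD":
            words.append(self.take()[1])
        if not words:
            raise ValueError("keyword expected")
        return " ".join(words)

def positions(phrase, tokens, html):
    p = tokenize_text(phrase, html)
    return [i for i in range(len(tokens) - len(p) + 1) if tokens[i:i + len(p)] == p]

def occurrences(node, tokens, html):
    """Matches of a phrase, or of a proximity pair, in the token stream."""
    if node[0] == "PHRASE":
        return len(positions(node[1], tokens, html))
    _, dist, left, right = node
    right_pos = positions(right, tokens, html)
    return sum(1 for i in positions(left, tokens, html) if any(abs(i - j) <= dist for j in right_pos))

def evaluate(node, tokens, html):
    if node[0] == "AND":
        return all(evaluate(t, tokens, html) for t in node[1])
    if node[0] == "NOT":
        return not evaluate(node[1], tokens, html)
    return occurrences(node[2], tokens, html) >= node[1]        # HAS node

def match_keyword_list(keyword_list, message, html=False):
    """Return the first query line that matches the message (OR across lines), else None."""
    tokens = tokenize_text(message, html)
    for line in keyword_list.splitlines():
        if line.strip() and evaluate(QueryParser(line).parse(), tokens, html):
            return line
    return None

# Constructed keyword list built from the operator examples above (not from the page).
SAMPLE_LIST = "apple _AND_ orange juice\napple _ANDNOT_ juice\nfree _WITHIN[10]OF_ offer\n_HAS[4]OF_ get rich quick"
```

Each leaf evaluates to a count, so _HAS[#]OF_ applies uniformly to a phrase and to a _WITHIN[#]OF_ pair (the number of occurrences of the left term that have the right term within range), and _NOT_ sits above both, which is the listed precedence. A query that cannot be parsed (for example a _NOT_ that is not preceded by _AND_) raises ValueError rather than silently matching nothing, which is the behaviour you want when validating a list before it goes live.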