Understanding Microsoft Forefront Online Protection for Exchange Nathan Winters Microsoft Corporation EXL201

Page 1

Understanding Microsoft Forefront Online Protection for Exchange

Nathan Winters

Microsoft Corporation

EXL201

Page 2

Agenda

• FOPE Overview
• Setup and Configuration
• Administration
• Policies and Connectors
• Mail Routing
• Questions

Page 3

FOPE

Overview

Page 4

Edge Blocking

End User Quarantine

Administrator Console

Corporate Network

Messaging Administrator

Employees

Inbound Filtered Email

About 90% of Email is junk

Outbound Filtered Email

External Senders/ Recipients

Exchange Server

Anti-spam

Antivirus

Policy

Automatic Spooling

* Encryption

* Requires additional Exchange Hosted Encryption License

Active Directory

FOPE Directory Synchronization Tool

Legitimate Email

Junk Email

Forefront Online Protection for Exchange

Multi-layer spam and malware protection with flexible policy enforcement

Page 5

Where can FOPE be deployed?

Office 365

• Every Office 365 customer is a FOPE customer

Standalone

• Protects any on-premises & hosted email implementation

Hybrid Scenarios

• Integrates FPE/FOPE policies across on-premises & cloud environments

Page 6

FOPE Service Level Agreements

Network Performance

• Rapid Email Delivery: average delivery commitment of less than 1 minute
• Network Uptime: > 99.999%

Spam & Malware Filtering

• Known Virus Protection: 100%
• Spam Detection: > 98%
• False Positive Ratio: < 1:250,000

These are part of the Exchange Online SLA & FOPE SLA

FOPE SLA only

Page 7

User Inbox

User Junk Email Folder

Administrator Quarantine

Connection Filtering (1)

Content Filtering (3)

Sender-Recipient Filtering (2)

Blocks up to 80% of all spam based on IP block/allow lists.

Blocks up to 5% of all spam based on internal lists and heuristics.

Blocks up to 15% of all spam based on internal lists and sender reputation.

Multi-Layered Anti-Spam Protection

Connection Filtering

Sender-Recipient Filtering

Content Filtering

Filtering based on connection, sender, recipient and content for best results

Page 8

SPAM Protection

Safe senders

FOPE Inbound Filtering

Spam Prevention

If server down, E-mail queued for up to 5 days

E-mail enters the global data center network – MX (mail.messaging.microsoft.com)

Directory Services

SPAM prevention

IP Reputation based Filtering

Reputation database

Mail addressed to non-existent users is rejected

Mail from IP spammers is blocked

Look up e-mail filtering settings for domain

Virus Scanning

Engine 1

Engine 2

Engine 3

Policy Enforcement

Custom Policy Rules

Attachment and message attribute management

Custom Spam Filter management

Rules Based Scoring

Fingerprint Engines

Content and Policy Quarantine

SPAM Quarantine

SPAM

E-mail server available?

Delivered in a flow-controlled fashion when server is available

Queue

Mailbox

Store

SPAM

SMTP Reject: 5xx

Spam Analysts

Customer Feedback

False +ve / -ve

Sync

SEWR

Page 9

FOPE Outbound Filtering

Look up e-mail filtering settings for domain

Virus Scanning

Engine 1

Engine 2

Engine 3

Policy Enforcement

Custom Policy Rules

Attachment and message attribute management

SPAM Protection

Custom Spam Filter management

Rules Based Scoring

Fingerprint Engine

Content and Policy Quarantine

Mail Server

High Risk Delivery Pool

High Spam Score

Outbound Pool

Low Spam Score

Safe senders

Page 11

FOPE Setup and Provisioning

1. First Time Log on to the FOPE Administration Center. Required? Yes
2. Validate and Enable Domains. Required? Yes. For Office 365 users, consult your Office 365 documentation instead of this topic.
3. Add Other Domains If Desired. Required? Required only if your company uses multiple domains with FOPE. For Office 365 users, consult your Office 365 documentation instead of this topic.
4. Set up Inbound Email Filtering:
   1. Update your MX record. Required? Yes
   2. Restrict incoming traffic to FOPE. Required? Yes
   3. Set Up Email Deferral Notifications. Required? Optional but highly recommended.
5. Set up Outbound Email Filtering. Required? Required only if you are using FOPE to filter outbound email.
6. Verify the FOPE Setup. Required? Optional but highly recommended.

Page 12

Best Practices for Configuring FOPE

• Directory Synchronization
• Setup SPF Records

"v=spf1 include:spf.messaging.microsoft.com ip4:127.0.0.3 -all"

• Network Connection Settings (SMTP config)
• Security
• Setup Routing with Virtual Domains
• Allow users to report false positives

[email protected]
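An added check for the SPF record on this slide (not from the original deck, and not a Microsoft tool): it parses the record, flags ip4 entries in loopback or private ranges such as the slide's 127.0.0.3, which no remote receiver ever sees as a connecting address, and confirms the record ends in a hard fail. The function names are hypothetical, 203.0.113.25 is a constructed documentation address, and include: targets are not resolved.

```python
import ipaddress

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Ranges a remote receiver never sees as the connecting address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, value) terms."""
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"                      # default qualifier is pass
        if raw[0] in QUALIFIERS:
            qualifier, raw = raw[0], raw[1:]
        name, sep, value = raw.partition(":")    # mechanisms: name:value
        if not sep:
            name, sep, value = raw.partition("=")  # modifiers: name=value
        terms.append((qualifier, name.lower(), value))
    return terms


def lint_spf(record):
    """Return findings for a record before it is published in DNS."""
    terms = parse_spf(record)
    findings = []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    for _, name, value in terms:
        if name != "ip4":
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"ip4:{value} is not a valid IPv4 address or network")
            continue
        if any(net.subnet_of(bad) for bad in NON_PUBLIC):
            findings.append(f"ip4:{value} is loopback/private; use the public outbound address")
    all_quals = [q for q, name, _ in terms if name == "all"]
    if not all_quals:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_quals[-1] != "-":
        findings.append(f"'all' is {QUALIFIERS[all_quals[-1]]}; the slide's record uses -all")
    return findings


def ip_term_authorizes(record, sender_ip):
    """True if sender_ip matches a pass-qualified ip4 term (includes are not resolved)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "ip4" and qualifier == "+" and ip.version == 4:
            if ip in ipaddress.ip_network(value, strict=False):
                return True
    return False


SLIDE_RECORD = '"v=spf1 include:spf.messaging.microsoft.com ip4:127.0.0.3 -all"'
# Constructed variant with a documentation address in place of the loopback entry.
CONSTRUCTED_RECORD = "v=spf1 include:spf.messaging.microsoft.com ip4:203.0.113.25 -all"

if __name__ == "__main__":
    for rec in (SLIDE_RECORD, CONSTRUCTED_RECORD):
        print(rec, "->", lint_spf(rec) or "no findings")
```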

Page 13

demo

Administration

Page 16

Reporting

• Access reporting data from your FOPE service
• Create, edit, and delete reports in the My Reports tab
• Report on all or some of your domains
• 4 Available Reports:
  • Email Traffic Report
  • Top Viruses Report
  • Deferral Report
  • Top Users Report
• Information is returned in graphs and tables
• Enable scheduled report delivery: emails the report on a one time, weekly, or monthly basis

Page 22

Quarantine, Reporting, Trending & DR numbers

• Message Trace is past 30 days
• Deferral, Policy, Virus Detail data for 90 days
• User Traffic for 14 weeks
• 15 days of quarantine by default
• Data held in queue for 5 days

Page 23

FOPE

Managing Junk Mail

Page 24

Junk Mail Management

Three additional configurations can be done in FOPE:

• Spam Redirection – enables viewing all spam from one place
• X-Header – deliver mail normally but add X-Header to mail
• Subject Modification – Change

Page 25

Direct access to Junk Mail folder

Block/allow senders directly within message

Manage safe/block sender lists directly in Outlook or Outlook Web App

Junk Mail Management in Exchange Online

Default approach: users manage junk mail in Outlook/OWA

Page 26

Junk Mail Management (cont.)

Flexibility to use FOPE Spam Quarantine

Page 27

Junk Email Reporting Tool

• The Junk Email Reporting Tool add-in provides single-click spam reporting directly back to Microsoft
• Allows end users to report “False Negatives Submissions” which are spam messages not caught by the FOPE filters
• Sends email to [email protected] which is monitored by the FOPE Spam Team for analysis

Page 28

FOPE

Connectors and Policies

Page 29

Outbound Connector (controls email sent from your domain)

Inbound Connector (controls email sent to your domain)

Connection Security Filtering

Source IP

Source Domain

Reject non Source IP

Opportunistic TLS Forced TLS Spam Connection Policy

Connection Security Delivery

Opportunistic TLS Forced TLS Smart host MX Destination domain

FOPE Connector Architecture

Page 30

Policy Enforcement

Scope

Apply the policy to one or all domains

Apply to Inbound or Outbound messages

Match

Words and phrases in the subject and body

Message size

Attachment types

Number of recipients

Sender and recipient addresses and domains

IP address or domain name

Regular Expression

Take Action

Reject message

Allow message

Quarantine message for review

Redirect message to an alternate recipient

Deliver message with BCC

Force TLS

Encrypt message (requires EHE)

Test

Indicate when a rule is to expire, if at all

Create text or HTML e-mail disclaimers or footers

Add a description

Notify sender, recipient, or administrator

Page 31

Create or Edit a Policy Rule

Basic syntax: uses comma-separated values mixed with string-wildcard syntax

Basic syntax examples:

• appl* matches appl1234, apple, application, etc.
• appl? matches appl1, apple, apply, etc.

RegEx syntax: specify more complex expressions that match patterns of text, numbers, or special characters

RegEx syntax examples:

• ^abc matches abc1234 but not 1234abc
• abc$ matches 1234abc but not abc1234
• ab.c matches ab1c, abxc, abyc, etc.
• \d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d matches a credit card
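The two syntaxes on this slide as an added Python example (not from the original deck): `basic_to_regex` is a hypothetical helper that assumes a basic-syntax value must match a whole word, and Python's `re` module stands in for FOPE's regex engine. It goes beyond the slide by pairing a broadened card pattern with a Luhn checksum, because the slide's pattern matches any 16 digits in four whitespace-separated groups and misses hyphenated numbers.

```python
import re


def basic_to_regex(rule):
    """Compile a basic-syntax rule: comma-separated values, '*' = any run, '?' = one char."""
    alternatives = []
    for value in rule.split(","):
        value = value.strip()
        if value:
            # Escape everything, then re-enable only the two wildcards.
            escaped = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
            alternatives.append(escaped)
    return re.compile("(?:" + "|".join(alternatives) + ")", re.IGNORECASE)


def basic_matches(rule, word):
    """Assumption: a basic-syntax value has to match the whole word."""
    return basic_to_regex(rule).fullmatch(word) is not None


# The slide's pattern: four groups of four digits, one whitespace character between groups.
SLIDE_CARD = re.compile(r"\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d")
# Assumed broader variant: optional space or hyphen, not embedded in a longer digit run.
BROAD_CARD = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return candidate card numbers that match BROAD_CARD and pass the Luhn check."""
    hits = []
    for m in BROAD_CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(m.group())
    return hits


# Constructed sample: one order reference that only looks like a card, plus a
# widely published test number in two formats.
SAMPLE = ("Order ref 1234 5678 9012 3456, card 4111-1111-1111-1111, "
          "alt 4111 1111 1111 1111.")

if __name__ == "__main__":
    print("slide pattern :", SLIDE_CARD.findall(SAMPLE))
    print("broad + Luhn  :", find_cards(SAMPLE))
```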

Page 32

Filters

• Add and manage “Dictionaries” for multiple policy rules
• Dictionaries are large lists of values
• Dictionaries can contain
  • IP addresses
  • Domains
  • Email addresses
  • Keywords
  • File names and extensions
• Dictionaries must be .txt or .csv
• Basic syntax
• Maximum size per dictionary: 2 MB or 9,000 characters

Page 33

Exchange Hosted Encryption

Send encrypted mail to anyone; no prior setup by / for external recipients

• Encryption via policy rules & enforced in the FOPE cloud; based on Voltage SecureMail technology
• Identity-Based Encryption (IBE) uses email address as ID for public key
• No cost for recipient non-licensed user
• All replies and forwards remain encrypted for any mail recipient
• Encrypted emails are not saved by EHE

Page 34

When to use Admin Center vs. the Exchange Admin Tools

Use FOPE Admin Center for these tasks

• Track messages outside your organization
• Perform transport-related tasks not available in transport rules:
  • Specific header attributes
  • Custom dictionaries, character sets
  • Actions such as quarantine or encrypt
• Configure org-wide safe/blocked senders
• Configure granular antispam settings (e.g. backscatter, SPF)
• View reports on spam/virus filtering
• Configure forced TLS

Use Exchange Admin Tools for these tasks

• Track messages within your organization
• Set up transport rules to:
  • Add disclaimers to e-mails
  • Look for keywords and regular expressions in attachments
  • Block e-mail sent to the outside world (by sender, domain, etc)
  • Moderate e-mail delivery
• Configure journaling of e-mails to external archive

Page 35

FOPE

Mail Routing Basics

Page 36

Mailboxes

BUSINESS PARTNER

FOPE

Edge

Policy

Spam

woodgrovebank.com

contoso.com

• TLS can be forced for inbound and/or outbound connections
• FOPE attempts to set up a TLS connection
• If TLS cannot be established, email is not sent/received

Mailboxes

Outbound Connector

Inbound Connector

• Maintain secure and trusted communication channel with partners

• Avoid email interception/ eavesdropping

Secure Messaging with TLS

Virus*

Opportunistic TLS is on by default for Office 365 customers (no action is required to enable it)

Inbound Forced TLS option can be used to secure end-to-end communication

ON-PREM / HOSTED

*Virus scanning is performed by FPE for O365 tenants

Page 37

Setting the TLS configuration on Connectors

Page 38

FOPE

Edge

Policy

Spam

From: [email protected]: [email protected]

Contoso.mail.onmicrosoft.com

DLP appliance or service

FOPE routes outbound email to smart host for custom mail process or delivery

INTERNET

Mailboxes

Outbound Connector

Value Proposition

• Use data leakage protection (DLP) or encryption appliances from third parties
• Perform custom processing or address rewrite
• Maintain “total mail control” during coexistence (inbound and outbound mail is all routed through on-prem server)

Outbound Smart Hosting

contoso.com

Virus*

EXCHANGE ONLINE / ON PREM

*Virus scanning is performed by FPE for O365 tenants

ON PREMISES / HOSTED JOURNAL

Page 39

Choosing mail routing settings in Hybrid setup

Page 40

FOPE

Edge

Policy

From: [email protected]: [email protected]

contoso.com

fabrikam.com

• Inbound mail is filtered by FOPE
• FOPE IP filtering is skipped for trusted domains
• Optionally, skip policy and spam filtering

Mailboxes

Mailboxes

SAFE-LISTED PARTNER

Inbound Connector

Value Proposition

• Reduce the chance of false positives (legitimate email from trusted partner being flagged as spam)

Inbound Safe Listing

Virus*

Spam

*Virus scanning is performed by FPE for O365 tenants

EXCHANGE ONLINE / ON PREM

Page 41

Setting the safe listing configuration on Connectors

Page 42

FOPE

Mail Routing for O365 Hybrid

Page 43

Mail Routing During Migration to O365

Two options for mail routing

MX record pointed to the cloud

MX record pointed on-premises

Why?

• Least disruptive option for most customers.
• Recommended in our documentation for Exchange Online coexistence (Simple and Rich)
• Mail forwarders are auto-configured when a mailbox is moved to the cloud using our tools

Why?

• Customers can stop doing Anti Spam or Mail server blacklist management themselves and reduce dependence on local mail server

How?

• FOPE passes all email to Exchange Online
• User objects route mail to on-prem users

Note: FOPE subscriptions are required for on-premises users

Page 44

Mailboxes

ON-PREMISES

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

Shared Address Space (On-Premises Relay MX Points to On-Prem) - Inbound

• MX points to on premises for initial filtering
• Custom filtering, archival etc. done on-premises
• Cloud mail is re-directed to FOPE where it is filtered
• Delivered to Exchange Online

Inbound

From: [email protected]: [email protected]

contoso.com

Outbound Exchange Send Connector

Inbound FOPE Connector

Virus*

*Virus scanning is performed by FPE for O365 tenants

Contoso.mail.onmicrosoft.com

Page 45

Mailboxes

ON-PREMISES

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

Shared Address Space (On-Premises Relay MX Points to On-Prem) - Outbound

• Hosted mailbox sends mail outbound
• Virus scanning is performed by FPE for Exchange Online mailboxes
• Filtered by FOPE
• Delivered to on-premises
• Custom processing on-premises
• Delivery by on-premises

Outbound

From: [email protected]: [email protected]

contoso.com

Outbound FOPE Connector

Inbound Exchange Receive Connector

Virus*

Contoso.mail.onmicrosoft.com

Page 46

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Virus

Policy

Spam

Mailboxes

ON-PREMISES

Customer Mail Processing/Filtering

Shared Address Space Cross Premises Mailflow – Intra Org

• It is an internal mail
• Custom processing on-premises
• Delivery to FOPE
• Filtering skipped
• Delivery to Exchange Online by FOPE

Intra Org

From: [email protected]: [email protected]

contoso.com

Outbound Exchange Send Connector

Inbound FOPE Connector

Contoso.mail.onmicrosoft.com

Page 47

Mailboxes

ON-PREMISES

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

• MX points to FOPE for spam processing, filtering, and scanning
• Mail is routed to Exchange Online, and if mailbox does not exist in the Exchange Online, mail is routed back to FOPE
• FOPE forwards mail to On-Premise Exchange

Inbound

From: [email protected]: [email protected]

contoso.com

Outbound FOPE Connector

Inbound Exchange Receive Connector

Virus*

Shared Address Space with FOPE Relay (MX Points to FOPE O365) – Inbound

*Migration to FOPE / Office 365

Contoso.mail.onmicrosoft.com

Page 48

Mailboxes

ON-PREMISES

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

Shared Address Space with FOPE Relay (MX Points to FOPE O365) – Outbound

*Migration to FOPE / Office 365

• Scanning by Forefront Protection for Exchange on Microsoft Exchange Online mail hubs
• Delivery to FOPE for scanning
• FOPE delivers to destination
• Mail from On premises routed directly
• Mail from On premises could be routed via FOPE after support call to setup connectors.

Outbound

From: [email protected]: [email protected]

contoso.com

Exchange Send Connector

Virus*

Inbound FOPE Connector

Contoso.mail.onmicrosoft.com

Page 49

Resources

• Admin Center: https://admin.messaging.microsoft.com
• Administrators Guide: http://go.microsoft.com/fwlink/?LinkId=135918
• RSS Subscription Feed: http://rss.messaging.microsoft.com
• FOPE Escalation path and Support SLO: http://go.microsoft.com/fwlink/?LinkId=183846
• Get Help Customer Escalations: http://gethelp/Default.aspx
• Spam submission guide: http://technet.microsoft.com/en-us/library/ff715038.aspx
• Junk mail reporting tool: http://go.microsoft.com/fwlink/?LinkID=214016
• FOPE Setup and Provisioning: http://technet.microsoft.com/en-us/library/ff715252.aspx
• FOPE Service Description: http://www.microsoft.com/download/en/details.aspx?id=26126
• FOPE Support Service Description: http://www.microsoft.com/download/en/details.aspx?id=26803

Page 50

Q&A

Any questions?

[email protected]://nathanwinters.co.uk@nathanwinters

Page 51

Related Content

EXL301 – Archiving in the Cloud with Exchange Online Archiving (EOA)

EXL303 – Configuring Hybrid Exchange the Easy Way

Today – EXL307 – Using a Load balancer in your Exchange 2010 environment

Page 52

Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/

Track Resources

Exchange Team Blog: http://blogs.technet.com/b/exchange/

Exchange TechNet Tech Center: http://technet.microsoft.com/exchange

MEC Website and Registration: http://www.mecisback.com/

Page 54

Resources

Connect. Share. Discuss.

http://europe.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Page 55

Evaluations

http://europe.msteched.com/sessions

Submit your evals online

Page 56

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.