3. email relay fpe

Secure Mail Relay

Upload: fabrizio-volpe

Post on 26-May-2015


DESCRIPTION

3. Email Relay Forefront Protection for Exchange Server. TMG and UAG seminar at Microsoft (Rome)

TRANSCRIPT

Page 1: 3. email relay   fpe

Secure Mail Relay

Page 2: 3. email relay   fpe

Mail protection

Full featured SMTP hygiene

Exchange Edge Transport for SMTP stack

Requires valid license

Integrated with Microsoft® Forefront™ Protection 2010 for Exchange Server

Antimalware, Antispam, Antiphishing

Also supports generic SMTP mail servers

Page 3: 3. email relay   fpe

Advantages of an e-mail policy with Forefront TMG

Protection on the edge saving processing resources, bandwidth, and storage

Integrated management—When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES

Extended management—Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments

Native support for Network Load Balancing (NLB)—Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic

Page 4: 3. email relay   fpe

Features

Protection at the edge

Protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server

Advanced protection and premium antispam

Multiple scan engines to protect against malware and provide a premium antispam solution

Integrated management

Easy management of Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG

Array deployment

Support for managing and load balancing traffic among multiple servers

Page 5: 3. email relay   fpe

Forefront Protection for Exchange and Mail Flow

Mail is received from an external client

Firewall rules are applied

FPE performs its checks at the edge level and applies a "stamp"

Passage from Edge to Hub through the firewall

Further verification of the rules

If FPE is present on the hub, it activates only when no stamp is present

Verification of the AV and anti-malware stamp

Page 6: 3. email relay   fpe

Forefront Protection and Exchange Roles

FPE can be implemented on a single role machine or on a machine that includes three roles

The configuration options that FPE allows you to implement will vary according to the role for which it was implemented

FPE does not support installations on a CAS-only role because there is no workload to protect

NOTE: If you have multiple Exchange servers, you can install and configure FPE on a single Exchange server and later export and import the configuration settings to your other Exchange servers. However, you must install FPE on each separate server before you can import the configuration settings

To export the configuration file to an .xml file:

Export-FseSettings -path c:\ConfigSettings\Export.xml

To export all extended options:

Get-FseExtendedOption -name * >> c:\ConfigSettings\Extended.txt

Page 7: 3. email relay   fpe

Forefront Protection and Exchange Roles

Page 8: 3. email relay   fpe

Forefront Protection Processing Decision

The source analysis performs various tests, such as determining whether the source IP is allowed or if it belongs to a block list

In the protocol analysis, another set of tests, such as a test to determine whether the sender is listed as allowed or blocked, is performed

Next, the content analysis will determine whether there is any anomaly on the email body that matches any configured policies

The user also has a direct influence on the message’s acceptance, based on the local rules created in Outlook

Page 9: 3. email relay   fpe

Centralized administration interface

Page 10: 3. email relay   fpe

The components

Page 11: 3. email relay   fpe

The components

Microsoft Products

Forefront Protection 2010 for Exchange Server

Microsoft® Exchange Server® 2007 (or 2010) Edge Transport

Forefront Threat Management Gateway

Windows Server® 2008 x64

Page 12: 3. email relay   fpe

Features

Feature

Exchange Edge Role

FPE 2010

Filter

IP Allow / Block Lists

Connection Filter

IP Allow / Block List Providers

(custom) (FF DNSBL)

Sender / Recipient Filtering, Sender ID

Protocol Filter

Sender Reputation

Content Filter

Basic Content Filtering

(SmartScreen)

Premium Antispam (Cloudmark)

File Filtering

Message Body Filtering

Antivirus and Antispyware

Forefront TMG cannot manage Subject Line, Sender-Domain, or Allowed Senders in FPE

Page 13: 3. email relay   fpe

Configuring SMTP protection

Page 14: 3. email relay   fpe

Installation

In each member of the Forefront TMG array:

• Install Active Directory® Lightweight Directory Services (AD LDS)

• Install Exchange Server 2007 SP1 (or 2010) Edge Transport role

• Install Forefront Protection 2010 for Exchange Server

• Install Forefront Threat Management Gateway 2010

Page 15: 3. email relay   fpe

Detail: Edge Transport Server installation

• Install the prerequisite software: open the \Scripts directory on the installation media and enter the following command

ServerManagerCmd.exe -InputPath Exchange-Edge.XML

• Install the Edge Transport Server

• Configure the EdgeSync Service: open an Exchange Management Shell and enter the following command

New-EdgeSubscription -FileName C:\Edge-TMG.XML

• Copy the Edge-TMG.XML file to the internal Hub Transport Server and import it there: open an Exchange Management Shell and enter the following commands:

$Temp = Get-Content -Path "C:\Edge-TMG.xml" -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $Temp -Site "Default-First-Site"
Start-EdgeSynchronization

Page 16: 3. email relay   fpe

Detail: Forefront Protection for Exchange installation

Choosing to Enable Antispam now will disable Exchange’s content filtering agent, if it is currently enabled. Uninstalling FPE will not re-enable Exchange’s content filtering agent; re-enabling the filtering agent must be done manually

Page 17: 3. email relay   fpe

Configuration

Run e-mail policy wizard

• Configure SMTP routes

• Configure spam filtering

• Configure virus and content filtering

Enable and configure EdgeSync

Page 18: 3. email relay   fpe

E-Mail Policy Wizard

Set the internal server and the domains for which you are authoritative

Almost every option is configured for you without additional configuration, all but content filtering: do not go below 6 in content filtering or most of the e-mails will be blocked

Page 19: 3. email relay   fpe

Note: exceptions to HTTPS inspection

Page 20: 3. email relay   fpe

Creating SMTP Routes

Defines how Forefront TMG routes traffic from and to the organization's SMTP servers

At least two routes are required:

• Internal_Mail_Servers defines the IP addresses and SMTP domains of the internal mail servers

• External_Mail_Servers defines which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail

Each SMTP route has an e-mail listener which responds to mail requests from permitted IP addresses and networks.

Page 21: 3. email relay   fpe

Creating routes

[Diagram labels: External Network; TMG Filter Driver; Network Inspection System (NIS); Exchange Edge Role with Receive Connector and Send Connector; Forefront Security for Exchange (FSE) with Multi-layer Filters and Anti-virus Engines; Internal Network]

Page 22: 3. email relay   fpe

Spam Filtering

The anti-spam solution on FPE is composed of four major detection pillars:

• Source

• Protocol

• Content

• Client analysis

To configure these options, under the Antispam option, click Configure. You can run the Windows PowerShell command Set-FseSpamFiltering -enabled $true on the Forefront Management Shell to enable the Antispam feature. This process requires you to restart the Microsoft Exchange Transport service. Another way to enable the Antispam feature is by clicking Enable Antispam Filtering

Page 23: 3. email relay   fpe

Configuring Spam Filtering

Defines spam filtering policy

Connection-level filtering: IP Allow List, IP Allow List Providers, IP Block List, Block List Providers

Protocol-level filtering: Configuring Recipient Filtering, Configuring Sender Filtering, Configuring Sender ID, Configuring Sender Reputation

Content-level filtering

Page 24: 3. email relay   fpe

Spam Filtering

Connection-level Filtering

Page 25: 3. email relay   fpe

Spam Filtering - IP Allow List

The IP Allow List allows you to add one or more IP addresses that are considered trusted and should always be allowed to send e-mail. You can use this option, for example, in a scenario where you have partners that you want to treat as trusted sources of e-mail and therefore allow to send e-mail without passing through the normal SMTP filters. This feature is enabled by default on the Spam Filtering tab

Page 26: 3. email relay   fpe

Spam Filtering - IP Allow List Providers

You can use the IP Allow List Providers dialog box to maintain a list of IP addresses that are known to not be associated with any type of spam activity.

The IP Allow List Providers feature is also referred to as safe list services.

This feature is enabled by default on the Spam Filtering tab.

Page 27: 3. email relay   fpe

Spam Filtering - IP Block List

In contrast with the IP Allow List, the IP Block List allows you to add one or more IP addresses that should never be allowed to establish an SMTP connection with TMG.

You want to block these IP addresses during the connect phase (the initial attempt to establish the SMTP connection)

Page 28: 3. email relay   fpe

Spam Filtering - IP Block List Providers

You have the capability to add the providers that are known (or suspected) to send spam.

This option is enabled by default and you can change the status in the Status drop-down box

Page 29: 3. email relay   fpe

Spam Filtering

Protocol-level Filtering

Page 30: 3. email relay   fpe

Spam Filtering - Recipient Filtering

In the Recipient Filtering dialog box, you can specify a list of e-mail addresses or a distribution list that would like to receive e-mails from outside your organization. It is very common within an organization to have some distribution lists that are used regularly and that you might want to prevent from receiving e-mail from the Internet.

Page 31: 3. email relay   fpe

Spam Filtering - Sender Filtering

If you learn of a specific e-mail address that is sending lots of spam to your organization and you want to block that source e-mail address from sending messages, you can use the Sender Filtering feature

1. Click the Block Senders tab and notice that by default there is already a filter to block

2. Click Add, and then add the e-mail address

3. Click OK. Click Add again and then specify the domain that you want to block

4.

5. Click the Action tab to specify the action to be taken when a message contains one of the senders specified in the Block Senders list

Page 32: 3. email relay   fpe

Spam Filtering - Sender ID

The Sender ID feature works by verifying that the source of the message is the organization it claims to be. Sender ID checks the IP address of the sending server against a registered list of servers that the domain owner has authorized to send e-mail.
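The check described above can be modelled offline. The following is an added example, not code from the original slides or from Microsoft: it evaluates a sending server's IP address against the ip4/ip6 entries of a sender policy record that has already been retrieved from DNS. The function name `check_sender`, the sample record and the documentation-range addresses are constructed for illustration; mechanisms that need further DNS lookups are deliberately not evaluated.

```python
import ipaddress

# Constructed sample record, as a domain owner might publish it in a DNS TXT record.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 ~all"

# Qualifier prefix of a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(record, client_ip):
    """Evaluate client_ip against the literal IP mechanisms of a policy record.

    Terms are read left to right and the first match decides the result.
    Returns "none" when the text is not a policy record at all.
    """
    terms = record.split()
    version = terms[0].lower() if terms else ""
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # include, a, mx, redirect and similar terms need DNS lookups.
        raise NotImplementedError(f"term '{term}' is not evaluated offline")
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    for address in ("192.0.2.77", "2001:db8::1", "203.0.113.9"):
        print(address, check_sender(SAMPLE_RECORD, address))
```

A "softfail" or "fail" result is what tells the filter that the connecting server is not on the domain owner's authorized list.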

Page 33: 3. email relay   fpe

Spam Filtering

Content-level Filtering

Page 34: 3. email relay   fpe

Spam Filtering - Content-level Filtering

Delete Messages That Have A SCL Rating Greater Than Or Equal To

The message is deleted and the sending server is not notified of the message deletion

Exchange Edge Transport Server (installed on the TMG computer) accepts and then deletes the message

Because the sending server understands that the message was accepted, the sending server doesn’t retry sending the message in the same session

Reject Messages That Have A SCL Rating Greater Than Or Equal To

This option rejects the message by sending one of several SMTP negative responses to the sending server

Quarantine Messages That Have A SCL Rating Greater Than Or Equal To

When using this option you need to specify a mailbox to hold the quarantined e-mail. You must have the mailbox account already created prior to configuring this option. In other words, this option does not create a mailbox for quarantine; it can only use an existing mailbox.

The numbers that are configured beside each of those options have a range from 0 to 9, where 9 indicates that the e-mail is very likely to be spam and 0 indicates that the e-mail is least likely to be spam. Notice that by default all options are dimmed, but if you select any of those check boxes the option will be enabled. For this example leave all these settings at their default values and click OK to close the dialog box
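To make the interaction of the three thresholds concrete, here is an added example (not part of the original slides and not Forefront or Exchange code) that models the delete, reject and quarantine options, checks a policy for mistakes before it is applied, and reports what the sending server observes for a given SCL rating. The class `SclPolicy`, its field names and the sample mailbox are hypothetical; it assumes the most severe action whose threshold is met wins, and it reuses the "do not go below 6" advice given earlier for the wizard.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SclPolicy:
    """Hypothetical model of the three SCL check boxes; None = option dimmed."""
    delete_at: Optional[int] = None
    reject_at: Optional[int] = None
    quarantine_at: Optional[int] = None
    quarantine_mailbox: Optional[str] = None  # must already exist

    def _levels(self):
        return [("delete", self.delete_at), ("reject", self.reject_at),
                ("quarantine", self.quarantine_at)]

    def problems(self):
        """List configuration findings worth fixing before the policy is applied."""
        found = []
        for name, value in self._levels():
            if value is None:
                continue
            if not 0 <= value <= 9:
                found.append(f"{name}: threshold {value} is outside 0-9")
            elif value < 6:
                found.append(f"{name}: threshold {value} is below 6")
        if self.quarantine_at is not None and not self.quarantine_mailbox:
            found.append("quarantine: no existing mailbox specified")
        enabled = [v for _, v in self._levels() if v is not None]
        if any(a <= b for a, b in zip(enabled, enabled[1:])):
            found.append("order: expected delete > reject > quarantine")
        return found

    def disposition(self, scl):
        """Return (action, sender's view); assumed precedence: delete, reject, quarantine."""
        if self.delete_at is not None and scl >= self.delete_at:
            return "delete", "message accepted, then dropped silently"
        if self.reject_at is not None and scl >= self.reject_at:
            return "reject", "negative SMTP response"
        if self.quarantine_at is not None and scl >= self.quarantine_at:
            return "quarantine", f"message accepted, stored in {self.quarantine_mailbox}"
        return "deliver", "message accepted and relayed inward"


# Constructed sample policies; the mailbox address is a placeholder.
GOOD = SclPolicy(delete_at=9, reject_at=7, quarantine_at=6,
                 quarantine_mailbox="spam-quarantine@example.test")
BAD = SclPolicy(delete_at=5, quarantine_at=7)

if __name__ == "__main__":
    print(GOOD.problems(), BAD.problems(), GOOD.disposition(8))
```

Only the reject action is visible to the sender; delete and quarantine both look like a successful delivery from the outside, which matters when troubleshooting missing mail.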

Page 35: 3. email relay   fpe

Virus and Content Filtering

Configures antivirus, file attachment, and message body filtering

• Virus filter – Engine selection policy and remediation actions

• File filters – Unwanted file attachments based on file type, filename, and prefix

• Message body filters – Identify unwanted e-mail messages by applying keyword lists to the contents of the message body

Page 36: 3. email relay   fpe

Virus and Content Filtering

Page 37: 3. email relay   fpe

Virus and Content Filtering - Configuration

On the Engines tab you can select up to five engines that will be used for transport scanning (inbound and outbound messages)

You can also select how the engines will be used to scan the messages by selecting one of the following options:

• Always Scan With All Selected Engines: Using this option Forefront Protection 2010 for Exchange Server queues messages for scanning if any of the selected engines becomes busy, such as during signature updates or heavy e-mail traffic times.

• Scan With The Subset Of Selected Engines Which Are Available: This option scans using all selected engines. Scans alternate between engines when one of the selected engines is busy.

• Scan With A Dynamically Chosen Subset Of Selected Engines: Using this option Forefront Protection 2010 for Exchange Server heuristically chooses from the selected engines, based on recent results and statistical projections.

• Scan With Only One Of The Selected Engines: Using this option only one of the selected engines listed in this dialog box is used to scan any single object.

Note: When selecting multiple engines it is important to consider performance and sizing of the server. CPU utilization can increase 20 to 40 percent depending on bias and engines.