Microsoft Forefront Online Protection for Exchange and Microsoft Office 365: Better Together!
Harpreet Singh Juneja Sridhar Chandrashekar
SIM331
Agenda
• FOPE in Office 365 Beta, An Overview
• FOPE Admin Center integration in Exchange Control Panel
• Junk Mail Management Options
• FOPE Connectors to control mail flow E2E
Session Objective:
• Understand FOPE effectiveness, reliability and robustness
• FOPE Admin Center is a powerful tool for Office 365 customers
• FOPE Connectors provide remarkable flexibility in email routing
Forefront Online Protection for Exchange
High-accuracy spam filtering
Multiple virus-scanning engines
Hub Transport Mailbox
External Email
About 90% of email is junk
Tuned for enterprise email
Included with Exchange Online subscription
Built-in protection for Exchange Online customers
SPAM Protection
Safe senders
FOPE Inbound Filtering
Spam Prevention
If server down, e-mail queued for up to 5 days
E-mail enters the global data center network – MX (mail.messaging.microsoft.com)
Directory Services
SPAM prevention
IP Reputation based Filtering
Reputation database
Mail addressed to non-existent users is rejected
Mail from IP spammers is blocked
Look up e-mail filtering settings for domain
Virus Scanning
Kaspersky
Symantec
Authentium
Policy Enforcement
Custom Policy Rules
Attachment and message attribute management
Custom Spam Filter management
Rules Based Scoring
Fingerprint Engines
Content and Policy Quarantine
SPAM Quarantine
E-mail server available?
Delivered in a flow-controlled fashion when server is available
Queue
Mailbox
Store
SMTP Reject: 5xx
Spam Analysts
Customer Feedback
False +ve / -ve
Sync
FOPE Outbound Filtering
Look up e-mail filtering settings for domain
Virus Scanning
Kaspersky
Symantec
Authentium
Policy Enforcement
Custom Policy Rules
Attachment and message attribute management
SPAM Protection
Custom Spam Filter management
Rules Based Scoring
Fingerprint Engine
Content and Policy Quarantine
Mail Server
Spam Analysts
High Risk Delivery Pool
Score > 300
Outbound Pool
Score < 300
SEWR
Safe senders
FOPE Service Level Agreement (SLAs)
FOPE SLA related to mail hygiene added to the current Exchange Online SLA
Filtering Network Performance
• Rapid Email Delivery (average delivery commitment of less than 1 minute)
• Network Uptime: > 99.999%
Spam and Virus Filtering Effectiveness
• Known Virus Protection: 100%
• Spam Detection: > 98%
• False Positive Ratio: < 1:250,000
FOPE Admin Center
Provides Office 365 customers with a new level of control
• Run real-time reports
• Configure policy filtering
• Perform message tracking
• Customize spam settings
Office 365 customers can access FOPE Admin Center
When to use Admin Center vs. the Exchange Control Panel
Use FOPE Admin Center for these tasks
• Domain Management
– Filtering Only customers
• Message Trace
– Outside your organization
• Transport rules to control mail hygiene and corresponding mail delivery
– Configure org-wide safe/blocked senders
– Configure granular anti-spam settings
• View reports on email hygiene
• Configure and Control End to End Email Flow
– Configure Connectors
Use Exchange Control Panel for these tasks
• Domain Management
– Office 365 customers (Hosted Email)
• Message Trace
– Within your organization
• Transport rules to control email delivery
• Configure journaling of emails to external archive
Permissions Mapping
Permissions mapping between Exchange Online and FOPE
Exchange Online Console | FOPE Admin Center
Billing Administrator | No access
Global Administrator | Full Admin privileges
Password Administrator | Admin Read-only privileges
Service Administrator | No access
User Management Administrator | No access
Setting | Outlook/OWA junk mail | FOPE Spam Quarantine
Where does suspect spam go? | Outlook junk mail folder (default) | FOPE Quarantine
Spam quarantine notifications | None | Every 3 days (daily when Recipient filtering ON)
Personal block sender list | Configured in Outlook | Not available
Personal safe sender list | Configured in Outlook | Not available
Junk Mail Management
Two additional configurations can be done in FOPE:
• Spam Redirection
• Subject Modification
Default
Direct access to Junk Mail folder
Block/allow senders directly within message
Manage safe/block sender lists directly in Outlook or Outlook Web App
• Default approach: users manage junk mail in Outlook/OWA
Junk Mail Management in Office 365 Exchange Online
• FOPE quarantine can be used instead of the integrated Outlook experience
• Admins will have SSO access to Quarantine
Junk Mail Management (cont.)
Flexibility to use FOPE Spam Quarantine
Outbound Connector (controls email sent from your domain)
Inbound Connector (controls email sent to your domain)
Connection Security Filtering
Source IP
Source Domain
Reject non Source IP
Opportunistic TLS Forced TLS SpamConnection Policy
Connection Security Delivery
Opportunistic TLS Forced TLS Smart host MX
Destination domain
FOPE Connector Architecture
FOPE Connectors: Flexibility and control in mail routing
Route outbound email through on-premises servers or DLP appliances
Force TLS for secure B2B communication
Bypass spam filters for trusted partners
And much, much more…
All external recipients
Contoso.com
DLP appliance
Outbound smart host
Forced TLS
Inbound safe listing
nwtraders.com
litware.com
FOPE
Edge
Policy
Spam
From: [email protected]: [email protected]
Contoso.com
DLP appliance or service
Outbound Smart Host Scenario
FOPE routes outbound email to smart host for custom mail process or delivery
Virus scanning is performed by FPE for Exchange Online mailboxes
Internet
Service.contoso.com
Mailboxes
Outbound Connector
Value Proposition
• Use DLP or encryption appliances from third parties
• Perform custom processing or address rewrite
• Maintain “total mail control” during coexistence (inbound and outbound mail is all routed through on-prem server)
Virus*
EXCHANGE ONLINE
Edge
Policy
From: [email protected]: [email protected]
Inbound Safe Listing Scenario
• Inbound mail is filtered by FOPE
• IP filtering is skipped for trusted domains
• Optionally, also skip spam and policy filtering
• Virus scanning is performed by FPE for Exchange Online mailboxes
Contoso.com
Mailboxes
Fabrikam.com
Mailboxes
Safe-listed Partner
Inbound Connector
Value Proposition
Reduce the chance of false positives (legitimate email from trusted partner being flagged as spam)
Virus*
Spam
FOPE
woodgrovebank.com
Mailboxes
Business Partner
FOPE
Edge
Policy
Spam
Opportunistic TLS is on by default for Office 365 customers (no action is required to enable it)
Forced TLS Scenario
• TLS can be forced for inbound connections, outbound connections, or both
• FOPE attempts to set up a TLS connection
• If TLS cannot be established, email is not sent/received
• Virus scanning is performed by FPE for Exchange Online mailboxes
Forced TLS can be configured using the methods shown here
Contoso.com
Mailboxes
Outbound Connector
Inbound Connector
Value Proposition
• Maintain secure and trusted communication channel with partners
• Avoid email interception/eavesdropping
Virus*
EXCHANGE ONLINE
How to configure FOPE Connectors
http://technet.microsoft.com/en-us/library/gg430178.aspx
• Docs and video tutorials available on TechNet
Inbound FOPE Connector
• Inbound connectors apply to inbound mail
• This connector shows the “Forced TLS Scenario”: incoming messages from fabrikam.com will be secured with TLS
Outbound FOPE Connector
• Outbound connectors apply to outbound mail
• This connector shows the “Outbound Smart Host Scenario”: all outgoing mail will be routed to Contoso’s on-premises mail servers for additional processing
FOPE Connector Reporting
• Viewing Information About FOPE Connectors
• View connector information in reports, using the My Reports tab
• Trace connector activity by viewing the Message Trace Summary page
Two options for mail routing
MX record pointed to the cloud
MX record pointed on-premises
• Why? Least disruptive option for most customers
• Recommended in our documentation for Exchange Online coexistence (Simple and Rich)
• Mail forwarders are auto-configured when a mailbox is moved to the cloud using our tools
• “Shared Address Space with On-Premises Relay”
• Why? Customers can stop doing AV/AS themselves and reduce dependence on local mail server
• How?
• FOPE passes all email to Exchange Online
• Mail-enabled users route email to on-prem users
• FOPE subscriptions are required for on-premises users
• “Shared Address Space with FOPE Relay”
Message and Recipient Limits
Key limits to know
• FOPE and Exchange Online enforce limits in order to:
– Prevent spammers from using the platform as a spam factory
– Ensure rapid mail delivery times and service health
• Exchange Online has limits that are more restrictive than FOPE
Limit | Details | Notes
Maximum message size | 25 MB; 2 MB for large distribution groups (5000+ recipients) | These limits cannot be raised. Customer can reduce maximum attachment size, using transport rules
Recipient limits | 500 recipients per message; 1500 recipients per day | A shared distribution group counts as 1 recipient. Enforced based on a hidden counter in the mailbox
Message rate | 30 messages per minute | Okay to submit messages at faster rate, but system will change rate of delivery
Business Ready Security Demo 4.0i
BRS 4.0i
• New! FPSMC RTW Included
• New! FPSMC HOL
• New! FPE/FPSP Rollup Updates
• End to end demo environment
• All Identity and Security Solutions/Technologies
• 7 GB size zipped/installer package
• Demo scripts/architecture overview documentation provided
• Available as download
http://go.microsoft.com/fwlink/?LinkId=190269
Distribution List: [email protected]
Related Content
Breakout Sessions
• SIM 309 - Microsoft Forefront Online Protection for Exchange Advanced Routing Scenarios Deep Dive
• SIM 326 - Microsoft Forefront End-to-End Protection for Information Worker Business
• SIM 333 - Centralized Management of Anti-Malware/Anti-Spam Using Microsoft Forefront Protection Server Management Console
• SIM 334 - Microsoft Forefront Online Protection for Exchange Deep Dive
Find Me Later At… [email protected]
Interactive Sessions (SIM378-INT, Microsoft Forefront Online Protection for Exchange and Microsoft Office 365 Demos)
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
Sessions On-Demand & Community - www.microsoft.com/teched
Microsoft Certification & Training Resources - www.microsoft.com/learning
Resources for IT Professionals - http://microsoft.com/technet
Resources for Developers - http://microsoft.com/msdn
Learning
http://northamerica.msteched.com
Connect. Share. Discuss.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Business Ready Security Demo 4.0i (cont.)
Solution Scenarios
Secure Messaging
• Seamless, secure access through Unified Access Gateway (UAG)
• Automatically control confidential email with built-in information protection
• Protect Exchange with multiple best-in-class anti-malware engines using FPE
• Centralized management experience with FPSMC
• Outlook Web Access 2010 integration with AD RMS
• Outlook 2010 automatic protection
Secure Collaboration Solution
• Secure collaboration by using AD FS and AD RMS (for Partner employees)
• Protect your collaboration portal from malware infection using FPSP
• Centralized management experience with FPSMC
• Secure collaboration by using UAG (for Internal employees)
Secure Desktop Solution
• Advanced threat protection with Forefront TMG 2010
• Malware protection when not connecting to the company network
• Malware protection using FEP
• FEP Deployment and Management using SSCM
• Direct Access with Unified Access Gateway (UAG)
Information Protection Solution
• Protecting data-in-motion with Exchange 2010 and AD RMS
• Protecting data-at-rest with SharePoint 2007, AD FS and AD RMS
• Protecting data-at-rest with File Classification Infrastructure (FCI) and AD RMS
Identity and Access Management Solution
• Group management with FIM 2010 and Outlook
• Self-service password reset with FIM 2010
Links & Resources
Forefront Site http://www.microsoft.com/forefront/
Forefront on TechNet Library http://technet.microsoft.com/en-us/library/ff684056.aspx
Forefront Videos on TechNet Edge http://technet.microsoft.com/en-us/edge/ff832960.aspx?category=Forefront
Understanding Terminology
FOPE/Exchange documentation says | What this means in layman’s terms
“Outbound Smart Host” | Route outbound mail through a DLP device
“Regulated partner with forced TLS” | Forced TLS
“Inbound safe listing” | Bypass spam filtering for domains I trust
“Shared address space with on-premises relay” | Coexistence: Customer’s MX record is pointed on-premises
“Shared Address Space with Cloud Relay” | Coexistence: Customers’ MX record is pointed to the cloud (virtual domains method)
http://technet.microsoft.com/en-us/library/gg430178.aspx
http://help.outlook.com/en-us/beta/Dd775210.aspx
FOPE
Edge
Virus
Policy
Spam
EXCHANGE ONLINE
Mailboxes
INTERNET
• Mail is sent outbound
• Virus scanning is performed by FPE on Exchange Online servers
• FOPE filters as outbound
• FOPE delivers to Internet
Fully hosted: Inbound and Outbound
• Contoso signs up for Exchange Online
• Exchange Online has provisioned tenant in FOPE
• Mail sent to FOPE
• FOPE filters inbound mail
• Virus scanning is performed by FPE on Exchange Online servers
• Mail is delivered to the recipient’s mailbox
Inbound
From: [email protected]: [email protected]
Outbound
From: [email protected]: [email protected]
contoso.com
Mailboxes
On-Premises Exchange
Customer Mail Processing/Filtering
EXCHANGE ONLINE
Mailboxes
FOPE
Edge
Policy
Spam
INTERNET
Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE) - Inbound
• MX points to FOPE for spam processing, filtering, and scanning
• Mail is routed to on-premises server, and if mailbox does not exist on-premises, mail is routed back to FOPE
• FOPE forwards mail to hosted mailbox
• Virus scanning is performed by FPE for Exchange Online mailboxes
Inbound
From: [email protected]: [email protected]
service.contoso.com
contoso.com
Inbound FOPE Connector
Inbound Exchange Receive Connector
Outbound Exchange Send Connector
Virus*
Mailboxes
On-Premises Exchange
Customer Mail Processing/Filtering
EXCHANGE ONLINE
Mailboxes
FOPE
Edge
Policy
Spam
INTERNET
Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE) - Outbound
• Scanning by Forefront Protection for Exchange on Microsoft Exchange Online mail hubs
• Delivery to FOPE for scanning
• Delivered to on-premises Exchange server
• Custom processing on premises
• Outbound delivery to FOPE
• Delivery to Internet
Outbound
From: [email protected]: [email protected]
service.contoso.com
contoso.com
Outbound Exchange Send Connector
Outbound FOPE Connector
Inbound Exchange Receive Connector
Virus*
Mailboxes
On-Premises Exchange
Customer Mail Processing/Filtering
EXCHANGE ONLINE
Mailboxes
FOPE
Edge
Virus
Policy
Spam
Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE) – Intra-Org
• Hosted mailbox sends mail outbound
• Delivery to FOPE (virus scanning disabled by default; policy rules dependent on customer configuration)
• Delivery to on-premises mailbox
Outbound
From: [email protected]: [email protected]
service.contoso.com
contoso.com
Outbound Exchange Send Connector
Outbound FOPE Connector
Inbound Exchange Receive Connector
Inbound FOPE Connector
Mailboxes
On-Premises
Customer Mail Processing/Filtering
EXCHANGE ONLINE
Mailboxes
FOPE
Edge
Policy
Spam
INTERNET
Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) - Inbound
• MX points to on-premises for initial filtering
• Custom filtering, archival etc. done on-premises
• Cloud mail is re-directed to FOPE where it is filtered
• Delivered to Exchange Online
• Virus scanning is performed by FPE for Exchange Online mailboxes
Inbound
From: [email protected]: [email protected]
service.contoso.com
contoso.com
Outbound Exchange Connector
Inbound FOPE Connector
Virus*
Mailboxes
On-Premises
Customer Mail Processing/Filtering
EXCHANGE ONLINE
Mailboxes
FOPE
Edge
Policy
Spam
INTERNET
Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) - Outbound
• Hosted mailbox sends mail outbound
• Virus scanning is performed by FPE for Exchange Online mailboxes
• Filtered by FOPE
• Delivered to on-premises
• Custom processing on-premises
• Delivery by on-premises
Outbound
From: [email protected]: [email protected]
service.contoso.com
contoso.com
Outbound FOPE Connector
Inbound Exchange Connector
Virus*
EXCHANGE ONLINE
Mailboxes
FOPE
Edge
Virus
Policy
Spam
Mailboxes
On-Premises
Customer Mail Processing/Filtering
Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) – Intra Org
• MX points to on-premises for initial filtering
• Custom processing on-premises
• Delivery to FOPE; filtering skipped
• Delivery to Exchange Online by FOPE
Intra Org
From: [email protected]: [email protected]
service.contoso.com
contoso.com
Outbound Exchange Connector
Inbound FOPE Connector