
Upload: myles-sherman

Post on 24-Dec-2015


Microsoft Forefront Online Protection for Exchange and Microsoft Office 365: Better Together!

Harpreet Singh Juneja Sridhar Chandrashekar

SIM331

Agenda

• FOPE in Office 365 Beta, An Overview
• FOPE Admin Center integration in Exchange Control Panel
• Junk Mail Management Options
• FOPE Connectors to control mail flow E2E

Session Objective:
• Understand FOPE effectiveness, reliability and robustness
• FOPE Admin Center is a powerful tool for Office 365 customers
• FOPE Connectors provide remarkable flexibility in email routing


Forefront Online Protection for Exchange

High-accuracy spam filtering

Multiple virus-scanning engines

Hub Transport Mailbox

External Email

About 90% of email is junk

Tuned for enterprise email

Included with Exchange Online subscription

Built-in protection for Exchange Online customers

SPAM Protection

Safe senders

FOPE Inbound Filtering

Spam Prevention

If server down, e-mail queued for up to 5 days

E-mail enters the global data center network – MX (mail.messaging.microsoft.com)

Directory Services

SPAM prevention

IP Reputation based Filtering

Reputation database

Mail addressed to non-existent users is rejected

Mail from IP spammers is blocked

Look up e-mail filtering settings for domain

Virus Scanning

Kaspersky

Symantec

Authentium

Policy Enforcement

Custom Policy Rules

Attachment and message attribute management

Custom Spam Filter management

Rules Based Scoring

Fingerprint Engines

Content and Policy Quarantine

SPAM Quarantine


E-mail server available?

Delivered in a flow-controlled fashion when server is available

Queue

Mailbox

Store


SMTP Reject: 5xx

Spam Analysts

Customer Feedback

False +ve / -ve

Sync

FOPE Outbound Filtering

Look up e-mail filtering settings for domain

Virus Scanning

Kaspersky

Symantec

Authentium

Policy Enforcement

Custom Policy Rules

Attachment and message attribute management

SPAM Protection

Custom Spam Filter management

Rules Based Scoring

Fingerprint Engine

Content and Policy Quarantine

Mail Server

Spam Analysts

High Risk Delivery Pool

Score > 300

Outbound Pool

Score < 300

SEWR

Safe senders

FOPE Service Level Agreement (SLAs)

FOPE SLA related to mail hygiene added to the current Exchange Online SLA

Filtering Network Performance
• Rapid Email Delivery (average delivery commitment of less than 1 minute)
• Network Uptime: > 99.999%

Spam and Virus Filtering Effectiveness
• Known Virus Protection: 100%
• Spam Detection: > 98%
• False Positive Ratio: < 1:250,000


FOPE Admin Center

Provides Office 365 customers with a new level of control

• Run real-time reports
• Configure policy filtering
• Perform message tracking
• Customize spam settings

Office 365 customers can access FOPE Admin Center

FOPE Admin Center

DEMO

When to use Admin Center vs. the Exchange Control Panel

Use FOPE Admin Center for these tasks

• Domain Management
– Filtering Only customers
• Message Trace
– Outside your organization
• Transport rules to control mail hygiene and corresponding mail delivery
– Configure org-wide safe/blocked senders
– Configure granular anti-spam settings
• View reports on email hygiene
• Configure and Control End to End Email Flow
– Configure Connectors

Use Exchange Control Panel for these tasks

• Domain Management
– Office 365 customers (Hosted Email)
• Message Trace
– Within your organization
• Transport rules to control email delivery
• Configure journaling of emails to external archive

Permissions Mapping

Permissions mapping between Exchange Online and FOPE

Exchange Online Console | FOPE Admin Center
Billing Administrator | No access
Global Administrator | Full Admin privileges
Password Administrator | Admin Read-only privileges
Service Administrator | No access
User Management Administrator | No access

FOPE Single Sign-On



Junk Mail Management

Option | Outlook/OWA junk mail | FOPE Spam Quarantine
Where does suspect spam go? | Outlook junk mail folder (default) | FOPE Quarantine
Spam quarantine notifications | None | Every 3 days (daily when Recipient filtering ON)
Personal block sender list | Configured in Outlook | Not available
Personal safe sender list | Configured in Outlook | Not available

Two additional configurations can be done in FOPE:
• Spam Redirection
• Subject Modification

Default

Direct access to Junk Mail folder

Block/allow senders directly within message

Manage safe/block sender lists directly in Outlook or Outlook Web App

• Default approach: users manage junk mail in Outlook/OWA

Junk Mail Management in Office 365 Exchange Online

• FOPE quarantine can be used instead of the integrated Outlook experience

• Admins will have SSO access to Quarantine

Junk Mail Management (cont.)

Flexibility to use FOPE Spam Quarantine


Outbound Connector (controls email sent from your domain)

Inbound Connector (controls email sent to your domain)

Connection Security Filtering

Source IP, Source Domain

Reject non Source IP

Opportunistic TLS, Forced TLS, Spam, Connection, Policy

Connection Security Delivery

Opportunistic TLS, Forced TLS, Smart host, MX, Destination domain

FOPE Connector Architecture

FOPE Connectors: Flexibility and control in mail routing

Route outbound email through on-premises servers or DLP appliances

Force TLS for secure B2B communication

Bypass spam filters for trusted partners

And much, much more…

All external recipients

Contoso.com

DLP appliance

Outbound smart host

Forced TLS

Inbound safe listing

nwtraders.com

litware.com

FOPE

Edge

Policy

Spam

From: [email protected] To: [email protected]

Contoso.com

DLP appliance or service

Outbound Smart Host Scenario

FOPE routes outbound email to smart host for custom mail process or delivery

Virus scanning is performed by FPE for Exchange Online mailboxes

Internet

Service.contoso.com

Mailboxes

Outbound Connector

Value Proposition
• Use DLP or encryption appliances from third parties
• Perform custom processing or address rewrite
• Maintain “total mail control” during coexistence (inbound and outbound mail is all routed through on-prem server)

Virus*

EXCHANGE ONLINE

Edge

Policy

From: [email protected] To: [email protected]

Inbound Safe Listing Scenario

• Inbound mail is filtered by FOPE
• IP filtering is skipped for trusted domains
• Optionally, also skip spam and policy filtering
• Virus scanning is performed by FPE for Exchange Online mailboxes

Contoso.com

Mailboxes

Fabrikam.com

Mailboxes

Safe-listed Partner

Inbound Connector

Value Proposition

Reduce the chance of false positives (legitimate email from trusted partner being flagged as spam)

Virus*

Spam

FOPE

woodgrovebank.com

Mailboxes

Business Partner

FOPE

Edge

Policy

Spam

Opportunistic TLS is on by default for Office 365 customers (no action is required to enable it)

Forced TLS Scenario

• TLS can be forced for inbound connections, outbound connections, or both
• FOPE attempts to set up a TLS connection
• If TLS cannot be established, email is not sent/received
• Virus scanning is performed by FPE for Exchange Online mailboxes

Forced TLS can be configured using the methods shown here

Contoso.com

Mailboxes

Outbound Connector

Inbound Connector

Value Proposition
• Maintain secure and trusted communication channel with partners
• Avoid email interception/eavesdropping
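
The difference between opportunistic and forced TLS when the peer does not offer STARTTLS, modelled as an added example (not from the presentation, and not FOPE's own code). The EHLO replies and the host name are constructed samples, and the function and policy names are hypothetical.

```python
OPPORTUNISTIC = "opportunistic"  # use TLS when offered, otherwise send in clear
FORCED = "forced"                # require TLS, otherwise do not send

# Constructed EHLO replies (RFC 5321 multiline format), not captured traffic.
EHLO_WITH_TLS = (
    "250-mail.fabrikam.example Hello\r\n"
    "250-SIZE 26214400\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Same peer without the STARTTLS line: TLS disabled on the partner's server,
# or the capability removed somewhere on the path.
EHLO_WITHOUT_TLS = (
    "250-mail.fabrikam.example Hello\r\n"
    "250-SIZE 26214400\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply):
    """Return the extension keywords advertised in an EHLO reply."""
    extensions = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index > 0 and rest.strip():  # line 0 is the greeting
            extensions.add(rest.split()[0].upper())
    return extensions


def delivery_decision(policy, ehlo_reply, handshake_ok=True):
    """Return "send-encrypted", "send-cleartext" or "do-not-send".

    handshake_ok models whether the TLS handshake succeeds after STARTTLS.
    """
    if policy not in (OPPORTUNISTIC, FORCED):
        raise ValueError(f"unknown policy: {policy!r}")
    offers_tls = "STARTTLS" in parse_ehlo_extensions(ehlo_reply)
    if offers_tls and handshake_ok:
        return "send-encrypted"
    if policy == FORCED:
        return "do-not-send"  # fail closed: no TLS, no mail on this connection
    return "send-cleartext"   # opportunistic TLS falls back silently


if __name__ == "__main__":
    for policy in (OPPORTUNISTIC, FORCED):
        for label, reply in (("STARTTLS offered", EHLO_WITH_TLS),
                             ("STARTTLS missing", EHLO_WITHOUT_TLS)):
            print(f"{policy:13} {label:16} -> {delivery_decision(policy, reply)}")
```

Only the forced policy turns a missing or failed TLS negotiation into a visible delivery failure; the opportunistic policy delivers the same message unencrypted.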

Virus*

EXCHANGE ONLINE

FOPE Connectors

DEMO

Creating FOPE Connectors

How to configure FOPE Connectors

http://technet.microsoft.com/en-us/library/gg430178.aspx

• Docs and video tutorials available on TechNet

Inbound FOPE Connector

• Inbound connectors apply to inbound mail

• This connector shows the “Forced TLS Scenario”: incoming messages from fabrikam.com will be secured with TLS

Outbound FOPE Connector

• Outbound connectors apply to outbound mail

• This connector shows the “Outbound Smart Host Scenario”: all outgoing mail will be routed to Contoso’s on-premises mail servers for additional processing

FOPE Connector Reporting

• Viewing Information About FOPE Connectors

• View connector information in reports, using the My Reports tab

• Trace connector activity by viewing the Message Trace Summary page

Mail Routing Options

Two options for mail routing

MX record pointed on-premises
• Why? Least disruptive option for most customers
• Recommended in our documentation for Exchange Online coexistence (Simple and Rich)
• Mail forwarders are auto-configured when a mailbox is moved to the cloud using our tools
• “Shared Address Space with On-Premises Relay”

MX record pointed to the cloud
• Why? Customers can stop doing AV/AS themselves and reduce dependence on local mail server
• How?
– FOPE passes all email to Exchange Online
– Mail-enabled users route email to on-prem users
– FOPE subscriptions are required for on-premises users
• “Shared Address Space with FOPE Relay”

Message and Recipient Limits

Key limits to know

• FOPE and Exchange Online enforce limits in order to:
– Prevent spammers from using the platform as a spam factory
– Ensure rapid mail delivery times and service health
• Exchange Online has limits that are more restrictive than FOPE

Limit | Details | Notes
Maximum message size | 25 MB; 2 MB for large distribution groups (5000+ recipients) | These limits cannot be raised; customer can reduce maximum attachment size, using transport rules
Recipient limits | 500 recipients per message; 1500 recipients per day | A shared distribution group counts as 1 recipient; enforced based on a hidden counter in the mailbox
Message rate | 30 messages per minute | Okay to submit messages at faster rate, but system will change rate of delivery

Additional Resources

Business Ready Security Demo 4.0i

BRS 4.0i
• New! FPSMC RTW Included
• New! FPSMC HOL
• New! FPE/FPSP Rollup Updates

• End to end demo environment
• All Identity and Security Solutions/Technologies
• 7 GB size zipped/installer package
• Demo scripts/architecture overview documentation provided
• Available as download

http://go.microsoft.com/fwlink/?LinkId=190269

Distribution List: [email protected]

Business Ready Security Demo 4.0i cont.

Related Content

Breakout Sessions
• SIM 309 - Microsoft Forefront Online Protection for Exchange Advanced Routing Scenarios Deep Dive
• SIM 326 - Microsoft Forefront End-to-End Protection for Information Worker Business
• SIM 333 - Centralized Management of Anti-Malware/Anti-Spam Using Microsoft Forefront Protection Server Management Console
• SIM 334 - Microsoft Forefront Online Protection for Exchange Deep Dive

Find Me Later At… [email protected]

Interactive Sessions (SIM378-INT, Microsoft Forefront Online Protection for Exchange and Microsoft Office 365 Demos)


© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Appendix

Business Ready Security Demo 4.0i (cont.)

Solution Scenarios

Secure Messaging
• Seamless, secure access through Unified Access Gateway (UAG)
• Automatically control confidential email with built-in information protection
• Protect Exchange with multiple best-in-class anti-malware engines using FPE
• Centralized management experience with FPSMC
• Outlook Web Access 2010 integration with AD RMS
• Outlook 2010 automatic protection

Secure Collaboration Solution
• Secure collaboration by using AD FS and AD RMS (for Partner employees)
• Protect your collaboration portal from malware infection using FPSP
• Centralized management experience with FPSMC
• Secure collaboration by using UAG (for Internal employees)

Secure Desktop Solution
• Advanced threat protection with Forefront TMG 2010
• Malware protection when not connecting to the company network
• Malware protection using FEP
• FEP Deployment and Management using SSCM
• Direct Access with Unified Access Gateway (UAG)

Information Protection Solution
• Protecting data-in-motion with Exchange 2010 and AD RMS
• Protecting data-at-rest with SharePoint 2007, AD FS and AD RMS
• Protecting data-at-rest with File Classification Infrastructure (FCI) and AD RMS

Identity and Access Management Solution
• Group management with FIM 2010 and Outlook
• Self-service password reset with FIM 2010

Links & Resources

Forefront Site http://www.microsoft.com/forefront/

Forefront on TechNet Library http://technet.microsoft.com/en-us/library/ff684056.aspx

Forefront Videos on TechNet Edge http://technet.microsoft.com/en-us/edge/ff832960.aspx?category=Forefront

Understanding Terminology

FOPE/Exchange documentation says | What this means in layman’s terms
“Outbound Smart Host” | Route outbound mail through a DLP device
“Regulated partner with forced TLS” | Forced TLS
“Inbound safe listing” | Bypass spam filtering for domains I trust
“Shared address space with on-premises relay” | Coexistence: Customer’s MX record is pointed on-premises
“Shared Address Space with Cloud Relay” | Coexistence: Customers’ MX record is pointed to the cloud (virtual domains method)

http://technet.microsoft.com/en-us/library/gg430178.aspx
http://help.outlook.com/en-us/beta/Dd775210.aspx

FOPE

Edge

Virus

Policy

Spam

EXCHANGE ONLINE

Mailboxes

INTERNET

Fully hosted: Inbound and Outbound

Inbound (From: [email protected] To: [email protected])
• Contoso signs up for Exchange Online
• Exchange Online has provisioned tenant in FOPE
• Mail sent to FOPE
• FOPE filters inbound mail
• Virus scanning is performed by FPE on Exchange Online servers
• Mail is delivered to the recipient’s mailbox

Outbound (From: [email protected] To: [email protected])
• Mail is sent outbound
• Virus scanning is performed by FPE on Exchange Online servers
• FOPE filters as outbound
• FOPE delivers to Internet

contoso.com

Mailboxes

On-Premises Exchange

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE) - Inbound

• MX points to FOPE for spam processing, filtering, and scanning
• Mail is routed to on-premises server, and if mailbox does not exist on-premises, mail is routed back to FOPE
• FOPE forwards mail to hosted mailbox
• Virus scanning is performed by FPE for Exchange Online mailboxes

Inbound From: [email protected] To: [email protected]

service.contoso.com

contoso.com

Inbound FOPE Connector

Inbound Exchange Receive Connector

Outbound Exchange Send Connector

Virus*

Mailboxes

On-Premises Exchange

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE) - Outbound

• Scanning by Forefront Protection for Exchange on Microsoft Exchange Online mail hubs
• Delivery to FOPE for scanning
• Delivered to on-premises Exchange server
• Custom processing on premises
• Outbound delivery to FOPE
• Delivery to Internet

Outbound From: [email protected] To: [email protected]

service.contoso.com

contoso.com

Outbound Exchange Send Connector

Outbound FOPE Connector

Inbound Exchange Receive Connector

Virus*

Mailboxes

On-Premises Exchange

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Virus

Policy

Spam

Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE) – Intra-Org

• Hosted mailbox sends mail outbound
• Delivery to FOPE (virus scanning disabled by default; policy rules dependent on customer configuration)
• Delivery to on-premises mailbox

Outbound From: [email protected] To: [email protected]

service.contoso.com

contoso.com

Outbound Exchange Send Connector

Outbound FOPE Connector

Inbound Exchange Receive Connector

Inbound FOPE Connector

Mailboxes

On-Premises

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) - Inbound

• MX points to on premises for initial filtering
• Custom filtering, archival etc. done on-premises
• Cloud mail is re-directed to FOPE where it is filtered
• Delivered to Exchange Online
• Virus scanning is performed by FPE for Exchange Online mailboxes

Inbound From: [email protected] To: [email protected]

service.contoso.com

contoso.com

Outbound Exchange Connector

Inbound FOPE Connector

Virus*

Mailboxes

On-Premises

Customer Mail Processing/Filtering

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Policy

Spam

INTERNET

Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) - Outbound

• Hosted mailbox sends mail outbound
• Virus scanning is performed by FPE for Exchange Online mailboxes
• Filtered by FOPE
• Delivered to on-premises
• Custom processing on-premises
• Delivery by on-premises

Outbound From: [email protected] To: [email protected]

service.contoso.com

contoso.com

Outbound FOPE Connector

Inbound Exchange Connector

Virus*

EXCHANGE ONLINE

Mailboxes

FOPE

Edge

Virus

Policy

Spam

Mailboxes

On-Premises

Customer Mail Processing/Filtering

Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) – Intra Org

• MX points to on-premises for initial filtering
• Custom processing on-premises
• Delivery to FOPE
• Filtering skipped
• Delivery to Exchange Online by FOPE

Intra Org From: [email protected] To: [email protected]

service.contoso.com

contoso.com

Outbound Exchange Connector

Inbound FOPE Connector
