3. email relay fpe


3. Email Relay Forefront Protection for Exchange Server
TMG and UAG seminar at Microsoft (Rome)

Published in: Technology

  1. 1. Secure Mail Relay
  2. 2. Mail protection
      • Full-featured SMTP hygiene
      • Exchange Edge Transport for the SMTP stack
      • Requires valid license
      • Integrated with Microsoft® Forefront™ Protection 2010 for Exchange Server: antimalware, antispam, antiphishing
      • Also supports generic SMTP mail servers
  3. 3. Advantages of an e-mail policy with Forefront TMG
      • Protection on the edge, saving processing resources, bandwidth, and storage
      • Integrated management: when you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES
      • Extended management: Forefront TMG allows you to deploy multiple servers in an array and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments
      • Native support for Network Load Balancing (NLB): using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic
  4. 4. Features
      • Protection at the edge: protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server
      • Advanced protection and premium antispam: multiple scan engines to protect against malware and provide a premium antispam solution
      • Integrated management: easy management of the Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG
      • Array deployment: support for managing and load balancing traffic among multiple servers
  5. 5. Forefront Protection for Exchange and Mail Flow
      FPE performs its checks at the edge level and applies a "stamp"
      • Mail received from an external client
      • Passage from Edge to Hub through the firewall
      • Further verification of the rules
      • Firewall rules applied
      • If FPE is present on the hub, it is activated
      • AV stamp check, and only when an anti-malware stamp is missing
  6. 6. Forefront Protection and Exchange Roles
      • FPE can be implemented on a single-role machine or on a machine that includes three roles
      • The configuration options that FPE allows you to implement will vary according to the role for which it was implemented
      • FPE does not support installations on a CAS-only role because there is no workload to protect
      NOTE: If you have multiple Exchange servers, you can install and configure FPE on a single Exchange server and later export and import the configuration settings to your other Exchange servers. However, you must install FPE on each separate server before you can import the configuration settings
      To export the configuration file to an .xml file:
          Export-FseSettings -path c:\ConfigSettingsExport.xml
      To export all extended options:
          Get-FseExtendedOption -name * >> c:\ConfigSettingsExtended.txt
  7. 7. Forefront Protection and Exchange Roles
  8. 8. Forefront Protection Processing Decision
      • The source analysis performs various tests, such as determining whether the source IP is allowed or whether it belongs to a block list
      • In the protocol analysis, another set of tests is performed, such as a test to determine whether the sender is listed as allowed or blocked
      • Next, the content analysis determines whether there is any anomaly in the e-mail body that matches any configured policies
      • The user also has a direct influence on the message's acceptance, based on the local rules created in Outlook
  9. 9. Centralized administration interface
  10. 10. The components
  11. 11. The components
      Microsoft products:
      • Forefront Protection 2010 for Exchange Server
      • Microsoft® Exchange Server® 2007 (or 2010) Edge Transport
      • Forefront Threat Management Gateway
      • Windows Server® 2008 x64
  12. 12. Features (table columns: Feature, Exchange Edge Role, FPE 2010, Filter)
      • IP Allow / Block Lists
      • IP Allow / Block List Providers: (custom), (FF DNSBL)
      • Sender / Recipient Filtering, Sender ID
      • Sender Reputation
      • Basic Content Filtering (SmartScreen)
      • Premium Antispam (Cloudmark)
      • File Filtering
      • Message Body Filtering
      • Antivirus
      • Antispyware
      Filter column: Connection Filter, Protocol Filter, Content Filter
      Forefront TMG ... and cannot manage Subject Line, Sender-Domain, or Allowed Senders in FPE
  13. 13. Configuring SMTP protection
  14. 14. Installation
      On each member of the Forefront TMG array:
      • Install Active Directory® Lightweight Directory Services (AD LDS)
      • Install Exchange Server 2007 SP1 (or 2010) Edge Transport role
      • Install Forefront Protection 2010 for Exchange Server
      • Install Forefront Threat Management Gateway 2010
  15. 15. Detail: Installing the Edge Transport Server
      • Install the prerequisite software: open the Scripts directory on the installation media and enter the following command:
          ServerManagerCmd.exe -InputPath Exchange-Edge.XML
      • Install the Edge Transport Server
      • Configure the EdgeSync Service: open an Exchange Management Shell and enter the following command:
          New-EdgeSubscription -FileName C:\Edge-TMG.XML
      • Copy the Edge-TMG.XML file to the internal Hub Transport Server and import it there: open an Exchange Management Shell and enter the following commands:
          $Temp = Get-Content -Path "C:\Edge-TMG.xml" -Encoding Byte -ReadCount 0
          New-EdgeSubscription -FileData $Temp -Site "Default-First-Site"
          Start-EdgeSynchronization
  16. 16. Detail: Installing Forefront Protection for Exchange
      Choosing to Enable Antispam now will disable Exchange's content filtering agent, if it is currently enabled. Uninstalling FPE will not re-enable Exchange's content filtering agent; re-enabling the filtering agent must be done manually
  17. 17. Configuration
      • Run e-mail policy wizard
      • Configure SMTP routes
      • Configure spam filtering
      • Configure virus and content filtering
      • Enable and configure EdgeSync
  18. 18. E-Mail Policy Wizard
      • Set the internal server and the domains for which you are authoritative
      • Almost every option is configured for you without additional configuration, all but content filtering
      • Do not go below 6 in content filtering or most e-mails will be blocked
  19. 19. Note: exceptions to HTTPS inspection
  20. 20. Creating SMTP Routes
      • Defines how Forefront TMG routes traffic from and to the organization's SMTP servers
      • At least two routes are required:
          • Internal_Mail_Servers defines the IP addresses and SMTP domains of the internal mail servers
          • External_Mail_Servers defines which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail
      • Each SMTP route has an e-mail listener which responds to mail requests from permitted IP addresses and networks
  21. 21. Creating routes
      (Diagram labels: Anti-virus Engines; Forefront Security for Exchange (FSE); Multi-layer Filters; Exchange Edge Role; Receive Connector; Send Connector; Network Inspection System (NIS); TMG Filter Driver; External Network; Internal Network)
  22. 22. Spam Filtering
      • The anti-spam solution in FPE is composed of four major detection pillars: Source, Protocol, Content, and Client analysis
      • To configure these options, under the Antispam option, click Configure
      • You can run the Windows PowerShell command Set-FseSpamFiltering -enabled $true in the Forefront Management Shell to enable the Antispam feature. This process requires you to restart the Microsoft Exchange Transport service
      • Another way to enable the Antispam feature is by clicking Enable Antispam Filtering
  23. 23. Configuring Spam Filtering
      Defines the spam filtering policy
      • Connection-level filtering
          • IP Allow List
          • IP Allow List Providers
          • IP Block List
          • Block List Providers
      • Protocol-level filtering
          • Configuring Recipient Filtering
          • Configuring Sender Filtering
          • Configuring Sender ID
          • Configuring Sender Reputation
      • Content-level filtering
  24. 24. Spam Filtering: Connection-level Filtering
  25. 25. Spam Filtering - IP Allow List
      • The IP Allow List allows you to add one or more IP addresses that are considered trusted and should always be allowed to send e-mail
      • You can use this option, for example, in a scenario where you have partners that you want to treat as trusted sources of e-mail and therefore allow to send e-mail without passing through the normal SMTP filters
      • This feature is enabled by default on the Spam Filtering tab
  26. 26. Spam Filtering - IP Allow List Providers
      • You can use the IP Allow List Providers dialog box to maintain a list of IP addresses that are known to not be associated with any type of spam activity
      • The IP Allow List Providers feature is also referred to as safe list services
      • This feature is enabled by default on the Spam Filtering tab
  27. 27. Spam Filtering - IP Block List
      • In contrast with the IP Allow List, the IP Block List allows you to add one or more IP addresses that should never be allowed to establish an SMTP connection with TMG
      • You want to block these IP addresses during the connect phase (the initial attempt to establish the SMTP connection)
  28. 28. Spam Filtering - IP Block List Providers
      • You have the capability to add the providers that are known (or suspected) to send spam
      • This option is enabled by default and you can change the status in the Status drop-down box
  29. 29. Spam Filtering: Protocol-level Filtering
  30. 30. Spam Filtering - Recipient Filtering
      • In the Recipient Filtering dialog box, you can specify a list of e-mail addresses or a distribution list that would like to receive e-mails from outside your organization
      • It is very common within an organization to have some distribution lists that are used regularly, and those you might want to prevent from receiving e-mail from the Internet
  31. 31. Spam Filtering - Sender Filtering
      If you learn of a specific e-mail address that is sending lots of spam to your organization and you want to block that source e-mail address from sending messages, you can use the Sender Filtering feature
      1. Click the Block Senders tab and notice that by default there is already a filter to block
      2. Click Add, and then add the e-mail address
      3. Click OK
      4. Click Add again and then specify the domain that you want to block
      5. Click the Action tab to specify the action to be taken when a message contains one of the senders specified in the Block Senders list
  32. 32. Spam Filtering - Sender ID
      • The Sender ID feature works by verifying that the source of the message is the organization it claims to be
      • Sender ID checks the IP address of the sending server against a registered list of servers that the domain owner has authorized to send e-mail
  33. 33. Spam Filtering: Content-level Filtering
  34. 34. Spam Filtering - Content-level Filtering
      • Delete Messages That Have A SCL Rating Greater Than Or Equal To: Exchange Edge Transport Server (installed on the TMG computer) accepts and then deletes the message. The message is deleted and the sending server is not notified of the message deletion. Because the sending server understands that the message was accepted, the sending server doesn't retry sending the message in the same session
      • Reject Messages That Have A SCL Rating Greater Than Or Equal To: This option rejects the message by sending one of several SMTP negative responses to the sending server
      • Quarantine Messages That Have A SCL Rating Greater Than Or Equal To: When using this option you need to specify a mailbox to hold the quarantined e-mail. You must have the mailbox account already created prior to configuring this option. In other words, this option does not create a mailbox for quarantine; it can only use an existing mailbox
      The numbers that are configured beside each of those options have a range from 0 to 9, where 9 indicates that the e-mail is very likely to be spam and 0 indicates that the e-mail is least likely to be spam. Notice that by default all options are dimmed, but if you select any of those check boxes the option will be enabled. For this example leave all these settings at their default values and click OK to close the dialog box
  35. 35. Virus and Content Filtering
      Configures antivirus, file attachment, and message body filtering
      • Virus filter: engine selection policy and remediation actions
      • File filters: unwanted file attachments based on file type, filename, and prefix
      • Message body filters: identify unwanted e-mail messages by applying keyword lists to the contents of the message body
  36. 36. Virus and Content Filtering
  37. 37. Virus and Content Filtering - Configuration
      On the Engines tab you can select up to five engines that will be used for transport scanning (inbound and outbound messages). You can also select how the engines will be used to scan the messages by selecting one of the following options:
      • Always Scan With All Selected Engines: Using this option Forefront Protection 2010 for Exchange Server queues messages for scanning if any of the selected engines becomes busy, such as during signature updates or heavy e-mail traffic times
      • Scan With The Subset Of Selected Engines Which Are Available: This option scans using all selected engines. Scans alternate between engines when one of the selected engines is busy
      • Scan With A Dynamically Chosen Subset Of Selected Engines: Using this option Forefront Protection 2010 for Exchange Server heuristically chooses from the selected engines, based on recent results and statistical projections
      • Scan With Only One Of The Selected Engines: Using this option only one of the selected engines listed in this dialog box is used to scan any single object
      Note: When selecting multiple engines it is important to consider performance and sizing of the server. CPU utilization can increase 20 to 40 percent depending on bias and engines.
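
The SCL actions on slide 34 and the threshold advice on slide 18 can be audited together. The following is an added example, not part of the original slides: it reads the SCL properties that Exchange's Get-ContentFilterConfig returns and reports thresholds below 6, actions that can never fire, and a missing quarantine mailbox. The function names are hypothetical, the sample settings are constructed, and the evaluation order (delete, then reject, then quarantine) is an assumption.

```powershell
# Added example, not from the slides. Property names follow the output of
# Exchange's Get-ContentFilterConfig; the function names are hypothetical.
function New-SclAction($Name, $Enabled, $Threshold) {
    New-Object PSObject -Property @{ Name = $Name; Enabled = $Enabled; Threshold = $Threshold }
}
function Get-SclActions($Config) {
    # Most severe first. Assumption: delete is checked before reject, reject before quarantine.
    @(
        (New-SclAction 'Delete'     $Config.SCLDeleteEnabled     $Config.SCLDeleteThreshold),
        (New-SclAction 'Reject'     $Config.SCLRejectEnabled     $Config.SCLRejectThreshold),
        (New-SclAction 'Quarantine' $Config.SCLQuarantineEnabled $Config.SCLQuarantineThreshold)
    ) | Where-Object { $_.Enabled }
}
function Resolve-SclAction($Config, [int]$Scl) {
    # First enabled action whose threshold the SCL reaches; otherwise the mail is delivered.
    foreach ($a in @(Get-SclActions $Config)) {
        if ($Scl -ge $a.Threshold) { return $a.Name }
    }
    'Deliver'
}
function Test-SclPolicy($Config, [int]$MinThreshold = 6) {   # 6: floor advised on slide 18
    $actions  = @(Get-SclActions $Config)
    $findings = @()
    for ($i = 0; $i -lt $actions.Count; $i++) {
        $a = $actions[$i]
        if ($a.Threshold -lt 0 -or $a.Threshold -gt 9) {
            $findings += "$($a.Name): threshold $($a.Threshold) is outside the 0-9 SCL range"
        } elseif ($a.Threshold -lt $MinThreshold) {
            $findings += "$($a.Name): threshold $($a.Threshold) is below $MinThreshold; legitimate mail is likely to be caught"
        }
        # A milder action never fires if a more severe one applies at the same or a lower SCL.
        for ($j = 0; $j -lt $i; $j++) {
            if ($actions[$j].Threshold -le $a.Threshold) {
                $findings += "$($a.Name) at $($a.Threshold) never fires: $($actions[$j].Name) applies from $($actions[$j].Threshold)"
            }
        }
    }
    if ($Config.SCLQuarantineEnabled -and -not $Config.QuarantineMailbox) {
        $findings += 'Quarantine is enabled but QuarantineMailbox is empty'
    }
    $findings
}
# Constructed sample settings; on the Edge server use: $cfg = Get-ContentFilterConfig
$cfg = New-Object PSObject -Property @{
    SCLDeleteEnabled = $true;     SCLDeleteThreshold = 9
    SCLRejectEnabled = $true;     SCLRejectThreshold = 5
    SCLQuarantineEnabled = $true; SCLQuarantineThreshold = 7; QuarantineMailbox = $null
}
Test-SclPolicy $cfg
0..9 | ForEach-Object { '{0} -> {1}' -f $_, (Resolve-SclAction $cfg $_) }
```

The check only confirms that a quarantine mailbox is configured; whether that mailbox exists still has to be verified against the directory, as slide 34 requires.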