Microsoft Forefront - Online Security For Exchange Whitepaper

Service Description for
Version 9.0
Published April 2009

Abstract

Microsoft® offers fully hosted managed services that provide e-mail protection and message management to enterprises worldwide. Microsoft® Forefront™ Online Security for Exchange runs on a globally distributed network of data centers through which it provides managed antispam, antivirus, and policy enforcement services to help create a secure, protected, and compliant message stream. This technical overview provides information on the Microsoft Forefront Online Security for Exchange service along with the administrative controls and reporting capabilities that are built into the hosted service system.

This document contains sensitive confidential and proprietary information and intellectual property of Microsoft. Review, use, and reproduction is only permitted by you solely as necessary for the purposes for which it was given to you, and solely subject to the terms of your non-disclosure agreement with Microsoft. No further distribution to third parties is permitted.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication and is subject to change at any time without notice to you. This document and its contents are provided AS IS without warranty of any kind, and should not be interpreted as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

All trademarks are the property of their respective companies.
©2009 Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
Global Network
Filtering Service
Service Level Agreements
Antivirus
Forefront Online Security for Exchange Antispam
Layered Defenses Against Junk E-mail
Accuracy and Effectiveness
Spam Quarantine
Policy Enforcement
Message Handling
Directory-Based Edge Blocking
Directory Synchronization Tool for Directory Services Automation
Disaster Recovery
Service Experience
Deployment
Administration
Reporting and Analytics
Message Trace
Audit Trail
Customer Support
Related Links

Introduction

E-mail abuse can overwhelm businesses and destroy the benefits of e-mail as a vital communication tool.
Microsoft® Forefront™ Online Security for Exchange is a hosted service for inbound and outbound e-mail that can help provide organizations with a frontline defense against e-mail-borne malware. It is a fully hosted solution that provides messaging protection and management services to enterprises worldwide and gives e-mail administrators an effective way to enforce policy on e-mail use. By using multiple layers of technology between the Internet and corporate networks, Forefront Online Security for Exchange manages the inbound and outbound flow of e-mail passing through e-mail gateways, and it helps guard networks and corporate e-mail systems against attacks by viruses, spam, and other malicious content. It delivers a hands-free e-mail security experience to customers, which can help simplify the management of an e-mail environment and alleviate the burdens of software and hardware maintenance with an enterprise-class service that offers active protection by continuously updating virus definitions and spam detection technologies.

Global Network

Microsoft Forefront Online Security for Exchange is powered by a global network of data centers based on a fault-tolerant and redundant architecture and is load-balanced both site-to-site and internally within each data center. Figure 1 shows the physical location of the data centers that make up the global network. If a data center is suddenly unavailable, traffic is automatically routed to another data center without any interruption to service. Thousands of e-mail servers across the network of data centers accept e-mail on the customers’ behalf, providing a layer of separation between their servers and the Internet. Furthermore, Microsoft algorithms analyze and route message traffic between data centers to ensure the most timely and efficient delivery. With this highly available network, Microsoft provides 99.999 percent uptime through service level agreements and has delivered historical uptime of 100 percent. This approach, built on a distributed server and software model, has proven successful in helping to protect customers’ fragile corporate networks and e-mail servers from common threats, such as dangerous worms, denial-of-service assaults, directory harvest and dictionary attacks, and other forms of e-mail abuse.

Figure 1: Microsoft Exchange Hosted Services global network

All messages processed by Forefront Online Security for Exchange are encrypted using Transport Layer Security (TLS). To help ensure privacy and message integrity, the service will attempt to send and receive e-mail using TLS but will automatically fall back to SMTP without TLS if the sending or destination e-mail server is not configured to use TLS.

Filtering Service

To provide effective message security for corporate networks, Forefront Online Security for Exchange offers five services that apply a unique blend of preventive and protective measures to stop increasingly complex e-mail–borne threats from infiltrating businesses and to prevent violations of corporate policy on e-mail use. The services are as follows:

Antivirus: Helps protect businesses from receiving e-mail–borne viruses and other malicious code by using multiple antivirus engines and heuristic detection to minimize the window of vulnerability during emerging threats.
Antispam: By layering antispam technologies, the antispam filter can detect all types of spam before they reach the corporate network.
Policy Enforcement: Provides administrators with the ability to craft highly flexible policy rules to regulate e-mail flow for compliance.
Directory Services: Allows organizations to specify all valid users on a domain or to configure different filtering settings for groups of users within a domain.
Disaster Recovery: Helps ensure that no e-mail is lost by instantly and automatically queuing messages for later delivery if the destination e-mail server is unavailable.

Figure 2: Integrated E-mail Security and Filtering Solution with Forefront Online Security for Exchange

Developed as a family, these services easily integrate with one another as a package and require little to no user tuning to be effective. “Out of the box,” Forefront Online Security for Exchange blocks more than 98 percent of unwanted e-mail and 100 percent of known viruses, reducing message traffic and improving the efficiency of the corporate messaging infrastructure. Additionally, no white lists need to be uploaded or maintained to achieve this level of accuracy. Network performance and spam/virus filtering effectiveness of the Online Security for Exchange service are backed by Service Level Agreements (SLAs).

Service Level Agreements

Microsoft Forefront Online Security for Exchange provides comprehensive Service Level Agreements (SLAs) backing network performance and spam and virus filtering effectiveness. The SLAs include:

Filtering network infrastructure
  Network uptime: 99.999%
  Email delivery: Average delivery commitment of less than 1 minute
Filtering accuracy
  Virus Blocking: 100% protection against all known email viruses
  Spam Capture: Capture of at least 98% of all inbound spam emails
  False Positive Ratio: False positive commitment of less than 1 in 250,000 emails

The following sections provide an overview of each service and how it works to help secure your organization’s corporate messaging network.

Antivirus

Modern viruses, worms, and other forms of malware pose significant risk to organizations such as yours and can spread at lightning speeds. According to some reports, the faster threats can reproduce at a rate of tens of thousands of copies an hour. At this rate, there is almost no time to update desktop and gateway antivirus systems to ensure that corporate networks and systems are protected.

Layered Defenses Against Viruses

Blocking viruses before they reach the corporate network significantly reduces the risk of infection and has the added benefit of increasing the resources available for your corporate use. Because stopping viruses is very time-critical, Forefront Online Security for Exchange employs a layered approach to offer protection from both known and unknown threats for both inbound and outbound e-mail. Taking advantage of partnerships with numerous best-of-breed providers of antivirus technologies, Online Security for Exchange uses multiple antivirus engines to help protect against viruses and other e-mail threats. The antivirus engines include powerful heuristic detection to provide protection even during the early stages of a virus outbreak. The multi-engine approach has been shown to provide significantly more protection than using just one antivirus engine.

Real-time Threat Response

In some virus outbreaks, the EHS anti-malware team will have enough information about the virus or other form of malware to write sophisticated policy rules that detect the threat even before a signature is available from any of the antivirus engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.

Fast Antivirus Signature Deployment

The service enjoys close developer relationships with its antivirus partners, integrating each antivirus engine at the API level. As a result, it receives and integrates virus signatures and patches before they are publicly released, often working directly with the antivirus partners to develop virus remedies. The service checks for updated virus signatures for all antivirus engines every 15 minutes and applies them in minutes to the global filtering network.

Forefront Online Security for Exchange Antispam

Left unchecked, the scourge of spam can overwhelm businesses, destroying e-mail productivity and the benefits of this vital business communication tool. The sheer volume, coupled with spammer creativity, leaves businesses with no option but to turn to technology to combat this ever-present threat.

Forefront Online Security for Exchange defines an electronic message as spam if all of the following apply:
The recipient’s personal identity and context are irrelevant because the message is equally applicable to many other potential recipients.
The recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent.
The transmission and reception of the message appears to give a disproportionate benefit to the sender.

Layered Defenses Against Junk E-mail

Microsoft Forefront Online Security for Exchange achieves enhanced accuracy with proprietary, multilayer spam technology that helps ensure unsolicited e-mail is automatically filtered before it enters your corporate messaging systems. There is no work or intervention needed by your users or IT administrators to incorporate the antispam technology. This technology is applied at the domain level or subdomain level (for example, XYZ.COM, US.XYZ.COM, and UK.XYZ.COM).

IP Reputation Blocking

Online Security for Exchange IP reputation blocking serves as the first line of defense against unwanted e-mail and blocks roughly 90% of inbound junk e-mail through connection analysis and reputation analysis.

Connection Analysis

Each connection to the Exchange Hosted Services network is monitored closely and evaluated based on the SMTP commands issued by the connecting server. Nonstandard connection requests that deviate significantly from RFC standards and spoofed connection attempts are immediately dropped, thereby helping to shield your networks from these invalid connection attempts.

Reputation Analysis

Forefront Online Security for Exchange reputation-based connection blocking employs a proprietary list that, based on analysis and historical perspective, contains the addresses of the most egregious spamming machines on the Internet. Through an ongoing partnership with Microsoft Windows Live Mail, Forefront Online Security for Exchange aggregates both consumer and corporate junk e-mail data to populate a massive and comprehensive reputation database. Online Security for Exchange also uses IP reputation information from third-party companies and ISPs to provide enhanced protection from spam-sending IPs and botnet attacks. Spammers frequently create malicious web sites which they use for phishing and for distributing malware; EHS draws on a variety of sources to quickly update lists of known malicious URLs and update its content filters to block these messages.

Junk E-mail Protection

Once a message passes the edge blocking, it must then pass four additional layers of antispam technology: Additional Spam Filtering options (ASF), IP-based authentication, fingerprinting, probabilistic content filtering, and rules-based scoring.

Additional Spam Filtering Options

Many customers want more control over e-mail that may affect privacy, contain obscene graphics, or attempt to trick users into disclosing sensitive information. Using filtering flags, ASF gives your IT administrators the ability to quarantine messages that contain various kinds of active or suspicious content. ASF filtering flags include:
Empty messages
JavaScript or VBScript in HTML
Frame or iFrame tags in HTML
Object tags in HTML
Embed tags in HTML
Form tags in HTML
Web Bugs in HTML
SPF record hard failure
From address authentication failure
Sensitive word list
Image links to remote sites
Numeric IP in URL
URL redirect to another port
URL to .biz or .info Web sites
Blocking all NDRs for non-outbound customers

Normally, antispam systems use rules-based scoring (see below) to add these e-mail characteristics to an overall score, making them more likely to result in a message being considered spam. However, using the ASF service, your administrator can explicitly select one of these characteristics as a filtering flag so that all mail with that characteristic will be quarantined, even if it is legitimate. Each ASF filter can be engaged in “test” mode to measure effectiveness before going “live.”

IP-based Authentication

Forefront Online Security for Exchange authenticates the identity of the sender of each e-mail. If a message cannot be authenticated and is determined to be from a spoofed sender, the message is more likely to be scored as spam. The service uses Sender Policy Framework (SPF), an industry standard that fights return-path address forgery by checking the SMTP MAIL FROM identity of an e-mail, making it easier to identify spoofs. SPF lookups help verify that the entity listed as the sender did indeed send the e-mail.

Fingerprinting

When messages contain known spam characteristics, they are identified and “fingerprinted”; that is, they are given a unique ID based on their content. The fingerprinting database aggregates data from all spam blocked by the Forefront Online Security for Exchange system, which allows the fingerprinting process to become more intelligent and refined as more mail is processed. If a message with a particular fingerprint passes through the system again, the fingerprint is detected and the message is marked as spam. The system continually analyzes incoming messages to determine new spamming methods (such as base64-encoded spam). The Online Security for Exchange spam analysis team updates the fingerprint layer ad hoc as new campaigns are detected.

Non-Delivery Report Backscatter Mitigation

There are a number of causes for a surge in non-delivery reports (NDRs) that may impact an e-mail environment. For example, one of the e-mail addresses for a domain may be affected by a spoofing campaign or be the source address for a directory harvest attack. Any of these issues could result in a sudden increase in the number of NDRs being delivered to end users. NDR backscatter has become a serious issue for many customers. This option will filter out NDR messages and send them to the Quarantine. For outbound filtering customers, there is logic that helps detect NDRs that are legitimate bounce messages and delivers those to the original sender without enabling the ASF option. For outbound customers, intelligent detection of legitimate NDRs is enabled by default.

Rules-based Scoring

Based on more than 20,000 rules that embody and define characteristics of spam and legitimate e-mail, scores are assigned to messages. Points are added to the score if a message contains characteristics of spam; points are subtracted if it contains characteristics of legitimate e-mail. When a message’s score reaches a defined threshold, it is flagged as spam. Message characteristics that Online Security for Exchange evaluates and scores include:
Phrases in the body and subject of the message including URLs
HTTP obfuscation
Malformed headers
E-mail client type
Formation of headers (i.e., Message-ID, Received, random characters)
Originating mail server
Originating mail agent
From and SMTP From address

The current rules are modified and new rules are added as needed many times a day, every day, by the spam team.

Outbound Spam Filtering

All outbound messages that exceed the spam threshold are delivered through a Higher Risk Delivery Pool. The Higher Risk Delivery Pool is a secondary outbound e-mail pool that is used to send messages that may be of lower quality, helping to protect the rest of the network from sending messages that are more likely to result in the sending IP address being blocked.

The use of a dedicated Higher Risk Delivery Pool helps ensure that the normal outbound pool is only sending e-mail that is known to be high-quality. The possibility of the Higher Risk Delivery Pool being placed on a third-party block list remains a risk (and is by design). However, having this secondary server pool helps to reduce the probability of the normal outbound server pool being added to a third-party block list.

In addition, some third-party e-mail filtering agents will throttle mail where the sending domain has no A record and no MX record in DNS. Such outbound mail, regardless of its spam disposition, is routed through the Higher Risk Delivery Pool.

Accuracy and Effectiveness

Ineffective spam filters frustrate users and expose companies to infection and loss. Forefront Online Security for Exchange simultaneously delivers high accuracy and effectiveness by both identifying spam and keeping it from reaching customer mailboxes. Customers can therefore preserve the integrity of their e-mail environment and communications, boosting productivity and improving total cost of ownership for their corporate e-mail systems.

Accuracy

A false positive is a legitimate message that is incorrectly identified as spam. These can be either bulk messages such as newsletters, person-to-person legitimate business communication, or personal e-mail. Through extensive monitoring, Online Security for Exchange has found that the false positive ratio is better than approximately 1 in 250,000 (0.0004 percent).

Your users and administrators can report e-mail abuse by submitting messages to the abuse e-mail alias. The spam analysis team examines the submitted messages and tunes the filters accordingly to prevent future occurrences. As a result, the service is constantly updating and refining the spam prevention and protection processes. Any submitted items are evaluated at the network-wide level. False positive submissions are examined and assessed for possible rule adjustment to allow future messages through the spam filters. Therefore, notifying the service of false positives and unfiltered spam is advantageous for you and all customers utilizing the Forefront Online Security for Exchange Global Network.

Effectiveness

Without tuning, the Forefront Online Security for Exchange solution can block 98 percent of spam. However, adding the ASF capability can allow your organization to further customize spam filtering according to your needs, which may increase effectiveness.
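The interplay between ASF filtering flags (a selected characteristic quarantines outright, or only records a hit in "test" mode), the SPF hard-failure check, and additive rules-based scoring against a threshold can be sketched in a few functions. The block below is an added illustration and is not the service's own code or rules: the flag patterns, the five scoring rules, the threshold of 5, the sample messages, and the SPF record table (a stand-in for DNS TXT lookups, using the reserved documentation domain example.com and documentation IP ranges) are all constructed for the example, and the SPF evaluator handles only ip4 mechanisms and -all.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups (hypothetical record for a documentation domain).
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}


@dataclass
class Message:
    sender_ip: str      # connecting SMTP client address
    mail_from: str      # SMTP MAIL FROM (return-path) address
    headers: dict
    body: str


def spf_hard_fail(mail_from, sender_ip):
    """Simplified SPF check: only ip4 mechanisms and a trailing -all are evaluated."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return False                      # no policy published: cannot hard-fail
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return False                  # sender matched an authorised range
        if term == "-all":
            return True                   # reached the hard-fail catch-all
    return False                          # no "all" term: treat as neutral


# Constructed detectors for a subset of the ASF characteristics listed above.
ASF_PATTERNS = {
    "script_in_html": re.compile(r"<script\b|\b(?:javascript|vbscript):", re.I),
    "frame_in_html":  re.compile(r"<i?frame\b", re.I),
    "object_in_html": re.compile(r"<object\b", re.I),
    "embed_in_html":  re.compile(r"<embed\b", re.I),
    "form_in_html":   re.compile(r"<form\b", re.I),
    # 1x1 / 0x0 image: the classic tracking "web bug"
    "web_bug":        re.compile(r"""<img\b[^>]*\b(?:width|height)=["']?[01]\b""", re.I),
    "numeric_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
    # explicit port other than the defaults 80/443
    "url_other_port": re.compile(r"https?://[^\s/:]+:(?!80\b|443\b)\d+", re.I),
    "url_biz_info":   re.compile(r"https?://[^\s/]+\.(?:biz|info)\b", re.I),
}


def asf_flags(msg):
    """Return the set of ASF characteristics present in a message."""
    hits = {name for name, pat in ASF_PATTERNS.items() if pat.search(msg.body)}
    if not msg.body.strip():
        hits.add("empty_message")
    if spf_hard_fail(msg.mail_from, msg.sender_ip):
        hits.add("spf_hard_failure")
    return hits


# Constructed scoring rules: positive points for spam traits, negative for legitimate ones.
SCORING_RULES = [
    ("subject_all_caps",   lambda m: m.headers.get("Subject", "").isupper(), 2),
    ("repeated_bangs",     lambda m: "!!" in m.headers.get("Subject", ""), 1),
    ("numeric_ip_url",     lambda m: bool(ASF_PATTERNS["numeric_ip_url"].search(m.body)), 3),
    ("missing_message_id", lambda m: "Message-ID" not in m.headers, 2),
    ("is_reply",           lambda m: "In-Reply-To" in m.headers, -3),
]
SPAM_THRESHOLD = 5   # constructed threshold


def spam_score(msg):
    return sum(points for _, test, points in SCORING_RULES if test(msg))


def classify(msg, asf_live=frozenset(), asf_test=frozenset()):
    """Live ASF flags quarantine regardless of score; test flags are only recorded;
    otherwise the additive score against the threshold decides."""
    flags = asf_flags(msg)
    result = {"flags": flags, "test_hits": flags & asf_test}
    live_hits = flags & asf_live
    if live_hits:
        result["disposition"] = "quarantine"
        result["reason"] = "asf:" + ",".join(sorted(live_hits))
        return result
    score = spam_score(msg)
    result["disposition"] = "quarantine" if score >= SPAM_THRESHOLD else "deliver"
    result["reason"] = f"score:{score}"
    return result


def sample_messages():
    """Three constructed messages: a legitimate reply, an iframe lure, and a shouty pitch."""
    legit = Message("192.0.2.10", "alice@example.com",
                    {"Subject": "Re: agenda", "Message-ID": "<1@example.com>",
                     "In-Reply-To": "<0@example.com>"},
                    "Hi, the agenda for Thursday is attached.")
    framed = Message("198.51.100.7", "alice@example.com",
                     {"Subject": "Account notice", "Message-ID": "<2@example.com>"},
                     '<iframe src="http://203.0.113.5:8080/x"></iframe> see http://promo.info')
    shouty = Message("203.0.113.9", "win@example.net",
                     {"Subject": "FREE MONEY NOW!!!"},
                     "Claim at http://203.0.113.9/claim")
    return legit, framed, shouty
```

With "frame_in_html" enabled live and "url_biz_info" in test mode, the iframe message is quarantined on the flag alone (its SPF hard failure and numeric-IP URL are also recorded), the shouty message reaches the threshold through scoring, and the genuine reply is delivered with a negative score.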

What Happens to Detected Junk E-mail?

Once a message is recognized as spam, it is addressed in one of four ways, depending on the settings for the domain:
Tagged with an X-header
Tagged through subject line modification (such as inserting “<SPAM>”)
Redirected to an SMTP mailbox
Quarantined and stored for customer or end-user review

Spam Quarantine

Most customers choose to quarantine messages identified as spam. Microsoft Forefront Online Security for Exchange stores quarantined messages for 15 days and then automatically deletes them. During that 15-day window, individual users can review quarantined messages and retrieve improperly blocked messages using a Web-based tool for managing spam in individual accounts. From within this e-mail summary, users can review messages instantly. If they have authorization, all your IT administrators can view quarantined e-mail. Administrators can limit quarantine review to only administrators as well.

Reviewing Spam in Quarantine

Forefront Online Security for Exchange provides a Web-based interface for individuals to view spam addressed to their e-mail accounts. With this interface, users can recover (or salvage) spam they might want to read, as well as report false positives.

Your organization’s administrator can enable user reminders, which are notifications that remind users to check their Spam Quarantine accounts to review the quarantined spam for their e-mail address. Users can receive either of the following reminders:
Text notification: A text e-mail that includes a URL and brief instructions on how to log in and view spam.
HTML: An e-mail with an HTML interface that gives users a snapshot of the new spam messages delivered to their spam quarantine mailboxes since either their last notification or the last time they logged into their Spam Quarantine accounts. Unlike the text e-mail, users can directly manage messages from within this HTML notification e-mail without logging in to their accounts.

Figure 3: Spam Quarantine

Policy Enforcement

The fourth service that Online Security for Exchange offers in its integrated approach to message security is policy enforcement. It allows companies to automatically monitor outbound and inbound e-mail, and stop sensitive and inappropriate messages from leaving and entering the corporate network. Administrators put into effect custom policy rules that include one or more of the following attributes:
Words and phrases in the subject and body
Message size
Attachment types
Number of recipients
Sender and recipient addresses and domains
IP address or domain name

Administrators define and edit attribute and policy rules with an easy-to-use interface in the Admin Center, where they specify the type of rule and message rule parameters. They can also indicate when a rule is to expire, if at all. Administrators can also create text or HTML outbound e-mail disclaimers or footers, with a different disclaimer per domain if needed.

Policy enforcement can be an important and effective tool in reducing vulnerability to viruses by filtering specific kinds of attachments and e-mail based on known virus characteristics. For example, by taking advantage of the functionality of policy enforcement together with Directory Services to provide select access to executable content by small user populations, a company can eliminate risk for 98 percent of its users.

Figure 4: The Admin Center policy rule writing interface

Message Handling

Administrators have multiple options for handling e-mail that is flagged by a policy rule. Should a message be flagged by a rule, options for handling that message include:
Reject message
Allow message
Quarantine message for review
Redirect message to an alternate recipient or mailbox
Deliver message with BCC
Force TLS
Encrypt message (requires Exchange Hosted Encryption)

Once policy rules have been put into effect, messages that trigger a rule are handled according to the rule specifications. If your administrators choose to quarantine messages for review, Online Security for Exchange provides the option to let either users or administrators review and release quarantined items at their discretion.

Online Security for Exchange also includes standard bounce options. Once an e-mail is rejected for not complying with content and policy rules, administrators can set up separate custom bounce messages for the sender, recipient, and administrator.

The service also allows your administrators to set your Inbound Policy Allow rules to safe-list an IP address, even if it is listed on the Reputation Block Lists (RBLs) that are used by the service. Multiple IP addresses can be added to a single Policy Allow rule as long as the IP addresses are separated by commas. IP address ranges or Classless Inter-Domain Routing (CIDR) formatted IP ranges are not supported for this feature.

Directory-Based Edge Blocking

Forefront Online Security for Exchange Directory-Based Edge Blocking is a multifunctional service that improves message handling and routing for inbound message traffic. By specifying who can accept e-mail and defining delivery groups, customers use the Directory Services preemptive filter for messages, thereby improving the efficiency of their e-mail infrastructure. Directory Services provides the administrator with the ability to upload a user list, by domain, in the Admin Center. Incoming e-mail is then compared to the domain user list and processed depending on the functionality chosen by the administrator. By default, Forefront Online Security for Exchange accepts mail for any SMTP address within a domain for which mail is processed. But with an uploaded user list, Online Security for Exchange filters accordingly. Features for Directory Services include message reject, pass through, reject test, group filtering, and intelligent routing:

Message Reject
This highly recommended functionality rejects all e-mail (spam and legitimate mail) at the network perimeter for recipients not on the domain’s user list. Therefore, if a message is received for a recipient that is included on the user list, the message is processed according to the domain’s settings. If, however, a message is received for a recipient who is not included on the user list, then Forefront Online Security for Exchange responds with a 554 error message.

Pass Through
Administrators can define a subset of users who are “opted in” for service evaluation purposes, while all others by default are “opted out” of all filtering services, even if all users share the same domain. Therefore, if a message is received for someone whose name is included on the user list (that is, the end user is “opted in”), the message is processed according to the domain’s settings. If, however, a message is received for someone not on the user list (that is, the end user is “opted out”), the message bypasses the Message Switch and any filtering settings and is delivered to the corporate mail server directly.

Reject Test
To be used for short periods of time, this function validates the accuracy of a user list. All e-mail for recipients not on a domain’s user list is redirected to a specific e-mail address after filtering. Therefore, if a message is received for a recipient on the user list, the message is processed according to the domain’s settings. If, however, a message is received for someone not on the user list, that message is processed according to the domain’s settings and delivered to the last e-mail address listed for the domain.

Group Filtering
This function provides the ability for different groups of users to have their own set of filtering rules, even if all users share the same domain. (For example, the HR department can have different filtering rules than the IT department.) Each user included in the user list upload is associated with a group name. An administrator then creates a virtual domain and configures it for each group name in the user list.

Intelligent Routing
A function of Group Filtering, this feature routes SMTP addresses to specific delivery locations based on group name and association, even if users all share the same domain. For example, the U.K. office can receive all mail for U.K. users at a specific location, one that is different than the destination for mail sent to U.S. users. As in Group Filtering, each user is associated with a group, and each group is associated with a virtual domain. Each virtual domain is then configured to redirect e-mail to specific servers within the organization.

Key translation servers or active trust brokering servers are required to interconnect one enterprise’s trusted servers with another. This can be prohibitively expensive and may also require establishing a trusted third-party intermediary.

Directory Synchronization Tool for Directory Services Automation

The Directory Synchronization Tool is an optional, lightweight application installed on the customer’s server that simplifies the experience for both administrators and end users. Once installed and configured, the tool connects to Microsoft Active Directory and shares valuable e-mail-related information with Directory Services.
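The three Directory Services modes (message reject, pass through, reject test) and the group-based routing of known recipients amount to one decision per RCPT TO address, driven by a user list that a synchronisation tool builds from the directory for the chosen domains. The following is an added example of that decision logic and is not the service's or the Directory Synchronization Tool's own code: the directory entries, group names, server names, the mode strings, and the wording of the 554 reply are all constructed (example.com is a reserved documentation domain), and the real service reads its user list from Active Directory rather than from an inline list.

```python
from dataclasses import dataclass, field

# Constructed directory entries (address, group) as a sync tool might read them.
DIRECTORY_ENTRIES = [
    ("Alice@example.com", "uk"),
    ("bob@example.com", "us"),
    ("carol@example.com", ""),        # no group: takes the domain's default route
    ("dave@partner.test", "uk"),      # not one of the synchronised domains: ignored
]


def build_user_list(entries, domains):
    """Collect SMTP addresses for the selected domains, normalised to lower case."""
    wanted = {d.lower() for d in domains}
    return {addr.lower(): group for addr, group in entries
            if addr.rsplit("@", 1)[-1].lower() in wanted}


@dataclass
class DirectoryConfig:
    mode: str                                   # "reject", "pass_through" or "reject_test"
    users: dict                                 # recipient address -> group name ("" = none)
    default_route: str                          # the domain's normal delivery server
    group_routes: dict = field(default_factory=dict)   # group (virtual domain) -> server
    reject_test_address: str = ""               # last address listed for the domain


def edge_decision(cfg, recipient):
    """Decide what the edge does with one RCPT TO address."""
    rcpt = recipient.lower()
    group = cfg.users.get(rcpt)
    if group is not None:
        # Known recipient: filtered, then routed by group (intelligent routing).
        return {"action": "filter", "recipient": rcpt,
                "deliver_to": cfg.group_routes.get(group, cfg.default_route)}
    if cfg.mode == "reject":
        # Unknown recipient is refused at the perimeter with a 554 reply.
        return {"action": "reject", "smtp_reply": f"554 Recipient {rcpt} not in directory"}
    if cfg.mode == "pass_through":
        # Unknown recipient is "opted out": no filtering, straight to the corporate server.
        return {"action": "bypass", "recipient": rcpt, "deliver_to": cfg.default_route}
    if cfg.mode == "reject_test":
        # Unknown recipient is filtered and redirected to the configured catch-all address.
        return {"action": "filter", "recipient": cfg.reject_test_address,
                "deliver_to": cfg.default_route}
    raise ValueError(f"unknown Directory Services mode {cfg.mode!r}")


def make_config(mode):
    """Constructed configuration for example.com in the requested mode."""
    users = build_user_list(DIRECTORY_ENTRIES, ["example.com"])
    return DirectoryConfig(mode, users, "mail.example.com",
                           {"uk": "mail-uk.example.com", "us": "mail-us.example.com"},
                           "postmaster@example.com")
```

Addresses are compared case-insensitively on purpose: a list built from the directory with mixed-case entries would otherwise reject mail for valid users whose address arrives in lower case, which is exactly the kind of mistake the reject test mode exists to surface before reject mode is switched on.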
<br />One function of the tool is the collection of all valid email addresses from the corporate directory and sharing of these addresses with Forefront Online Security for Exchange, which creates a Directory Services reject list based on these e-mail addresses. E-mail sent to recipients not on the Directory Services list is rejected by Forefront Online Security for Exchange with a 554 error. Administrators can review the Spam and Submissions Report available from the Reports section of the Admin Center to see how much junk e-mail has been rejected by Directory Services. <br />Another function of the tool is the collection and sharing of safe-senders as defined by end users. Using this feature helps to even further reduce the possibility of false positives and ensure negligible impact to legitimate e-mail communication. This feature requires Exchange Server 2007, which stores safe-sender information in Active Directory, and Microsoft Outlook 2003 or higher.<br />The following image details the components of the directory synchronization process and how it integrates with Directory Services.<br />Figure 5: Flow and component details of the Directory Synchronization Tool<br />In this example, the Directory Synchronization Tool is installed in the customer’s network on the company’s Microsoft® Exchange Server, which has access to Active Directory. The tool provides a user interface in which the administrator specifies the domains for which e-mail addresses will be synchronized and how often synchronization should take place. The synchronization service reads the configuration file (XML file) at the interval specified, retrieves all SMTP addresses from Active Directory for the specified domains, and sends the list to Online Security for Exchange via SSL. Transfer of the address list is contingent upon successful authentication, which uses the same administrative credentials used to log into the Admin Center. 
A web service running on the hosted network accepts the list and feeds it to the Directory Services infrastructure, which distributes the list across the FOSE data center network every 15 minutes. Because any recipient absent from the list is rejected, a newly created mailbox can be refused at the edge until the next synchronization run has uploaded it and the 15-minute distribution has completed.

Disaster Recovery

If a customer’s e-mail server(s) become unavailable for any reason, Forefront Online Security for Exchange helps ensure that no e-mail is lost or bounced: its servers spool and queue inbound e-mail for up to five days. Once the e-mail server is restored, all queued e-mail is automatically forwarded in a “flow-controlled” fashion so that the recovering server is not flooded. In cases of extended downtime, e-mail can be rerouted to another server or made available through a Web-based interface.

The system can be set up to send a deferral notification, a text-based page to an administrator, whenever e-mail cannot be delivered to the customer’s site.

Service Experience

In addition to the benefits of a hosted e-mail filtering solution, Forefront Online Security for Exchange is simple to deploy, easy to configure, and backed by experienced support for all customers. By default the service is highly accurate and requires little tuning or optimization by administrators to protect an organization from spam and viruses. Administrators who want to customize filtering for their organization will find the Web-based administration console flexible and intuitive, and able to accommodate most filtering preferences. Friendly and knowledgeable implementation project managers and around-the-clock technical support staff are available to answer questions and help with configuration settings.

Deployment

Forefront Online Security for Exchange is straightforward to implement. Enterprises do not need to change or modify their existing e-mail infrastructure, or to install and maintain any new hardware or software.
With a simple change to their DNS, customers can begin using hosted filtering services right away, in some cases in less than an hour. There is no hardware to provision; no software to buy, install, or configure; and no expensive training required for IT staff or end users.

Forefront Online Security for Exchange requires only one mail exchange (MX) record, which resolves to the Forefront Online Security for Exchange network, so the IP address of the corporate e-mail server no longer appears in MX lookups. Senders that locate mail servers through DNS, including malicious mailers, are directed to the Forefront network instead of the customer’s own network. Customers can therefore restrict inbound SMTP to the Forefront network alone. Locking down the firewall or e-mail server to accept inbound connections on TCP port 25 only from the Forefront Online Security for Exchange network closes the remaining hole: without that restriction, unwanted e-mail can still be sent through a “backdoor” directly to the server’s IP address, bypassing the filter entirely.

In most scenarios, deployment of Forefront Online Security for Exchange is completed in three steps:

1. Following activation, the customer adds and configures its e-mail domains in the EHS Admin Center.
2. A simple change is made to the customer’s MX record, without additional hardware or software: the original MX record is replaced with a pointer to the Forefront Online Security for Exchange network. Over the following 24 hours the change propagates throughout the Internet, and mail begins to flow through the Forefront network to the corporate e-mail servers.
3. Seventy-two hours after the MX record change, once cached DNS answers have expired and legitimate senders are no longer delivering directly, the customer firewall is configured to accept inbound SMTP connections only from the IP addresses of the Forefront Online Security for Exchange data centers. If the customer is using outbound services, its servers are configured to send all outgoing mail to the Forefront Online Security for Exchange network.

Administration

The Administration Center, or Admin Center, is a Web-based console for defining and managing the settings and configuration of customer domains for all Exchange Hosted Services, including Forefront Online Security for Exchange. In many cases, no configuration or oversight of the service is required, resulting in a hands-free management experience. During implementation, all new customers are given a comprehensive tutorial to familiarize administrators with the Admin Center console and tools. After the walkthrough, customers can access the Admin Center at any time of day or night to define and edit a variety of rules and settings.

An Information tab displays service announcements, network alerts and important information such as new services, system upgrades, virus outbreaks, and patches, in addition to filtering reports at the organization and network level.

Figure 6: Admin Center Home Page Dashboard

Reporting and Analytics

The Admin Center provides access to a set of comprehensive reports with detailed statistics about customer e-mail traffic. Reporting on an e-mail occurs in near real time after it enters the FOSE network. Reports can be generated by domain or by organization (all domains) and provide information such as the percentage of inbound e-mail flagged as spam, the number of viruses blocked, and overall e-mail volumes.
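Returning to deployment steps 2 and 3, here is an added Python example (not Microsoft’s code and not from the whitepaper) of two checks a practitioner would run after cut-over: an audit of the published MX records, which flags any host outside the filtering network, including a forgotten backup MX that gives spammers a direct path to the corporate server, and a scan of the mail server’s connection log for inbound SMTP sessions from sources outside the filtering network, which is exactly the traffic step 3’s firewall rule should eliminate. The MX host suffix, the IP ranges (RFC 5737 documentation addresses) and the log line format are placeholders I chose; the sample records and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Placeholders, not the real Forefront values: the MX host suffix and the source
# IP ranges of the filtering network. Substitute the values the service publishes.
FILTER_MX_SUFFIX = "hosted-filter.example.net"
FILTER_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed MX record set for a domain part-way through the migration.
SAMPLE_MX: List[Tuple[int, str]] = [
    (10, "mail.hosted-filter.example.net."),
    (50, "mail.corp.example.com."),   # forgotten backup MX: a direct path around the filter
]

# Constructed connection-log lines from the corporate mail server (format assumed).
SAMPLE_LOG = """\
2009-04-13 08:00:12 SMTP inbound connection from 192.0.2.17 accepted
2009-04-13 08:00:15 SMTP inbound connection from 198.51.100.40 accepted
2009-04-13 08:01:02 SMTP inbound connection from 203.0.113.9 accepted
2009-04-13 08:01:30 SMTP inbound connection from 198.51.100.200 accepted
2009-04-13 08:02:44 SMTP inbound connection from 203.0.113.9 accepted
2009-04-13 08:03:10 POP3 inbound connection from 203.0.113.50 accepted
"""
LOG_RE = re.compile(r"^\S+ \S+ SMTP inbound connection from (\S+) ")


def _in_filter_dns(host: str, suffix: str) -> bool:
    h = host.rstrip(".").lower()
    return h == suffix or h.endswith("." + suffix)


def audit_mx(records: Sequence[Tuple[int, str]], suffix: str = FILTER_MX_SUFFIX) -> List[str]:
    """Return findings for a domain's MX set; an empty list means only the
    filtering network is advertised. Every MX outside that network is a
    finding, because senders (and spammers, deliberately) may use any of them."""
    findings: List[str] = []
    if not records:
        return ["no MX record: senders fall back to the A record, which bypasses filtering"]
    ordered = sorted(records)  # lowest preference value is tried first
    for pref, host in ordered:
        if not _in_filter_dns(host, suffix):
            findings.append(f"MX {pref} {host.rstrip('.').lower()} is outside the filtering network (direct delivery path)")
    if not _in_filter_dns(ordered[0][1], suffix):
        findings.append(f"primary MX {ordered[0][1].rstrip('.').lower()} bypasses filtering for all senders")
    return findings


def from_filter_network(ip: str, networks=FILTER_NETWORKS) -> bool:
    """Allow-list test a firewall or mail server applies to an inbound SMTP source."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_bypass_sources(log_text: str) -> Dict[str, int]:
    """Count inbound SMTP connections per source IP outside the filtering
    network: each one is mail that reached the server without being filtered."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not from_filter_network(m.group(1)):
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in audit_mx(SAMPLE_MX):
        print("MX audit:", finding)
    for ip, n in sorted(find_bypass_sources(SAMPLE_LOG).items()):
        print(f"direct SMTP from {ip}: {n} connection(s)")
```

The log scan is the control for step 3: once the firewall accepts port 25 only from the filtering network it should return nothing, and any source it still reports (here 203.0.113.9, and 198.51.100.200 which lies just outside the /25) is either a missing rule or a range the service has added since the rule was written.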
Measured on a regular basis, these reports are a valuable tool for gaining insight into, and control of, any customer e-mail system.

Figure 7: E-mail Reports

Figure 8: Sample E-mail Traffic Report

Online Security for Exchange reports include:

E-mail Traffic Report: Returns the number and volume of messages for each traffic type that you select. The available traffic types are:
  - Inbound delivery: Legitimate messages that are delivered to this organization or domain. Reports that include this traffic type do not include messages that are allowed by policy filter rules.
  - Spam: Inbound messages that are filtered as spam. This traffic type also includes the requests sent to the e-mail abuse and false-positive submission aliases and, if applicable, any messages salvaged from the Spam Quarantine or from Spam Notification e-mail messages.
  - Inbound virus: Inbound mail and virus-infected file attachments that are scanned, as well as viruses that are blocked and cleaned.
  - Inbound policy filter: Inbound messages that are filtered by the policy filter. (The report breaks these messages down by filter type.)
  - Outbound delivery: All messages sent from this organization or domain, including successfully sent outbound messages and outbound messages blocked by a policy filter.
  - Outbound virus: Outbound mail and virus-infected file attachments that are scanned, as well as viruses that are blocked and cleaned.
  - Outbound policy filter: Outbound messages that are filtered by the policy filter. (The report breaks these messages down by filter type.)

Top Viruses Report: Returns a list of the top 10 viruses caught by the virus filters for your domain or set of domains.

Deferral Report: Returns a list of messages that have been deferred by the service.
It includes the message and the reason for deferral.

Top Users: Returns a list of the top 10 users of the service. Note that this report displays only users who belong to domains that have directory-based edge blocking enabled, which keeps invalid user accounts out of the report.

Message Trace

Administrators can use the Message Trace tool to retrieve, in real time, the status of an e-mail processed by Forefront Online Security for Exchange. With basic information such as the date, sender and recipient, administrators can retrieve filtering information on e-mail processed within the last 30 days. Both the sender address and the recipient address are required; at least one of them must be a full e-mail address, and the other may be either a full e-mail address or only a domain name. Optionally, administrators can search by message ID. If the search yields results, administrators can see whether and when a message was received by the Forefront Online Security for Exchange service; whether it was scanned, blocked, or deleted; and whether it was delivered successfully within the last month.

Figure 9: The Message Trace search input panel

Figure 10: Message Trace search results

Audit Trail

Administrators can track important events that have occurred in the service. User-related and service-related events can be sorted by e-mail address, company, domain, activity, or date and time. This allows administrators to review changes that were made to settings, as well as which users have accessed the Admin Center.

Figure 11: Audit Trail Events

Customer Support

Tens of thousands of global businesses rely on Microsoft Online Services support for timely responses to virtually any service-related question.
To meet the needs of these organizations, the service offers comprehensive support for its customers, featuring detailed online resources, around-the-clock call centers and, for qualifying accounts, implementation project managers.

Get Help with Technical Support

Microsoft Online Services live technical support staff are ready to deliver solutions quickly and clearly and can be reached easily: they are available by phone, Web form, or e-mail 24x7. The technical support team stays in close contact with you and provides regular updates on issues until all questions have been resolved. Microsoft Online Services technical support issues a support incident number if follow-up calls are required. Additionally, you can use translation services to receive phone support in French, German, Japanese, Korean, Mandarin, and Spanish.

Assistance at Your Fingertips

Forefront Online Security for Exchange also provides online support tools, including FAQs, step-by-step guides, and comprehensive tutorials that cover all aspects of the service. These documents are available in various languages so that all key messaging staff in your organization can understand the service thoroughly.

Announcements and Notifications

As an enterprise-class service, Forefront Online Security for Exchange provides proactive, detailed, and regular communications so you and your IT staff are well informed. Announcements, alerts, and other notifications such as configuration updates are posted to the Information page of the Admin Center and are also pushed through RSS feeds to which you can subscribe.
Accelerate Time to Value with Implementation Project Managers

Implementation Project Managers (IPMs) are product specialists available to qualifying accounts for the first 90 days after service purchase to answer deployment, security, and configuration questions and to ensure that Microsoft Online Services customers get the best service experience and a successful implementation. IPMs work closely with customers in all industries to manage the organization’s initial deployment and to represent the needs of the customer. They enhance customer relationships by providing an additional layer of strategic and critical planning, and can facilitate one-on-one training with your administrative team as needed.

Leverage Microsoft Premier Support

Premier Support for Microsoft Online Services extends the Premier Support framework beyond on-premises products to online services, giving customers a unified support experience across all products and services. This helps ensure that customers can resolve issues quickly and simplifies the task of managing support for the different components of an IT infrastructure.

Forefront Online Security for Exchange customers who have a Microsoft Premier Support contract can also obtain support for their services through the normal Microsoft Premier Support channels. Existing and new Premier customers thus have access to all Premier Support processes and resources, such as a Premier Technical Account Manager (TAM) and case submission.

Related Links

See the following resources for further information:
  - Microsoft Online Services at
  - Microsoft Exchange Hosted Services at
  - Microsoft Forefront Online Security for Exchange at
  - Microsoft Secure Messaging at
  - Microsoft Exchange Server at