Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Module 6    ImplementingMessaging Security
Module Overview• Deploying Edge Transport Servers• Deploying an Antivirus Solution• Configuring an Anti-Spam Solution• Con...
Lesson 1: Deploying Edge Transport Servers• What Is the Edge Transport Server Role?• Infrastructure Requirements for the E...
What Is the Edge Transport Server Role?The Edge Transport server role provides a SMTP gateway thatcan be used for messagin...
Infrastructure Requirements for the EdgeTransport Server Role The Edge Transport server:    Must be configured with a Full...
What Is AD LDS?AD LDS is an LDAP directory service that stores informationfor directory-enabled applicationsAD LDS on an E...
Demonstration: How to Configure EdgeTransport ServersIn this demonstration, you will review the Edge Transportserver defau...
What Is Edge Synchronization?Edge synchronization replicates Active Directoryinformation to AD LDS on Edge Transport serve...
How Internet Message Flow Works Hub Transport / Client Access /       1 Mailbox Server                       6            ...
Demonstration: How to ConfigureEdge SynchronizationIn this demonstration, you will:• Enable Edge Synchronization• Test Edg...
What Is Cloned Configuration?Cloned configuration is a process of configuring multiple EdgeTransport servers with identica...
Lesson 2: Deploying an Antivirus Solution• Antivirus Solution Features in Exchange Server 2010• What Is Forefront Protecti...
Antivirus Solution Features in Exchange Server 2010Exchange Server 2010 supports:    Using the same VSAPI as is used in Ex...
What Is Forefront Protection 2010 for Exchange Server?Forefront Protection 2010 for Exchange Server is a separateantivirus...
Deployment Options for Forefront Protection 2010You can install Forefront Protection 2010: • Only on an Edge Transport ser...
Best Practices for Deploying an Antivirus SolutionWhen you implement an antivirus solution, you should: • Implement multip...
Demonstration: How to Install and ConfigureForefront Protection 2010 for Exchange ServerIn this demonstration, you will se...
Lab A: Configuring Edge Transport Servers andForefront Protection 2010 for Exchange Server• Exercise 1: Configuring Edge T...
Lab ScenarioYou are a messaging administrator in A. Datum Corporation,which is a large multinational organization. Your or...
Lab Review• When you implement new certificates on your existing Edge Transport server, what do you need to consider?• Doe...
Lesson 3: Deploying an Anti-Spam Solution• Overview of Spam-Filtering Features• How Exchange Server 2010 Applies Spam Filt...
Overview of Spam-Filtering Features     Feature                    Filters messages based on:Connection            The IP ...
How Exchange Server 2010 Applies Spam Filters                     Exchange Server 2010                     Edge Transport ...
What Is Sender ID Filtering?      DNS Server                                    Edge                                  Tran...
What Is Sender Reputation Filtering? Sender Reputation filtering filters messages based on information about recent email ...
What Is Content Filtering? Content Filtering analyzes the content of each email message and assigns an SCL to the messageY...
Demonstration: How to Configure Anti-Spam OptionsIn this demonstration, you will see how to:• Configure Connection Filteri...
Lesson 4: Configuring Secure SMTP Messaging• Discussion: SMTP Security Issues• SMTP Email Security Options• Demonstration:...
Discussion: SMTP Security Issues• What are the SMTP security issues?• How do you currently secure SMTP?
SMTP Email Security Options Protocol          Layer                     PurposeIPSec       Network-based        Encrypts s...
Demonstration: How to Configure SMTP SecurityIn this demonstration, you will see how to:• Configure an externally secured ...
What Is Domain Security?Uses mutual TLS with business partners to enable securedmessage paths over the InternetTo set up m...
How Domain Security Works Mail Client               1                        2                            Mail Client
Process for Configuring Domain SecurityTo configure Domain Security: 1 Generate a certificate request for TLS certificates...
Demonstration: How to Configure Domain SecurityIn this demonstration, you will see how to:• Verify certificate and check R...
How S/MIME Works         Method                 Type of Security Provided Digital signatures         Authentication: The m...
Lab B: Implementing Anti-Spam Solutions• Exercise 1: Configuring an Anti-Spam Solution on Edge Transport ServersLogon info...
Lab ScenarioAfter configuring the Edge Transport server and installing anantivirus solution, you must implement an anti-sp...
Lab Review• What anti-spam agents are available in Exchange Server 2010?• What is the purpose of the SCL threshold?• What ...
Module Review and Takeaways• Review Questions• Common Issues and Troubleshooting Tips
Upcoming SlideShare
Loading in …5
×

10135 b 06

420 views

Published on

  • Be the first to comment

  • Be the first to like this

10135 b 06

  1. 1. Module 6 ImplementingMessaging Security
  2. 2. Module Overview• Deploying Edge Transport Servers• Deploying an Antivirus Solution• Configuring an Anti-Spam Solution• Configuring Secure SMTP Messaging
  3. 3. Lesson 1: Deploying Edge Transport Servers• What Is the Edge Transport Server Role?• Infrastructure Requirements for the Edge Transport Server Role• What Is AD LDS?• Demonstration: How to Configure Edge Transport Servers• What Is Edge Synchronization?• How Internet Message Flow Works• Demonstration: How to Configure Edge Synchronization• What Is Cloned Configuration?
  4. 4. What Is the Edge Transport Server Role?The Edge Transport server role provides a SMTP gateway thatcan be used for messaging securityThe Edge Transport server role provides: Internet message delivery Antivirus and anti-spam protection Edge transport rules Address rewriting The Edge Transport server role: Cannot be deployed with any other server role Should not be a member of the internal Active Directory domain Should be deployed in a perimeter network
  5. 5. Infrastructure Requirements for the EdgeTransport Server Role The Edge Transport server: Must be configured with a Fully Qualified Domain Name Requires a minimal number of ports opened on the internal and external firewalls Must be configured with the IP addresses for DNS servers that can resolve DNS names on the Internet
  6. 6. What Is AD LDS?AD LDS is an LDAP directory service that stores informationfor directory-enabled applicationsAD LDS on an Edge Transport server stores: Schema information Configuration information Recipient informationYou can use the Exchange Server 2010 tools to perform mostof the AD LDS configuration tasks
  7. 7. Demonstration: How to Configure EdgeTransport ServersIn this demonstration, you will review the Edge Transportserver default configuration
  8. 8. What Is Edge Synchronization?Edge synchronization replicates Active Directoryinformation to AD LDS on Edge Transport serversEdge synchronization: Includes configuration and recipient information Synchronizes only changes to the Edge Transport server Is always initiated by Hub Transport servers Edge Synchronization AD DS Database AD LDS Database
  9. 9. How Internet Message Flow Works Hub Transport / Client Access / 1 Mailbox Server 6 2 5 4 3 Edge Transport Server
  10. 10. Demonstration: How to ConfigureEdge SynchronizationIn this demonstration, you will:• Enable Edge Synchronization• Test Edge Synchronization
  11. 11. What Is Cloned Configuration?Cloned configuration is a process of configuring multiple EdgeTransport servers with identical configurationsTo implement cloned configuration, use the: ExportEdgeConfig script to export configuration information ImportEdgeConfig script to validate the configuration on the target server, and then create an answer file ImportEdgeConfig script to import configuration informationIf you use any transport rules, ensure that you copy themseparately by using the Export-TransportRuleCollection cmdlet
  12. 12. Lesson 2: Deploying an Antivirus Solution• Antivirus Solution Features in Exchange Server 2010• What Is Forefront Protection 2010 for Exchange Server?• Deployment Options for Forefront Protection 2010• Best Practices for Deploying an Antivirus Solution• Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server
  13. 13. Antivirus Solution Features in Exchange Server 2010Exchange Server 2010 supports: Using the same VSAPI as is used in Exchange Server 2003 and Exchange Server 2007 Using transport agents to filter and scan messages Using antivirus stamping to mark each scanned message Integration with Forefront Protection 2010 for Exchange Server
  14. 14. What Is Forefront Protection 2010 for Exchange Server?Forefront Protection 2010 for Exchange Server is a separateantivirus software package that can be integrated withExchange Server 2010Benefits of Forefront Protection 2010 for Exchange Server include: • Antivirus scan with multiple scan engines • Full support for VSAPI • Microsoft IP Reputation Service • Spam signature updates • Premium spam protection • Automated content filtering updates
  15. 15. Deployment Options for Forefront Protection 2010You can install Forefront Protection 2010: • Only on an Edge Transport server or a Hub Transport server • On an Edge Transport server or a Hub Transport server and a Mailbox serverWhen installing Forefront Protection 2010, consider: • The number of scan engines required • The types of scan engines that should be used
  16. 16. Best Practices for Deploying an Antivirus SolutionWhen you implement an antivirus solution, you should: • Implement multiple layers of antivirus such as: • Firewall or Edge Transport server • Client • Exchange server • Maintain regular antivirus updates
  17. 17. Demonstration: How to Install and ConfigureForefront Protection 2010 for Exchange ServerIn this demonstration, you will see how to:• Install Forefront Protection 2010 for Exchange Server• Configure Forefront Protection 2010 for Exchange Server• Manage Forefront Protection 2010 for Exchange Server
  18. 18. Lab A: Configuring Edge Transport Servers andForefront Protection 2010 for Exchange Server• Exercise 1: Configuring Edge Transport Servers• Exercise 2: Configuring Forefront Protection 2010 for Exchange ServerLogon informationEstimated time: 45 minutes
  19. 19. Lab ScenarioYou are a messaging administrator in A. Datum Corporation,which is a large multinational organization. Your organizationhas deployed Exchange Server 2010 internally, and it nowwants to extend it so that everybody can send and receiveInternet email.As part of your job responsibilities, you need to set up an EdgeTransport server, and then install an antivirus solution to scanall mail.
  20. 20. Lab Review• When you implement new certificates on your existing Edge Transport server, what do you need to consider?• Does Forefront Protection 2010 for Exchange Server scan the message multiple times when it is passed over Edge Transport and Hub Transport servers?
  21. 21. Lesson 3: Deploying an Anti-Spam Solution• Overview of Spam-Filtering Features• How Exchange Server 2010 Applies Spam Filters• What Is Sender ID Filtering?• What Is Sender Reputation Filtering?• What Is Content Filtering?• Demonstration: How to Configure Anti-Spam Options
  22. 22. Overview of Spam-Filtering Features Feature Filters messages based on:Connection The IP address of the sending SMTP serverFilteringContent Filtering The message contentsSender ID The IP address of the sending server from which the message was receivedSender Filtering The Sender in the MAIL FROM: SMTP headerRecipient Filtering The Recipients in the RCPT TO: SMTP headerSender Reputation Several characteristics of the sender, accumulated over a period of timeAttachment Attachment file name, file name extension, or fileFiltering MIME content type
  23. 23. How Exchange Server 2010 Applies Spam Filters Exchange Server 2010 Edge Transport server IP Allow List Connection IP Block List Filtering RBL Sender Filtering Internet Recipient Filtering Outlook Safe Sender ID Senders List Filtering Exceed SCL Content Threshold Filtering Below SCL Threshold
  24. 24. What Is Sender ID Filtering? DNS Server Edge Transport SMTP Server Server 2 Hub Transport Server 1 4 Internet 3 Sender ID filtering is a concept in virus protection that was introduced in Exchange Server 2007You can configure it to: • Reject messages and issue an nondelivery report (NDR) • Delete messages without sending an NDR • Stamp the messages with the SenderID result, and continue processing
  25. 25. What Is Sender Reputation Filtering? Sender Reputation filtering filters messages based on information about recent email messages received from specific sendersThe Protocol Analysis agent assigns an SRL that is based on: • Sender open proxy test • HELO/EHLO analysis • Reverse DNS lookup • Analysis of SCL ratings on messages from a particular sender
  26. 26. What Is Content Filtering? Content Filtering analyzes the content of each email message and assigns an SCL to the messageYou can configure content filtering to: • Delete, reject, or quarantine messages that exceed an SCL value • Block or allow messages based on a custom word list • Allow exceptions so that messages sent to specified recipients are not filtered Quarantined messages are sent to a quarantine mailbox
  27. 27. Demonstration: How to Configure Anti-Spam OptionsIn this demonstration, you will see how to:• Configure Connection Filtering• Configure Sender and Recipient Filtering• Configure Sender ID and Sender Reputation Filtering• Configure Content Filtering
  28. 28. Lesson 4: Configuring Secure SMTP Messaging• Discussion: SMTP Security Issues• SMTP Email Security Options• Demonstration: How to Configure SMTP Security• What Is Domain Security?• How Domain Security Works• Process for Configuring Domain Security• Demonstration: How to Configure Domain Security• How S/MIME Works
  29. 29. Discussion: SMTP Security Issues• What are the SMTP security issues?• How do you currently secure SMTP?
  30. 30. SMTP Email Security Options Protocol Layer PurposeIPSec Network-based Encrypts server-to-server or client-to-server trafficVPN Network-based Encrypts site-to-site trafficTLS Session-based Encrypts server-to-server trafficS/MIME Client-based Encrypts client side email and enables digital signingSMTP email can be additionally secured by usingauthentication and authorization on the SMTP connector
  31. 31. Demonstration: How to Configure SMTP SecurityIn this demonstration, you will see how to:• Configure an externally secured SMTP Connector• Configure an SMTP Connector that requires TLS and authentication
  32. 32. What Is Domain Security?Uses mutual TLS with business partners to enable securedmessage paths over the InternetTo set up mutual TLS: • Generate a certificate request for TLS certificates • Import and enable the certificate on the Edge Transport server • Configure outbound Domain Security • Configure inbound Domain Security
  33. 33. How Domain Security Works Mail Client 1 2 Mail Client
  34. 34. Process for Configuring Domain SecurityTo configure Domain Security: 1 Generate a certificate request for TLS certificates 2 Import certificate to Edge Transport servers 3 Configure outbound Domain Security 4 Configure inbound Domain Security 5 Notify partner to configure Domain Security 6 Test mail flow
  35. 35. Demonstration: How to Configure Domain SecurityIn this demonstration, you will see how to:• Verify certificate and check Receive connector• Configure Domain Security
  36. 36. How S/MIME Works Method Type of Security Provided Digital signatures Authentication: The message was sent by the person or organization who claims to have sent it Nonrepudiation: Helps to prevent the sender from disowning the message Data integrity: Any alteration of the message invalidates the signature Message encryption Only the intended recipient can view the contentsS/MIME Infrastructure requirements: • The sender must have a valid certificate installed • All target addresses must have a public certificate available either locally or in Active Directory • Can use either an internal or public CA
  37. 37. Lab B: Implementing Anti-Spam Solutions• Exercise 1: Configuring an Anti-Spam Solution on Edge Transport ServersLogon informationEstimated time: 65 minutes
  38. 38. Lab ScenarioAfter configuring the Edge Transport server and installing anantivirus solution, you must implement an anti-spam solution.
  39. 39. Lab Review• What anti-spam agents are available in Exchange Server 2010?• What is the purpose of the SCL threshold?• What are the possible issues in implementing Domain Security for your partner domains?
  40. 40. Module Review and Takeaways• Review Questions• Common Issues and Troubleshooting Tips

×