
Overview of Forefront Protection 2010 for Exchange Server

July 21, 2011

Microsoft acquired Sybari Software Inc. in 2005 and, with it, acquired its
Antigen for Exchange product line. Microsoft later released its first suite of
Microsoft-branded Antigen products in June 2006 — marking its first line of
antivirus products specifically for Exchange Server 2000 and Exchange Server

The next generation of this product — Forefront Security for Exchange Server — was
released shortly after the debut of Exchange Server 2007. This version was
enhanced to support the new role-based architecture and leverage the new
transport pipeline in Exchange Server 2007.

Forefront Protection 2010 for Exchange
is the current generation and next evolution of antispam and antivirus protection
from Microsoft. Microsoft’s 2005 acquisition of FrontBridge Technologies Inc., a
managed services provider for corporate email compliance, security and high
availability, paved the way for its hosted security solution for Exchange, which
now includes Forefront Online Protection 2010 for Exchange Server.

Exchange 2010 built-in antispam

When you deploy an edge transport server role, a wide range of
antispam agents are installed that leverage Exchange Server 2010’s built-in API
hooks. Exchange 2010’s antispam transport agents are derived from long-standing
Exchange Server technology (Figure 1).

A list of Exchange 2010's antispam transport agents

Figure 1. Exchange Server 2010 already has plenty of antispam transport
agents built in.

Transport agents were first introduced in Exchange 2007 and can directly leverage the
transport pipeline to allow antivirus and antispam applications to proactively
scan inbound and outbound email processed by the edge transport server before it
enters or exits an organization.

If the edge transport server isn’t deployed, the
antispam transport agents can be imported onto a hub transport server role using the
install-AntispamAgents.ps1 script. This allows any Exchange Server
deployment topology to benefit from antispam protection. Of course, an antispam
application will only address half of the problem; you still need an antivirus
product to protect the organization from malware.

Forefront Protection for Exchange Server (On-premises)
Protection 2010 for Exchange Server (FPE) is an on-premises application that can
be implemented in the internal network on the hub transport and mailbox roles.
It can also be implemented in the perimeter network, on the edge transport or
threat management gateway (TMG). FPE was designed to provide three distinct
layers of filtering: connection filtering, protocol filtering and content

Layer 1 – Connection filtering (Approximately 80% of inbound spam

  • DNS Block List (DNSBL)
  • IP Allow/IP Block
  • Sender ID

Layer 2 – SMTP filtering (3% to 5% rejected)

  • Sender
  • Recipient
  • Global safe list
  • Global block list
  • Sender ID
  • Backscatter

Layer 3 – Content filtering (55% to 60% rejected)

  • Cloudmark
  • Automatic updates every 45 seconds

FPE can also be installed on the mailbox role. The table below lists
available configuration options when FPE is installed on a mailbox server.

  • Forefront Endpoint Protection 2010: Malware protection for business desktop
    PCs, laptops and server operating systems that is easier to manage and control
  • Microsoft Forefront Protection 2010 for Exchange Server: Multiple-engine
    antimalware and anti-spam protection for on-premises Microsoft Exchange Server
    environments
  • Microsoft Forefront Online Protection for Exchange: Microsoft-hosted
    antimalware and anti-spam service offering enterprise-class reliability for
    messaging security and management
  • Microsoft Forefront Protection 2010 for SharePoint: File filtering, keyword
    blocking and antivirus scanning for Microsoft Office SharePoint Server document
    libraries
  • Microsoft Forefront Security for Office Communications Server: Virus scanning
    and content filtering for instant message conversations and file transfers
  • Forefront Threat Management Gateway Web Protection Service: URL filtering and
    Web antimalware update service for Forefront Threat Management Gateway 2010

Microsoft Forefront Protection Server Management
Console (FPSMC) 2010

Microsoft Forefront Protection Server Management Console (FPSMC) 2010, which
allows administrators to manage not only multiple FPE servers within an
organization but also the settings for FOPE, is available as a free download.
FPSMC has an intuitive graphical interface that administrators can use for
server discovery, configuration deployment, reporting and quarantine management.

FOPE administrators can also utilize FPSMC as it is integrated with Forefront
Online Protection for Exchange. FPSMC also includes some reports to help
administrators understand the nature and trends of malware and spam.

The FPE Server Administrator Console does an adequate job of allowing you to
configure FPE and FOPE for an organization and is all that is really necessary
for single server deployments. The new dashboard view (Figure 2) makes it very
easy to track current activity and the status of the different components in

A look at the FPE dashboard
Figure 2. You can manage FPE from its new

New Forefront features to look

Forefront Protection for Exchange Server has several features that
might be new to Exchange Server administrators.
Let’s take a look at some of the coolest new features and how they work.

DNSBL. This feature automates subscriptions to real-time block list
(RBL) services and enables configuration through a single mouse click. This is
possible because Microsoft has already subscribed to some of the most respected
RBL providers to create its own DNS block list (DNSBL). When you enable DNSBL,
you subscribe to the Microsoft list; enabling DNSBL eliminates the subscription
fees that are often required to transfer block-list information to your servers.
It can also eliminate the headache of managing and configuring your own

Backscatter. This feature protects your organization from bogus
non-delivery report (NDR) messages. Prior to the release of FPE 2010, there was
no Microsoft solution that could prevent fictitious NDR messages from being
delivered to users’ mailboxes. When you enable Backscatter and generate a set of
keys, each outbound message carries a token based on a hashed tag applied to
P1.MailFrom: in the email header. If the external messaging system that receives
the email must return a non-delivery report, the token is returned as well.

If the Backscatter feature on Exchange 2010 transport servers can validate
the hash, then the NDR will be allowed into the organization. However, if the
NDR is missing the hashed tag or Backscatter cannot validate the hash, then the
NDR message will be dropped.

Note: To prevent inadvertently dropping valid NDR messages, all
transport servers must have the Backscatter feature enabled. At the very least,
it should be enabled on all Internet-facing transport servers.
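The tag-and-validate logic described above, written out as an added example (this is an illustration of the BATV-style technique, not FPE's own implementation or format). The shared key, the prvs= tag layout, the seven-day validity window and the addresses are constructed assumptions; the point to notice is that an untagged NDR, an expired tag and a tag signed with a different key are all dropped, which is why every transport server has to hold the same key.

```python
import hashlib
import hmac

# Constructed values for the example; every transport server must share the same
# key, otherwise it will drop NDRs for mail a sibling server legitimately sent.
SHARED_KEY = b"constructed-demo-key"
TAG_VALID_DAYS = 7          # a legitimate NDR should arrive well within this window


def _mac(key: bytes, day: int, address: str) -> str:
    """Short keyed hash binding the sender address to the day it was sent."""
    msg = f"{day}:{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def tag_mail_from(address: str, day: int, key: bytes = SHARED_KEY) -> str:
    """Rewrite the P1 MAIL FROM 'user@example.com' as 'prvs=DDD-MAC=user@example.com'."""
    local, domain = address.rsplit("@", 1)
    return f"prvs={day % 1000:03d}-{_mac(key, day, address)}={local}@{domain}"


def validate_bounce_recipient(rcpt: str, today: int, key: bytes = SHARED_KEY):
    """Return (valid, original_address) for the RCPT TO of an inbound NDR."""
    if not rcpt.startswith("prvs="):
        return False, None                      # untagged: not something we sent
    try:
        _, tagpart, original = rcpt.split("=", 2)
        day_str, mac = tagpart.split("-", 1)
        day_mod = int(day_str)
    except ValueError:
        return False, None                      # malformed tag
    # Only the last three digits of the day travel in the tag; try each recent day.
    for age in range(TAG_VALID_DAYS + 1):
        day = today - age
        if day % 1000 == day_mod and hmac.compare_digest(mac, _mac(key, day, original)):
            return True, original
    return False, None                          # expired, wrong key or tampered with


def filter_inbound(mail_from: str, rcpt_to: str, today: int) -> str:
    """Backscatter rule: only null-sender messages (NDRs) are checked; drop on failure."""
    if mail_from != "<>":
        return "accept"                         # ordinary mail is not subject to the check
    valid, _ = validate_bounce_recipient(rcpt_to, today)
    return "accept" if valid else "drop"
```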

Cloudmark. You can license this antispam solution from Microsoft for
both FPE and FOPE. Once FPE is installed, it will replace the default antispam
connection filter engine with Cloudmark. Cloudmark has proven to have a 99.77%
catch rate. Microsoft guarantees a 98% catch rate in its service-level agreement
(SLA) for FOPE.

Third-party spam and virus protection
Microsoft claims that there are four features in Forefront Protection 2010 for
Exchange Server that differentiate the product from third-party solutions.

1. FPE uses five simultaneous scanning engines.
2. It uses a multi-layer defense architecture.
3. FPE is easy to administer, monitor and report on.
4. The solution supports a hybrid model that integrates both on-premises and
online servers, as well as a singular solution.

Despite these advantages, however, it isn’t everything for everyone.
Sometimes you need a third-party antivirus or antispam solution. There are a
number of well-known antivirus and antispam vendors for Microsoft Exchange
Server. When it comes down to choosing the best one for your enterprise, which
factors should you consider? Key aspects to look for in a third-party antivirus
solution for Exchange Server 2010 are:

  • Support for latest VSAPI
  • Support for hub, edge and mailbox roles
  • Use of transport agents for scanning
  • Support for antivirus stamping
  • Support for multiple scanning engines

Can the cloud reduce your spam carbon footprint?
There is a
concept with antimalware and antispam prevention that suggests the sooner you
can eliminate the threat, the less it will cost your organization. To describe
this concept in today’s environmentally conscious landscape, some have coined
this as “reducing the carbon footprint of spam and malware.”

The last 10 years have seen an explosion in hardware appliances and
perimeter-based email security designed to prevent unwanted email from even
making it inside an organization. The downside to these solutions is that they
require additional security expertise to maintain and they must be kept up to
date in order to be effective. For many organizations, there is not enough staff
to meet these challenges. The consequences of a solution failing are too great
for many organizations, so they have begun to seek alternatives.

The use of cloud-based managed security solutions for email systems has
increased significantly over the last few years. Cloud-based security solutions
give companies the potential to maintain the smallest carbon footprint possible
for malware and spam because these solutions eliminate unwanted email in the
cloud — not in the perimeter.

When Microsoft acquired FrontBridge, it became one of the top email hygiene
providers along with Postini (Google), Message Labs (Symantec), SOPHOS and Trend
Micro. Today there are more than 10 well-known hosted email hygiene/security
providers to select from as well as several lesser-known vendors.

Microsoft’s technological advances with FOPE make it an excellent choice for
a managed security solution in the cloud and a strong competitor with the
predominant providers. The strongest argument for FOPE, however, is that it is
the only solution that is tightly integrated with its on-premises counterpart,
FPE. FOPE can also be enabled and provisioned with a few clicks of the mouse,
using the same tools you need to manage FPE.

Example deployment topologies
FPE and FOPE were designed to support
environments of all sizes. FOPE is a hosted solution, so it was designed to
scale support for even the largest enterprises. There are different ways to
deploy FPE and FOPE for an Exchange Server 2010 organization. FPE can protect
Exchange organizations with single servers with combined roles or with dedicated
server roles. FOPE can be leveraged by itself without FPE. However, the most
comprehensive solution is to deploy both FOPE and FPE together.

  • On-Premises: Combined Exchange Server roles
    All Exchange Server roles are combined on a single server. Although the client
    access server role and unified messaging role are on the same server, FPE does
    not directly support them. All email and voicemail are submitted to the mailbox
    role; therefore, the CAS and UM roles are indirectly protected (Figure 3).
    Figure 3. Though not directly supported, the client access server and unified
    messaging roles are protected by FPE.
  • On-Premises: Dedicated Exchange Server roles
    FPE is installed on the edge, hub and mailbox server roles, but it isn’t
    necessary to install it on the UM or CAS roles. This topology gives Exchange
    administrators the greatest level of flexibility when sizing each server to
    meet the resource requirements of both Exchange 2010 and FPE. A TMG was also
    deployed to provide protection for the CAS role (Figure 4).
    Figure 4. FPE is installed on the edge, hub and mailbox server roles.
  • On Premises/Hosted: Hybrid
    FPE and FOPE are deployed as a holistic antimalware/antispam solution. The
    Forefront Protection Manager allows admins to centrally manage the antispam
    policy. There is an additional FOPE gateway server in this configuration. This
    function takes very few resources and is used to push the antispam policy to
    FOPE from the FPSMC (Figure 5).
    Figure 5. FPE and FOPE can be deployed together as a hybrid
    antispam/antimalware solution.

Deployment recommendations
There are a few general rules you should
follow when deploying Forefront Protection for Exchange Server.

  • Deploy FPE on an edge transport server.
  • Deploy FPE on all hub transport servers.
  • Deploy FPE on all mailbox servers.
  • Run all five engines, if possible, and run no less than two engines for
    fault tolerance.
  • During a malware outbreak, enable the Scan after engine update
    setting for real-time scanning on mailbox servers.
  • Optionally, deploy FPE on a Threat Management Gateway (TMG) instead of an
    edge server.
  • Use the Forefront Protection 2010 for Exchange
    Server Capacity Planning Tool

Because running antivirus software consumes additional resources, it is
important to plan appropriately. The capacity planning tool lets you select a
reference architecture and customize the memory and hardware constraints. After
it runs, it will produce a summary of the hardware requirements and number of
servers that should be used, based on the specified constraints.

Viruses and worms of a decade ago seemed like the biggest threats to messaging
security, but when you consider what they have evolved into today, such as the
latest phishing and malware attacks with criminal intent, it is no surprise that
the security industry has evolved as well. Email administrators are at the
center of the malware and spam storm and have the greatest responsibility to
provide their organizations with appropriate levels of protection.

The good news is there are more antispam and antimalware solutions on the
market than there have ever been that are specifically designed for messaging
systems. Microsoft has even included several layers of antispam protection built
into Exchange Server 2010. As the industry moves forward, it seems that the more
noticeable trends are the managed security solutions. The managed security
solutions in the cloud are becoming more attractive to administrators who have
found the task of keeping pace with the exponentially growing threats to their
email systems more and more difficult to perform.