Microsoft Forefront Protection for Exchange 2010 Features in brief

Saturday, April 7, 2012 | AKRAMUZZAMAN at 8:29 AM |

Microsoft Forefront Protection 2010 for Exchange Server

5 out of 12 rated this helpful Rate this topic

  Applies to: Forefront Protection for Exchange


Microsoft Forefront Protection 2010 for Exchange Server (FPE) provides fast and effective protection against malware and spam by including multiple scanning engines from industry-leading security partners in a single solution. FPE provides customers with an easy-to-use administration console that includes customizable configuration settings, filtering options, monitoring features and reports, antispam protection, and integration with the Forefront Online Protection for Exchange (FOPE) product. If you have installed FPE on multiple Exchange servers, such as in an enterprise, you can manage them with the Microsoft Forefront Protection Server Management Console (FPSMC). Additionally, you can use Windows PowerShell, a command-line shell and task-based scripting technology that enables the automation of system administration tasks, to administer FPE.

The technical documentation for FPE is grouped into the following categories:

• Release Notes
  Use this documentation to learn important information regarding the current version of FPE and the FOPE Gateway.

• Planning and Architecture
  Use this documentation to plan your deployment and operation of FPE.

• Deployment
  Use this documentation to install and deploy FPE.

• Operations
  Use this documentation to learn how to configure and operate FPE.

• Technical Reference
  Use this documentation for technical reference information that pertains to FPE.

• Troubleshooting
  Use this documentation to learn how to troubleshoot issues with FPE.

Management pack for Microsoft System Center Operations Manager 2007
Use this documentation to learn how to monitor your system with Microsoft System Center Operations Manager 2007

Introduction

There are many choices being made in the Enterprise IT space today when it comes to Secure Messaging. As your organization charts its course which could vary from anything like a cloud offering such as Office 365 or Google Apps, to an on-premises Exchange 2010 Enterprise deployment, an important consideration is how the content is being protected, filtered and scanned. Many organizations have built up a large stack of tools to provide anti-spam, anti-virus, reputation analysis, as well as all sorts of other capabilities in their current environment. These solutions can add complexity and additional cost to a messaging environment. A new deployment of Exchange is a perfect opportunity to stop and look at the big picture, but an in-place upgrade or replacement of messaging security products may make sense as well. With that in mind, this month we’ll take a look at Microsoft’s Forefront Protection for Exchange (FPE) 2010. The name of the product is somewhat misleading, as there are versions of the product to support Exchange environments anywhere from Exchange 2003 to Exchange 2010, so don’t stop reading just because you’re not on the latest and greatest Exchange.

Why Forefront Protection for Exchange?

Forefront Protection for Exchange (FPE) 2010 is based on technology that Microsoft acquired six years ago from a company called Sybari. They’ve integrated it into their Microsoft product line and solutions architected by Microsoft partners for new Exchange deployments and Exchange migrations often include FPE. Microsoft has also done a great job of incorporating FPE into a number of product suites and licensing vehicles, including the Forefront Protection Suite, the Enterprise Client Access License (CAL) Suite and the Exchange Enterprise Client Access License. In short, it’s likely that most enterprise organizations already have access to FPE through an existing licensing vehicle. Since you might already have FPE, this in itself is a compelling reason to consider FPE. FPE can also be obtained by itself if an organization does not have one of these packages already.
FPE provides a better mousetrap for anti-virus and anti-spam for Exchange. The basic premise for use of FPE is that it offers 5 engines for use inside of the product, which can be mixed and matched or even deployed in parallel for a more ‘defense in depth’ approach to securing content. In comparison, other products offer a single scan engine to analyze and remove e-mail containing malicious content for Exchange. These single scan products can be viewed as a ‘single point of failure’. By limiting your Exchange environment by only using a single anti-virus vendor (with a single engine) in multiple locations (client, e-mail, gateway, etc.), a large blind spot still exists when trying to protect against late breaking zero-day attacks..

Forefront Protection for Exchange: Features and Functionality

FPE is natively built for the Windows Server platform; installation and initial configuration of the product was a breeze. The installer experience and the UI is very familiar and comfortable for anyone that’s used to working with the common Microsoft server and tools product interface (See Figure 1).
Another benefit for FPE is the support due to the fact that you already have Microsoft Exchange, Server, etc. This benefit means that you will not have to spend any money on support, which you most likely are having to do with your current third-party solution. Also, since the same support specialist knows both FPE and Exchange, you will have a unified front for getting your problems solved more efficiently.

Figure 1: FPE 2010 Console View. Source: wardvissers.nl
Of course, FPE also offers a number of core features, including anti-spam and anti-virus protection. FPE builds on top of the base anti-spam capability that’s integrated into Exchange. If you have had to use a third party solution due to the limited functionality of Exchange anti-spam alone, you might find the FPE multi-tier solution sufficient enough to eliminate your third party solution. The FPE multi-tiered strategy for anti-spam looks like this:

• 99% detection rate with 1:250,000 false positive rate (these numbers are verified by West Coast Labs, an independent testing group). For example, this level will has detected spam messages ranging from pharmaceuticals to money laundering scams that were gathered in a Hotmail mailbox were handily detected by this signature-based filtering.
• Additional innovation like DNS block list support, backscatter filtering and other anti-spam capabilities that have been sorely missing from the base Exchange anti-spam portfolio.
• FPE has added real-time from Cloudmark. This is an extremely sophisticated spam filtering engine that incorporates a number of heuristics and signature-based detection methods to identify spam.

With this combination of features, you will most likely find that there is no difference in spam detection between FPE with or without an additional anti-spam appliance. See Figure 2 for configuration options available in FPE.

Figure 2: Forefront Protection for Exchange anti-spam configuration



FPE also provides attachment filtering, enforcing inbound and outbound e-mail policies. It has the ability to inspect archive files and enforce policy with them as well. The granular control of applying policies to just inbound, just outbound or both inbound and outbound flowing mail comes in handy. Also, FPE has the ability to filter and scan content based on MIME (multipurpose Internet Mail Extensions) type as well as by actual file name; this allows for filtering of an MP3 file that’s renamed to a TXT file, for example. FPE also has the ability to delete encrypted archive files if the administrator so chooses since it cannot open them and inspect them for policy violations or potential malware.

Architecture

You will want to install FPE on every Exchange server you have! You have three different options for FPE during installation:

• Edge Transport Role - This role sits on the network edge and provides inbound and outbound SMTP services for an organization. The Edge Transport role of Exchange/FPE typically does not reside in an Active Directory domain and has a minimized footprint to reduce attack surface. With 5 engines enabled on the Edge Transport, this role will ideally strip out the majority of the malware and inappropriate content coming into the environment.
• Hub Transport Role – This role provides internal routing services between Exchange users sending or receiving mail. Even two internal users sending mail to each other will have their mail pass through a Hub Transport Role. With 3 or 4 engines enabled on the Hub Transport, this role will ideally catch any internal policy violations or perhaps malware that’s attempting to propagate internally.
• Mailbox Role. -  This role provides Exchange mailbox services for Outlook clients to interact with. The Mailbox role is often the most heavily utilized in an Exchange environment; as a result, perhaps 1 or 2 engines enabled on the Mailbox will provide for a solid baseline of protection without impacting client performance in a perceptible way.

Since the Unified Messaging and Client Access server roles do not process mail, FPE is not required on those roles. FPE can be tuned precisely in your environment and Microsoft provides a lot of guidance on specific scenarios in the Forefront Protection for Exchange User Guide. I recommend that you filter with all 5 engines at the Edge Transport, 3 or 4 engines on the Hub Transport and 1 or 2 engines on the Mailbox role. Since the scanning jobs are different for in-transit mail versus mail at rest in the Information store, it’s important to do performance tuning and measuring; in one virtualized Exchange instance FPE was able to tax the environment by enabling all 5 engines with real-time mailbox scanning turned on. Allocating another 2GB (4GB total) to the environment seemed to improve things marginally.