Service Description for Microsoft Forefront Online Protection for Exchange

Transcription

1 Service Description for Microsoft Forefront Online Protection for Exchange Published: March 2011 Summary: Microsoft offers fully hosted protection and message management services to enterprises worldwide. Microsoft Forefront Online Protection for Exchange runs on a globally distributed network of data centers through which it provides managed anti-spam, antivirus, and policy enforcement services to help create a secure, protected, and compliant message stream. This technical overview provides information about the Forefront Online Protection for Exchange service, along with the administrative controls and reporting capabilities that are built into the hosted service system.

2 Copyright This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes Microsoft Corporation. All rights reserved. 2

3 Contents Introduction... 5 Global Network... 5 Filtering Service... 6 Service Level Agreements (SLAs)... 7 Antivirus Service... 7 Layered Defenses Against Viruses... 7 Real-time Threat Response... 8 Fast Antivirus Signature Deployment... 8 Anti-spam Service... 8 Layered Defenses Against Junk IP Reputation Blocking... 9 Connection Analysis... 9 Reputation Analysis... 9 Junk Protection... 9 Additional Spam Filtering (ASF) Options... 9 IP-based Authentication Fingerprinting Non-Delivery Receipt (NDR) Backscatter Mitigation Rules-based Scoring Outbound Spam Filtering Accuracy and Effectiveness Accuracy Effectiveness Junk Mail Management Spam Quarantine Reviewing Spam in Quarantine Policy Enforcement Message Handling Phishing and Spoofing Prevention Extension Blocking

4 Custom Policy Rules Filters Directory-Based Edge Blocking Service Message Reject Reject Test Pass Through Passive Virtual and Parent Domains Group Filtering Intelligent Routing Inbound Address Rewrite Directory Synchronization Tool for Directory Services Automation Automatic Spooling Service Experience Deployment Administration System Requirements Enhanced Routing Scenarios FOPE Administration Center Differences Reporting and Analytics Message Trace Audit Trail Customer Support Assistance at Your Fingertips Announcements and Notifications Customer Support for Exchange Online customers Customer Support for Standalone customers To Use the Get Help Now Option Accelerate Time to Value with Implementation Project Managers (IPMs) Customer Support for Microsoft Premier Support Subscribers Conclusion

5 Introduction Electronic messaging is mission critical but remains vulnerable to a growing array of threats. Viruses, worms, denial-of-service attacks, spam, and the need to satisfy a growing set of regulatory requirements all make effective message management increasingly difficult. Microsoft Forefront Online Protection for Exchange is a fully hosted service for inbound and outbound s that can provide your organization with a frontline defense against spam, malware, and policy violations. Because it is a hosted solution, it also helps to simplify the management of your environment and alleviates the burdens of software and hardware maintenance. Forefront Online Protection for Exchange can be used in a stand-alone environment to protect mail for customers using any SMTP mail transfer agent on their premises. Forefront Online Protection for Exchange is also the default messaging security solution for Exchange Online customers. Unless otherwise specified in the document, this document describes the features of Forefront Online Protection for Exchange for both stand-alone and Exchange Online customers. Global Network Forefront Online Protection for Exchange is powered by a global network of data centers based on a fault-tolerant and redundant architecture and is load-balanced both site-to-site and within each data center. These datacenters are physically located worldwide. If a data center suddenly becomes unavailable, traffic is automatically routed to another data center without any interruption in service. Thousands of servers across the network of data centers can accept on your organization s behalf, providing a layer of separation between your servers and the Internet. Furthermore, Microsoft algorithms analyze and route message traffic between data centers to ensure the most timely and efficient delivery. Through this highly available network, Microsoft is able to deliver on its service level agreement of percent uptime. This approach, built on a distributed server and software model, has proven successful in helping protect corporate networks and servers from common threats, such as worms, denial-of-service attacks, directory harvest attacks, dictionary attacks, and other forms of abuse. All messages processed by Forefront Online Protection for Exchange are encrypted using Transport Layer Security (TLS). To help ensure privacy and message integrity, the service attempts to send and receive using TLS but will automatically rollover to Simple Mail Transfer Protocol (SMTP) if the sending or receiving server is not configured to use TLS. Organizations can also configure a secure mail flow with trusted partners using Forefront Online Protection for Exchange connectors. Using connectors, you can configure forced inbound and outbound TLS using self-signed or CA validated certificates. 5

6 Filtering Service Forefront Online Protection for Exchange offers five services that apply a unique blend of preventive and protective measures to help stop increasingly complex borne threats from infiltrating your organization, enforce your organization s policies, and maintain a reliable messaging environment: Antivirus Service: Helps protect your organization from receiving -borne viruses and other malicious code by using multiple antivirus engines and heuristic detection to minimize the window of vulnerability during emerging threats. Anti-spam Service: Helps ensure that unsolicited is automatically filtered before it enters your organization s messaging systems. Policy Enforcement Service: Provides the ability to custom create highly flexible policy rules to regulate flow for compliance purposes. Directory Based Edge Blocking Service: Provides the ability to specify all valid users on a domain or to configure different filtering settings for groups of users within a domain. Automatic Spooling: Helps ensure that no is lost by instantly and automatically queuing messages for later delivery if the receiving server is unavailable. Figure 2: Integrated security and filtering solution provided by Forefront Online Protection for Exchange These services easily interoperate with one another as a package and require little to no changes to be effective. Without any configuration, Forefront Online Protection for Exchange blocks more than 98 percent of unwanted and 100 percent of known viruses, reducing message traffic and improving the efficiency of your messaging infrastructure. A virus is 6

7 considered known when a FOPE virus scanning engine can detect the virus and the detection capability is available throughout the FOPE network. Additionally, you do not have to upload or maintain safelists to achieve this level of accuracy. The network performance and spam and virus filtering effectiveness of the Forefront Online Protection for Exchange service are reinforced by financiall backed service level agreements (SLAs). Service Level Agreements (SLAs) Forefront Online Protection for Exchange provides comprehensive SLAs that back network performance and the effectiveness of spam and virus filtering. The SLAs include: Policy filtering accuracy Virus detection and blocking: 100 percent protection against all known viruses Spam Effectiveness: Capture of at least 98 percent of all inbound spam messages False positive commitment of fewer than 1 in 250,000 messages For Forefront Online Protection for Exchange licensed as a standalone service, ECAL suite, Forefront Protection Suite, or Exchange Enterprise CAL with Services, the following additional SLAs apply: Network uptime: percent delivery: average delivery commitment of less than one minute For more information about how each of these SLAs is defined and calculated, visit Microsoft Volume Licensing ( The following sections provide an overview of each of the five services and how they work to help secure your organization s corporate messaging network. Antivirus Service Viruses, worms, and other forms of malware pose significant risk to your organization and can spread very quickly. At such a rate, there is almost no time to update desktop and gateway antivirus systems to ensure that your network and systems are protected. However, Forefront Online Protection for Exchange offers multi-layered virus protection using multiple engines that is designed to catch 100% of all known viruses. For Exchange Online customers antivirus scanning is performed by Forefront Protection 2010 for Exchange Server (FPE) on the Exchange Online servers rather than by Forefront Online Protection for Exchange. This ensures that all inbound, outbound, and internal messages for Exchange Online customers are scanned for viruses in a consistent manner. The 100 percent protection against all known viruses SLA still applies to Exchange Online customers. Layered Defenses Against Viruses Forefront Online Protection for Exchange employs a layered approach to offer protection from both known and unknown threats for inbound and outbound . Taking advantage of 7

8 partnerships with many industry-leading providers of antivirus technologies, Forefront Online Protection for Exchange uses multiple antivirus engines to help protect against viruses and other threats. The antivirus engines include powerful heuristic detection to provide protection even during the early stages of a virus outbreak. The multi-engine approach has been shown to provide significantly more protection than using only one antivirus engine. Real-time Threat Response During some virus outbreaks, the Forefront Online Protection for Exchange anti-malware team will have enough information about the virus or other form of malware to write sophisticated rules that detect the threat even before a signature is available from any of the antivirus engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks. Fast Antivirus Signature Deployment The Forefront Online Protection for Exchange team maintains close relationships with partners who develop antivirus engines, integrating each engine at the application programming interface (API) level. As a result, the service receives and integrates virus signatures and patches before they are publicly released, often working directly with the antivirus partners to develop virus remedies. The service checks for updated virus signatures for all antivirus engines every 15 minutes and applies them to the global filtering network within minutes. Anti-spam Service Left unchecked, spam can overwhelm your organization, destroying productivity and the benefits of this vital business communication tool. The sheer volume of spam, coupled with spammer creativity, leaves businesses with no option but to turn to technology to combat this ever-present threat. Forefront Online Protection for Exchange defines an electronic message as spam if all of the following apply: 1. The recipient s personal identity and context are irrelevant because the message is equally applicable to many other potential recipients. 2. The recipient has not verifiably granted deliberate, explicit, and still-revocable permission for the message to be sent. 3. The transmission and reception of the message appears to give a disproportionate benefit to the sender. Layered Defenses Against Junk Forefront Online Protection for Exchange achieves enhanced accuracy with proprietary, multilayer spam technology that helps ensure that unsolicited is automatically filtered before it enters your organization s messaging systems. There is no work or intervention needed by your users or IT administrators to incorporate the anti-spam technology. This technology is applied at the domain level or subdomain level; for example, XYZ.COM, US.XYZ.COM, and UK.XYZ.COM. 8

9 IP Reputation Blocking Forefront Online Protection for Exchange IP reputation blocking serves as the first line of defense against unwanted and blocks approximately 90 percent of inbound junk through connection analysis and reputation analysis. Connection Analysis Each connection to the Forefront Online Protection for Exchange network is monitored closely and evaluated based on the SMTP commands issued by the connecting server. Nonstandard connection requests that deviate significantly from Request for Comments (RFC) standards and spoofed connection attempts are immediately dropped, thereby helping to shield your network from these invalid connection attempts. Reputation Analysis Forefront Online Protection for Exchange reputation-based connection blocking employs a proprietary list that, based on analysis and historical perspective, contains the addresses of the most egregious spamming sources on the Internet. Through an ongoing partnership with Windows Live Hotmail, Forefront Online Protection for Exchange aggregates both consumer and corporate junk data to populate a comprehensive reputation database. Forefront Online Protection for Exchange also utilizes IP reputation information from other companies and ISPs to provide enhanced protection from suspicious IP addresses and botnet attacks. Spammers often create malicious websites which they use for phishing and to host malware; Forefront Online Protection for Exchange leverages a variety of sources to quickly update lists of known malicious URLs and update its content filters to block spam. Junk Protection If a message passes the Forefront Online Protection for Exchange edge blocking technologies, it must then pass five additional layers of anti-spam technology: Additional Spam Filtering (ASF) options, IP-based authentication, fingerprinting, non-delivery backscatter mitigation, and rulesbased scoring. Additional Spam Filtering (ASF) Options Many customers want more control over s that may contain obscene graphics, affect privacy, or attempt to trick users into disclosing sensitive information. Using filtering flags, ASF enables you to quarantine messages that contain various kinds of active or suspicious content. ASF filtering flags include: Image links to remote sites Numeric IP in URL URL redirect to another port URL to.biz or.info websites Empty messages JavaScript or VBScript in HTML Frame or iframe tags in HTML Object tags in HTML 9

10 Embed tags in HTML Form tags in HTML Web Bugs in HTML Apply Sensitive word list Sender Policy Framework (SPF) record hard failure From address authentication failure Blocking all non-delivery receipts (NDRs) for non-outbound customers Forefront Online Protection for Exchange uses a rules-based scoring system to add these and other characteristics to an overall score, which is used to determine if a message will be classified as spam. ASF rules give you the ability to explicitly select various content attributes of a message that either increase the message s spam score or mark the message as spam if it contains specific attributes. Each ASF filter can be engaged in test mode to measure its effectiveness before going live. For more information, see Rules-based Scoring. IP-based Authentication Forefront Online Protection for Exchange authenticates the identity of the sender of each message. If a message cannot be authenticated and the message is determined to be from a spoofed sender, it is more likely to be scored as spam. The service uses Sender Policy Framework (SPF), an industry standard that fights return-path address forgery by using SMTP Mail From identity in , making it easier to identify spoofs. SPF lookups help verify that the entity listed as the sender did indeed send the . For domains sending outbound through the filtering network, you can include spf.messaging.microsoft.com in your SPF record as well as your individual outbound server IP address. Fingerprinting When messages contain known spam characteristics, they are identified and fingerprinted ; that is, they are given a unique ID based on their content. The fingerprinting database aggregates data from all spam blocked by the Forefront Online Protection for Exchange system, which allows the fingerprinting process to become more intelligent and refined as more s are processed. If a message with a particular fingerprint passes through the system again, the fingerprint is detected and the message is marked as spam. The system continually analyzes incoming messages to determine new spamming methods (such as base64-encoded spam). The Forefront Online Protection for Exchange spam analysis team updates the fingerprint layer as new campaigns are detected. Non-Delivery Receipt (NDR) Backscatter Mitigation There are a number of causes for a surge in NDRs that might affect your environment. For example, one of the addresses for a domain may be affected by a spoofing campaign or be the source address for a directory harvest attack. Any of these issues could result in a sudden increase in the number of NDRs delivered to end users. NDR backscatter, which refers to the many messages received when an address is forged as the sender on spam, is a side effect of spamming attacks carried out using a spoofed sender address. The forged SMTP RFC2821 MAIL FROM: address points to a legitimate sender. In the event of a delivery failure, 10

11 the receiving MTA will send an NDR to the unsuspecting victim referenced on the spoofed Mail From: address. NDR backscatter is more than an annoyance, because it can carry a malicious payload and easily trick an unsuspecting recipient into opening it. For outbound filtering customers, logic is used to help detect NDRs that are legitimate bounce messages and these are delivered to the original sender without enabling the NDR Backscatter option in Additional Spam Filtering options. For outbound customers, intelligent detection of legitimate NDRs is enabled by default. The filter is implemented based on Bounce Address Tag Validation (BATV) technology in a simple, flexible, and secure way. Enabling the NDR Backscatter option in the Additional Spam Filtering Options in Forefront Online Protection for Exchange will filter all inbound NDR messages regardless of whether the customer is using outbound filtering, and regardless of whether the NDR is legitimate. Rules-based Scoring Forefront Online Protection for Exchange scores messages based on more than 20,000 rules that embody and define characteristics of spam and legitimate s. Points are added to the score if a message contains characteristics of spam; points are subtracted if it contains characteristics of legitimate s. When a message s score reaches a defined threshold, the message is flagged as spam. Message characteristics that Forefront Online Protection for Exchange evaluates and scores include: Phrases in the body and subject of the message, including URLs HTTP obfuscation Malformed headers client type Formation of headers (i.e., Message-ID, Received, random characters) Sending server Sending agent From and SMTP From address The current rules are modified and new rules are added as needed many times a day, every day, by the spam team. Bulk Mail Filtering Forefront Online Protection for Exchange (FOPE) identifies inbound bulk mail (such as advertisements and marketing s) by marking a stamp in the message headers. FOPE inserts the X-Forefront-Antispam-Report header into each message it scans. If a message is identified as a bulk mail message, FOPE inserts SRV:BULK into that header. Users can create a rule in their local client (such as Microsoft Outlook) that moves unwanted mail to their Junk Mail Folder based upon this stamp in the message headers. To learn how to create a rule in Outlook 2007, see Manage messages by using rules. 11

12 Administrators can create a rule on their mail server (such as Exchange Server 2007 or 2010) that moves all mail for all their users to the Junk Mail folder based upon this stamp in the message headers. To learn how to create Exchange transport rules, see How to Create a New Transport Rule. Outbound Spam Filtering All outbound messages that exceed the spam threshold are delivered through a Higher Risk Delivery Pool, which is a secondary outbound group of servers used to send messages that may be of low quality. This secondary pool helps protect the rest of your network from sending messages that are more likely to result in the sending IP address being blocked. The use of a dedicated Higher Risk Delivery Pool helps ensure that the normal outbound pool is only sending s that are known to be of high quality. The possibility of the Higher Risk Delivery Pool being placed on a third -party block list remains a risk. This is by design. The secondary server pool helps reduce the probability of the normal outbound server pool being added to a third-party block list. In addition, some third-party filtering agents will throttle mail where the sending domain has no address record (A record) and no mail exchange record (MX record). Such outbound mail, regardless of its spam disposition, is routed through the Higher Risk Delivery Pool. Accuracy and Effectiveness Ineffective spam filters frustrate users and expose your organization s computing environment to infection and possible data loss. Forefront Online Protection for Exchange simultaneously delivers high accuracy and effectiveness by both identifying spam and keeping it from reaching mailboxes on your network. As a result, you can help preserve the integrity of your organization s environment and communications, boosting productivity and improving total cost of ownership your system. Accuracy False positives are legitimate messages that are incorrectly identified as spam. They can be either legitimate bulk messages such as newsletters, person-to-person business communication, or personal messages. Through extensive monitoring, Forefront Online Protection for Exchange has found that its ratio of false positive messages is smaller than approximately 1 in 250,000 ( percent). Both end users and IT administrators can report false positives by submitting messages, with full Internet headers, to false_positive@messaging.microsoft.com. They can also report abuse by submitting messages, with full Internet headers, to abuse@messaging.microsoft.com. The spam analysis team examines each message and tunes the filters accordingly to prevent future occurrences. As a result, the service is constantly updating and refining the spam prevention and protection processes at a global service level. Any submitted items are evaluated at the network-wide level. 12

13 The Microsoft Junk Reporting Add-in for Microsoft Office Outlook is an optional tool that lets users easily report junk to Microsoft for analysis to help reduce the number and impact of future junk messages. The tool is compatible with Microsoft Office Outlook 2007 SP2 and higher and Microsoft Office Outlook For more information information about the Microsoft Junk Reporting Add-in for Microsoft Office Outlook tool see Junk Reporting Add-in for Microsoft Office Outlook ( Effectiveness Without tuning, Forefront Online Protection for Exchange can block 98 percent of spam directed towards your domain. However, configuring the ASF options and using policy rules (discussed in more depth in Policy Enforcement) can allow your organization to further customize spam filtering according to your needs, which may increase effectiveness. After the service identifies a message as spam, it manages the message in one of five ways, depending on your domain settings: Tags the message with an X-header Tags the message through a subject line modification; e.g. inserting <SPAM> in the subject line Redirects the message to a SMTP mailbox Quarantines and stores for review (default option for standalone customers) Availble in Exchange Online: sends the messages to your Outlook Junk folder (default option for Exchange Online customers) Junk Mail Management For Exchange Online customers, Forefront Online Protection for Exchange sends messages identified as spam to the end users Outlook Junk folder by default. This option is enabled by default because it provides an integrated end user experience in Outlook. End users do not need to go to a separate web page to manage junk mail. From Outlook or Outlook Web App, end users can also manage their junk mail and safe and block sender lists. This option is unavailable for standalone customers. Spam Quarantine Spam Quarantine is the most widely used option for storing spam because it relieves corporate servers of the need to process and store this type of . Additionally, the Spam Quarantine option lets users avoid sorting through spam messages, a convenience that ultimately improves employee productivity. You can also use policy settings to quarantine messages, so that users can later access the messages if needed. Spam Quarantine is the default option for standalone customers but is not enabled by default for Exchange Online customers. Exchange Online customers can enable this option in the Administration Center. Access to the quarantined s can be enabled for all users or it can be limited to only administrators. 13

14 Reviewing Spam in Quarantine Forefront Online Protection for Exchange provides a web-based interface for end users to view spam addressed to their accounts. Through this interface, users can recover (or salvage) spam they might want to read, as well as report false positives. Messages quarantined by Forefront Online Protection for Exchange are stored for 15 days and then, unless an action is taken on them, they are automatically deleted. Administrators can enable notifications, which are ed to users when they receive spam messages. The format of the message can be one of the following: Text notification: An in text format that includes a URL and brief instructions about how to log in to the spam quarantine and view messages. HTML interface: An with an HTML interface, as shown in Figure 3, that gives users a snapshot of the new spam messages delivered to their spam quarantine mailboxes. The will display all new spam messages since either their last notification or since they logged in to their spam quarantine account. Unlike the textbased , users can directly manage messages from within this HTML notification without logging in to their account. Figure 3: A sample spam quarantine reminder in HTML 14

15 Figure 4: The spam quarantine web interface Policy Enforcement The third service that Forefront Online Protection for Exchange offers is policy enforcement, which gives your organization the ability to automatically monitor outbound and inbound , stop sensitive or inappropriate messages from leaving and entering the corporate network based on the parameters you stet up, and allows specific senders to bypass spam filtering completely. You can create and enforce custom policy rules that are triggered by one or more of the following attributes: Words and phrases in the subject and body Message size Attachment type Number of recipients Sender and recipient addresses and domains IP address or domain name Header name and value You can create and edit policy rules in the Administration Center. You can specify the scope of the rule, the action the rule takes on a message, and the parameters that trigger the rule. You can also choose whether a rule will expire. You can specify the parameters that trigger a policy rule using either comma-separated values mixed with string-wildcard syntax (listed as Basic Syntax in the Administration Center and product documentation) or you can use a subset of characters specified in the Regular Expression syntax (listed as RegEx Syntax ). Using RegEx syntax, you can specify more complex expressions that match patterns of text, numbers, or special characters. Additionally, you can create plain text or HTML footers to all outbound messages (including reply messages). Examples of common footers include your company s name, 15

16 address, and contact information, or a required legal disclaimer. You can apply this feature at the domain level (Parent Domains or Virtual Domains). Message Handling Forefront Online Protection for Exchange offers many options for handling that is flagged by a policy rule, including: Reject the message Allow the message Quarantine the message for review Redirect the message to an alternate recipient or mailbox Deliver the message with BCC Force the use of TLS to deliver the message Test individual policy rules Encrypt the message using Exchange Hosted Encryption (available only for EHE subscribers) Decrypt the message using Exchange Hosted Encryption (available only for EHE subscribers) After a policy rule is enabled, messages that trigger the rule are handled according to the rule specifications. If you choose to quarantine messages for review, Forefront Online Protection for Exchange allows either users or administrators to review and release quarantined items at their discretion. The service also includes standard bounce options. If an is rejected or quarantined for not complying with content and policy rules, you can configure separate custom bounce messages for the sender, recipient, and administrator. The service also allows administrators to create policy rules that allow all inbound from specified IP addresses (safelists), even if those IP addresses are listed on the Reputation Block Lists (RBLs) that are used by the service. Multiple IP addresses can be added to a single policy rule as long as the IP addresses are separated by commas. IP address ranges or Classless Inter-Domain Routing (CIDR) formatted IP ranges are also supported for this feature. Phishing and Spoofing Prevention Policy filtering may be used to defend corporate networks from attacks and protect end users confidential information. For example, by detecting potential personal information in s exiting the organization, you can provide additional anti-phishing protection. The following regular expressions can be used as parameters that detect the transmission of personal financial data or information that may compromise privacy: \d\d\d\d\ \d\d\d\d\ \d\d\d\d \d\d\d\d (MasterCard, Visa) \d\d\d\d \d\d\d\d\d\d \d\d\d\d\d\d (American Express) \d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d (Any 16-digit number) 16

17 \d\d\d\-\d\d-d\d\d\d (Social Security Numbers) Spam and anti-phishing can be prevented by blocking inbound messages that appear to have been sent from your own domain. You can create a policy rule to reject messages from yourdomain.com sent to yourdomain.com to block this type of sender forgery. Important: Create this rule only if you are certain that no legitimate from your domain is sent from the Internet to your server. Extension Blocking The policy filter can be used to block or allow different attachment types. At a minimum, the following extensions should be blocked: EXE, PIF, SCR, and VBS. For increased protection, we recommend blocking some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, and wsh. Custom Policy Rules Filters By using the Filters repository, you can add and manage large lists of values for multiple policy rules. These lists of values are called Dictionaries and they can contain IP addresses, domains, addresses, keywords, and file names and extensions that you want to quickly use in various policy rules. Utilizing these lists can be faster than manually entering hundreds of keywords or addresses in the policy rule editor. These dictionary files can be imported to the Administration Center in.txt or.csv format. They can then be associated with a policy rule. Directory-Based Edge Blocking Service The fourth service in Forefront Online Protection for Exchange is Directory-Based Edge Blocking, which is a multifunctional service that improves message handling and routing for inbound message traffic. Directory-Based Edge Blocking is enabled by default for Exchange Online customers. For standalone customers the Forefront Online Protection for Exchange Filtering service normally processes all of the messages that are sent to any SMTP address within your domain. However, when you enable Directory-Based Edge Blocking and create a list of legitmate users, the service can block all , even messages that appear to be legitimate, but is sent to addresses that are not in your user list. Directory-Based Edge Blocking can be set to message reject, reject test, pass through, and passive. Message Reject The Message Reject feature rejects all , including spam and legitimate , at the network perimeter for any recipients not on the domain s user list. Therefore, if a message is 17

18 received for a recipient that is included on the user list, the message is processed according to the domain s settings. If however, a message is received for a recipient who is not included on the user list, then Forefront Online Protection for Exchange responds with a 554 error message, which reads as follows: smtp;554 <badaddress@contoso.com>: Recipient address rejected: Access denied). Reject Test The Reject Test feature validates the accuracy of a user list and is meant to be used for short periods of time. All for recipients not on a domain s user list is redirected to a specific address after filtering. Therefore, if a message is received for a recipient on the user list, the message is processed according to the domain s settings. If however, a message is received for someone not on the user list, that message is processed according to the domain s settings and delivered to the final address listed for the domain. Pass Through The Pass Through feature makes it possible to define a subset of users who are opted in for service evaluation purposes, while all others by default are opted out of all filtering services, even if all users share the same domain. Therefore, if a message is received for someone whose name is included on the user list (that is, the end user is opted in ), the message is processed according to the domain s settings. If, however, a message is received for someone not on the user list (that is, the end user is opted out ), the message bypasses spam, virus, and policy filters and is delivered to your organization s server directly. Note: The messages for users who are not present in the Pass Through list do not bypass the IP Reputation Blocks on the network edge Passive Passive mode on a domain allows you to configure Virtual Domains for that domain without needing to provide a user list for the Parent Domain. Virtual and Parent Domains Virtual Domains can be configured in order to provide group filtering, intelligent routing, or inbound address rewrite. A Virtual Domain is formatted like a subdomain, and can have its own filtering settings and configurations; however it is not an actual DNS mail domain. Virtual Domains allow you to apply different configuration settings to users who belong to the same domain. The domain to which the Virtual Domain belongs is called its Parent Domain. For example, for a Parent Domain called contoso.com, you can create a Virtual Domain called marketing.contoso.com. After creating a Virtual Domain, you can upload a subset of users who belong to the Parent Domain and then associate them to the Virtual Domain in order to customize service settings for that group of users. Users who have been assigned to the Virtual Domain will adhere to the domain settings that are set for the Virtual Domain. 18

19 Edge blocking options are not available for Virtual Domains. for a particular Virtual Domain is processed for all addresses that are included in an upload list for that Virtual Domain, as specified by the settings in the Administration Center. If is received for an address that is not listed in the upload list for the given Virtual Domain, it is processed according to the edge blocking settings for the Parent Domain. Group Filtering The Group Filtering feature provides the ability for different groups of users to have their own set of filtering rules, even if all users share the same domain. For example, your Human Resources department can have different filtering rules than the IT department. Each user included in the user list upload is associated with a group name. You can then create a Virtual Domain and configure it for each group name in the user list. Intelligent Routing The Intelligent Routing feature sends SMTP addresses to specific delivery locations based on group name and association, even if users all share the same domain. For example, the UK office can receive all mail for UK users at a specific location, one that is different than the destination for mail sent to U.S. users. As with Group Filtering, each user is associated with a group, and each group is associated with a Virtual Domain. Each Virtual Domain is then configured to redirect to specific servers within the organization. Inbound Address Rewrite The Inbound Address Rewrite feature rewrites the recipient addresses for specific users and delivers messages for those recipients based on the Virtual Domain IP Address Settings. For example, the HR department at Contoso needs to receive at hr.contoso.com, even though the delivery location may be the same as the main contoso.com domain. As in Group Filtering, each user is associated with a Virtual Domain. Each Virtual Domain is then configured to deliver to specific servers within the organization. Directory Synchronization Tool for Directory Services Automation The different Microsoft hosting products use different Directory Synchronization methods. The following describes the different synchronization methods for each product: Microsoft Office 365 Beta for enterprises: Use the Office 365 Directory Synchronization Tool. For more information about the Office 365 Directoy Synchronization Tool see Install the Microsoft Online Services Directory Synchronization tool ( Live@edu: Use the Outlook Live Directory Synchronization Tool. For more information about the Outlook Live Directory Synchronization Tool see Implement Outlook Live Directory Sync ( Business Productivity Online Suite Standard and Dedicated: Use the Exchange Online Directory Synchronization Tool. For more information about the Exchange Online Directory Synchronization Tool see About Directory Synchronization 19

20 ( f7b7.htm). Stand-alone: Use the FOPE Directory Synchronization Tool. For more information about the FOPE Directory Synchronization, see below. The FOPE Directory Synchronization Tool is an optional, lightweight application installed in your on-premises environment with access to your Microsoft Exchange Server. It simplifies the process of adding users to the service by collecting all valid addresses from your organization s Active Directory and Microsoft Exchange Server messaging environment and sharing them with Forefront Online Protection for Exchange. The tool also collects and shares safe senders as defined by end users. Using this feature helps to even further reduce the possibility of false positives and ensure minimal impact to legitimate communication. Figure 6 shows the components of the directory synchronization process and how it interoperates with Forefront Online Protection for Exchange. Figure 6: Flow and component details of the FOPE Directory Synchronization Tool The synchronization service reads the configuration file (in XML) at the interval specified, retrieves all SMTP addresses from Active Directory Domain Services (AD DS) for the specified domains, and sends the list to Forefront Online Protection for Exchange through Secure Sockets Layers (SSL). Transfer of the address list is contingent upon successful authentication, which uses the same administrative credentials used to log into the Administration Center. A web service running on the hosted network accepts the list and feeds the data to the Directory Services infrastructure, which distributes the list to the service s data center network every 15 minutes. 20

21 Automatic Spooling If your server becomes unavailable for any reason, Forefront Online Protection for Exchange helps ensure that no is lost or bounced. Forefront Online Protection for Exchange servers spool and queue for up to five days. After your server is restored, all queued is automatically forwarded in a flow-controlled fashion. In cases of extended downtime, can be rerouted to another server or made available through a web-based interface. The system can be set up to provide deferral threshold notifications in the event that cannot be delivered. For each domain in your company, you can set up multiple SMTP addresses to receive notifications of delivery delays for destined for your domain. Each entry can have its own individual threshold settings. These SMTP addresses must be for domains outside of the domain being configured. Figure 7: Service Experience Forefront Online Protection for Exchange is simple to deploy, easy to configure, and backed by experienced support organizations. The service, by default, is highly accurate and requires little tuning or optimization to enhance protection from spam and viruses. If you want to customize the filtering settings, you will find that the web-based administration console accommodates most filtering preferences. Around-the-clock technical support staff are available to assist in answering questions and helping with configuration settings. Also, implementation project managers (IPMs) are available for qualifying Forefront Online Protection for Exchange standalone accounts for the first 90 days to answer complex questions. Deployment Forefront Online Protection for Exchange is easy to deploy. You do not have to change your organization s existing infrastructure, or install and maintain any new hardware or software. Standalone customers can typically begin using hosted filtering services within 7 to 10 days from initial sign-up with a simple configuration change to DNS. Exchange Online customers are automatically provisioned with Forefront Online Protection for Exchange with their Exchange Online subscription. There is no hardware to provision; no software to buy, install, or configure; and no expensive training required for IT staff or end users. 21

22 Forefront Online Protection for Exchange requires only one MX record, which resolves to the service s network, allowing the IP address of the corporate server to remain hidden from DNS lookups. Your organization becomes invisible to spammers, because the DNS lookup points are located on the service s network instead of your organization s network. Therefore, you only accept inbound SMTP traffic from Forefront Online Protection for Exchange, which can help close a remaining vulnerability in your network firewall. In most scenarios, standalone customers can deploy Forefront Online Protection for Exchange in three steps: 1. After activation, add and configure your domains using the Administration Center. 2. Make a simple change to your MX record without the use of additional hardware and software. Your original MX record (such as mail.customer.com) is replaced with a pointer to the Forefront Online Protection for Exchange network. Over the following 24 hours, this change is propagated throughout the Internet and mail begins to flow through the Forefront Online Protection for Exchange network to your organization s servers hours after the MX record change, your organization s firewall is configured to accept inbound SMTP connections only from the Forefront Online Protection for Exchange data centers IP addresses. If the customer is using outbound services, its servers are configured to send all outgoing mail to the Forefront Online Protection for Exchange network. After your firewall rules have been restricted to only allow inbound SMTP connections from the IP addresses used by the Hosted Filtering service, we recommend that the SMTP server be configured to accept the highest number of concurrent inbound connections from the service that you feel comfortable with. If the server is sending outbound through the Hosted Filtering service, we also recommend that you configure the server to send no more than 50 messages per connection and to use fewer than 50 concurrent connections. Under normal circumstances, these settings will help ensure that the server has smooth and continuous data transfer to the service. Administration The Administration Center is a web-based console for defining and managing the settings and configuration for customer domains for Forefront Online Protection for Exchange. Typically, no configuration or oversight of the service is required; however, if you wish to customize the FOPE service, you may do so in the Administration Center. Authorized users can access the Administration Center at where they must enter their user name and password. Authorized Exchange Online users can access the Administration Center from the Mail Control tab of the Exchange Control Panel using single sign-on. During the implementation of Forefront Online Protection for Exchange, qualified customers are introduced to a comprehensive tutorial by an implementation project manager designed to familiarize administrators with the Administration Center console and tools. After the 22

23 walkthrough, you can access the Administration Center any time to define and edit a variety of rules and settings. Figure 8 shows the Information tab, which displays service announcements, network alerts, virus alerts and important information, such as new services, system upgrades, virus outbreaks, and patches. Additionally, the tab displays filtering reports at both the organization and network level. Figure 8: The Administration Center home page dashboard Additionally, the Advanced tab offers a consolidated view of all the companies managed by an administrator. This feature allows you to manage the filtering service of multiple organizations using a single set of credentials. This feature is available for resellers, administrators of organizations with a cross-premise scenario, and the delegated administrator of an organization with a delegated administrator set up. System Requirements To use the FOPE Administration Center, you must use one of the following Internet browseres: 23 Windows Internet Explorer 7, Internet Explorer 8, or Internet Explorer 9 Mozilla Firefox 3.5+ Apple Safari 5+ Google Chrome The Administration Center may be viewed in the following languages:

24 Simplified Chinese Traditional Chinese Danish Dutch English Finnish French German Italian Japanese Korean Norweigan Portuguese Portuguese (Brazil) Russian Spanish Swedish Enhanced Routing Scenarios The connectors feature in Forefront Online Protection for Exchange provides enhanced functionality and flexibility to help you route messages in new ways depending on your organization s requirements. There are six different mail flow scenarios you can implement with FOPE Connectors: Outbound Smart Host Scenario All or part of your outbound mail is routed through an on-premises server that applies additional processing before delivering mail to its final destination. Forced TLS Scenario Organizations can set up a secure mail flow channel with connectors that require mail communications be secured with transport layer security (TLS) or use a self-signed or CA-validated certificate. Inbound Safe Listing Scenario Add a partner organization s IP addresses to a safe list and mail from those specified IP addresses can be configured to skip FOPE s spam and policy filters. Shared Address Space with On-Premises Relay Scenario is hosted partially in the cloud with Exchange Online and partially on-premises while mail flow is controlled on-premise; MX record points to on-premises. Shared Address Space with FOPE Relay Scenario is hosted partially in the cloud with Exchange Online and partially on-premises while mail flow is controlled onpremises; MX record points to FOPE. 24

25 Internal Mail Flow Scenario is hosted partially in the cloud with Exchange Online and partially on-premises and internal mail sent between cloud and on-premises mailboxes skips FOPE filtering. An organization may choose to implement multiple mail flow scenarios, depending on their needs. Connectors are created and managed in the Administration Center. FOPE Administration Center Differences When accessing the Forefront Online Protection for Exchange Administration Center, certain features and settings are different between a FOPE standalone domain and an Exchange Online hosted domain. The following list describes those differences: In the Company tab, if you have a hosted domain rather than a standalone domain, you can view but you cannot change the value of the Outbound Mail Server IP Addresses setting. In the Domains tab if you have a hosted domain rather than a standalone domain: You cannot add, validate, enable, or delete domains. As a result, the Add Domains option is not viewable in the Tasks pane, and the Disable button is not viewable from Disabled Domains in the Views pane. This should be done in the Mail Control tab of the Exchange Control Panel. You can view but you cannot change the value of the Mail Delivery Settings (Mail Server Addresses and Outbound Mail Server IP Addresses settings). This should be done in the Exchange Control Panel. The Catch-all domains, Outbound filtering, Spam filtering, and Virus filtering settings are not configurable in the Domain Settings pane. When transferring domain settings via the Transfer Domains dialog box, the IP addresses and Virus filtering notifications options cannot be transferred because the IP addresses point to Exchange Online and virus filtering notifications are sent by FPE rather than by FOPE. Reporting and Analytics The Administration Center provides access to a set of comprehensive reports that provide detailed statistics about your organization s traffic. Reporting on an occurs near real time after the enters the Forefront Online Protection for Exchange network, usually within 15 minutes. Reports can be generated by domain or by organization (including all domains) and provide information such as the percentage of inbound flagged as spam, top users, messages encrypted, viruses blocked, and overall volumes. Figures 9 and 10 show some sample reports that are available. Measured on a regular basis, these reports are a valuable tool for gaining insight and control of any customer system. 25