Microsoft Forefront Online Protection for Exchange Deep Dive

Conor Morrison
Senior Program Manager
Microsoft

SIM334


Agenda and Session Objectives

Agenda
• Microsoft® Forefront™ Online Protection for Exchange (FOPE) Overview
• FOPE Support and Service Level Agreements (SLAs)
• FOPE Architecture
• Managing FOPE in your Organization – Best Practices

Session Objectives
• Understand in detail what happens to mail as it passes through FOPE
• Understand some best practices for using FOPE
• Understand the benefits and best practices for integrating Forefront Protection for Exchange and FOPE

The Importance of Email Protection

Email Protection

More than 95% of email is spam
• Obnoxious and time wasting at best
• Dangerous and criminal at worst
• The remaining 5% can be business critical

Mail protection is a must-have
• If your protection solution dies, you can’t reach your customers – and they can’t reach you

Why FOPE for Email Protection?

FOPE is the largest commercial Online service at Microsoft with >8M deployed seats

Comprehensive Protection

• Multi-Engine Antivirus and multi-layered, continuously evolving Anti-spam

• In the Leader’s quadrant in the 2010 Gartner MQ for Secure Email Gateways

Enterprise Class Reliability

• Scales to meet the needs of virtually any enterprise via globally load-balanced datacenters

• Helps ensure that no email is lost or bounced with automatic spooling

• ISO 27001 certified

• 24x7 phone support; Free 90 day IPM support for >1000 seats

Reduced Costs

• Saves time on anti-spam management, freeing up network and server resources

• Saves costly bandwidth by delivering only clean mail to your corporate network

• Reduces up-front capital investment via a predictable, subscription-based payment

Financially backed SLAs

• Filtering Accuracy
  • 100% Known Virus Protection
  • 98% Spam Email Detection
  • <1 in 250,000 Emails False Positive Ratio

• Filtering Network Performance
  • 99.999% Network Uptime
  • Rapid Email Delivery (Average delivery commitment of less than 1 minute)

Customer Testimonials

Clifford Chance – one of the largest law firms in the world saw a 59% reduction in infrastructure costs; 20–30 mail gateways down to 4

Johnstons of Elgin – stopping over one million messages a day and reducing bandwidth by 1.5 gigabytes (GBs)

Edinburgh Napier University – 93% reduction in administration burden; 85% spam reduction over the previous solution

International Speedway Corporation – Reduced spam incidents by 25% and avoided costs of more than $120,000

Sunbelt Rentals – reduced help-desk calls, saved IT management time, improved productivity, and reduced costs over the previous solution

FOPE Overview


FOPE Core Product Capabilities

Connection Filtering
• Connection Analysis (IP-based edge blocks)
• Reputation Analysis and Protection

Connection Management and Routing
• Load balanced delivery with multi-SMTP Profiles
• Control over routing and transport level security using new FOPE Connectors

AntiVirus
• Protect businesses from receiving and sending email-borne viruses
• Multiple engine support
• Heuristics support

Anti-Spam
• Detect and act on spam before it reaches the corporate network
• NDR Backscatter Support
• Outbound spam detection and mitigation

Policy
• Custom policy rules to regulate email flow based on business need
• Policy-based encryption (for EHE subscribers)
• RegEx pattern matching and custom dictionary support

FOPE Support and Service SLAs

FOPE Support

Four tiers of support:
• Tier 1 – responding directly to calls, web requests
• Tier 2 – for escalations or requests that require more privilege
• Tier 3 (Operations) – for troubleshooting potential production and infrastructure issues
• Tier 4 (Engineering Team) – for troubleshooting potential code issues

• Response within 24 hours, if not sooner
• Available via phone and Web submission
• Get Help Now link from the FOPE Administration Center
• Translation services available

Onboarding support includes an Implementation Project Manager for new customers with 1000 or more seats.

FOPE Service Level Agreement (SLAs)

Filtering Network Performance
• Network Uptime: > 99.999%
• Rapid Email Delivery: average delivery commitment of less than 1 minute for 95th percentile
• Actual Performance: 99.999%+ network uptime; 5–15 seconds delivery

Spam and Virus Filtering Effectiveness
• 100% Known Virus Protection
• > 98% Spam Detection
• < 1:250,000 False Positive Ratio
• Actual Performance vs. SLA: spam effectiveness >99% of spam caught; around 1 in 480,000 false positives

FOPE Architecture Deep Dive

Truly Shared Architecture

• No PODs, no segmentation, no clusters
• Lots of copies and clear logic/data separation
• Spam attack versus one customer? Every FOPE server is at your service
• Network geo-diversity
• Whole data center (DC) having problems? Capacity to handle historical peak traffic with major DC out. Take DC ‘offline’, no service impact
• Regular mail flow is not interrupted

[Diagram labels: Internet; Mail.messaging.microsoft.com; FOPE Datacenters]

Health Checking and Proactive Load Balancing

• System Center Operations Manager is used throughout the service
• Custom ‘heatmap’ shows up-to-the-minute status at a glance across all machines
• Alerting and datacenter automation tools used to resolve issues ahead of customer impact

Pushback application load balancing
• Servers can request to be taken ‘offline’ if they are having issues
• Effectively enables application-level load balancing transparently to the customer
• Avoids FOPE Exchange Edge ever going into ‘backpressure’.
• Central “brain” uses global data to accept or deny requests
• Prevents the entire service from going out of rotation at once

FOPE Architecture – Inbound Mailflow

[Diagram: inbound mail flow. Recoverable labels:]

• Email enters the global data center network – MX (mail.messaging.microsoft.com)
• Spam Prevention
• IP-based edge blocks
• Envelope blocks
• SMTP Reject: 55x
• Directory Services
• Look up email filtering settings for domain
• Connector settings
• Sync
• Virus Scanning: Kaspersky, Symantec, Authentium
• Policy Enforcement: Custom Policy Rules; Attachment and message attribute management
• Spam Protection
• Safe senders
• Additional Spam Filter management: Rules Based Scoring; Fingerprint Engines
• Content and Policy Quarantine
• Spam Quarantine
• Queue
• If server down, email queued for up to 5 days
• Delivered in a flow-controlled fashion when server is available
• Corporate Network
• Spam Analysts
• Customer Feedback
• False +ve / -ve

FOPE Architecture – Outbound Mailflow

[Diagram: outbound mail flow. Recoverable labels:]

• Corporate Network
• Look up email filtering settings for domain
• Virus Scanning: Kaspersky, Symantec, Authentium
• Policy Enforcement: Custom Policy Rules; Attachment and message attribute management
• Spam Protection
• Custom Spam Filter management: Rules Based Scoring; Fingerprint Engine
• Content and Policy Quarantine
• High Risk Delivery Pool: Score >= 30
• Outbound Pool: Score < 30
• Safe senders
• Spam Analysts
• Encryption*
• SPF
• Internet

Managing FOPE in your Organization

Best Practices

Demo

Additional Spam Options

Enable Additional Spam Filtering Options to:
• Increase a message’s spam score
• Mark as spam

Recommended
• Images from remote sites
• Numeric IP in URL
• Empty messages

False Positives

• “No False Positives” a deep part of FOPE team culture
• Rigorously evaluate all designs for false positive risk
• “Not Junk” button in spam quarantine
• ~6,500 confirmed false positive submissions/week
• Junk Email Reporting Add-in for Microsoft Outlook
• Self-serve tools for customers
• Per-customer IP Block List Exceptions
• Exchange/Outlook SafeSender support

Policy Filtering

• Create custom “Policy Rules” that automatically take action on mail based on Admin-defined triggers
• Actions include Reject, Allow, Inbound Quarantine, Force TLS, Redirect, Deliver with Bcc, and Test
• Encrypt and decrypt are available for Exchange Hosted Encryption subscribers
• Triggers can include header, sender, recipient, attachment, keywords, phrases, etc.
• Block EXE, PIF, SCR and VBS extensions.
• Block ‘executable content’ as attachments (regardless of extension type)
• Basic and regular expressions support
• Best Practice: Check for outbound PCI/PII and inbound phishing attempts
• Custom dictionaries
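
An added example, not part of the original slides and not FOPE's own rule engine: a Python illustration of the policy checks listed above (extension block list, executable content regardless of extension, outbound card-number detection). The magic-byte signatures, the card-number regex with Luhn validation, and all function names are assumptions; the sample message is constructed.

```python
import re
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".pif", ".scr", ".vbs")   # extensions named on the slide
EXEC_MAGIC = (b"MZ", b"\x7fELF")                 # assumed signatures: PE/DOS and ELF
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # assumed pattern for card numbers

def luhn_ok(digits):
    """Luhn checksum; weeds out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                           # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def evaluate(msg, outbound):
    """Return the policy triggers a message hits; an empty list means allow."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(BLOCKED_EXT):
            hits.append("blocked-extension:" + name)
        elif data.startswith(EXEC_MAGIC):        # content check, name is ignored
            hits.append("executable-content:" + name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if outbound:                                 # PCI check applies to outbound only
        for m in PAN_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append("pci-card-number")
                break
    return hits

def sample_message():
    """Constructed sample: PE header behind a .pdf name, a .VBS file, a test PAN."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "user@contoso.com", "partner@litware.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Order 1234567890123. Card on file: 4111 1111 1111 1111.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="notes.VBS")
    return msg

if __name__ == "__main__":
    print(evaluate(sample_message(), outbound=True))
```

The 13-digit order number in the sample matches the regex but fails the Luhn check, which is why pattern-only PCI rules tend to need a checksum step to keep false positives down.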

Create or Edit a Policy Rule

Advanced Reporting

• Access reporting data from your FOPE service
• Create and view reports in the Admin Center
• 4 Available Reports:
  • Email Traffic Report
  • Top Viruses Report
  • Deferral Report
  • Top Users Report

Enable scheduled report delivery: emails the report on a one time, weekly, or monthly basis

Near Real-Time Message Trace

Search for specific messages using the following criteria:
• Sender
• Recipient
• Date
• Message ID

Results will tell you:
• If and when the message was received by FOPE
• Whether the message was scanned, blocked, or deleted
• Whether the message was delivered successfully

Near Real-Time Message Trace (cont.)

Managing FOPE in your Organization

Hybrid Messaging Protection: FOPE + FPE

Antivirus and anti-spam protection for Exchange Server 2010/2007 Server Roles

Forefront Online Protection for Exchange (Online)
• Anti Malware: Symantec, Authentium, Kaspersky
• Anti-spam: Inbound Messaging Hygiene, Stop Foreign Spam, Outbound Spam Mitigation
• Management: Anti-spam Feedback Loop, Message Tracing, IT Admin Improvements

Forefront Protection 2010 for Exchange Server (On-Premises Software)
• Anti Malware: MS AV + AntiSpyware, Kaspersky, Authentium, Virus Buster, Norman
• Anti-spam: Internal mail filtering, Industry-leading 3rd party content filtering
• Management: Forefront Protection Server Management Console

[Diagram labels: Internet; SMTP; Exchange Server – Edge Role, Hub Role, Mailbox Role]

FPE Sync to FOPE

• Sync DNSBL
• Sync safelist
• Sync blocklist
• Quarantine in service or on premise

And more with FPSMC

FOPE Connectors: Flexibility and control in mail routing

• Route outbound email through on-premises servers or DLP appliances
• Force TLS for secure B2B communication
• Bypass spam filters for trusted partners
• And much, much more…

[Diagram labels: Outbound smart host; DLP appliance; Forced TLS; Inbound safe listing; nwtraders.com; litware.com; contoso.com; External recipients]

Best Practices

• Apply strong password policy for user login to Admin Center
• Use Directory Sync to upload your valid recipients
• Use Quarantine for Spam and Policy
• Use ‘Not Junk’ in quarantine to report false positives
• Use Junk e-mail reporting plugin for Outlook
• Use ‘Additional Spam Filters’ to tighten up checks for spam.
• Opt in to NDR backscatter blocking
• Configure policy filter for:
  • Extensions: EXE, PIF, SCR, VBS
  • Check for outbound PCI / PII and inbound phishing attempts
• Use FOPE for Outbound
• Configure your SPF record
• Use Message Trace to troubleshoot mail issues
• Synchronize FPE settings with FOPE

Takeaways

• FOPE service provides leading protection against mail threats and is backed by industry-leading support and SLA
• FOPE Architecture is built to scale and maintain high reliability
• Research and apply best practices to further improve protection
• FOPE + FPE provides great defense in depth and can be configured to keep settings in sync

Questions?

Additional Resources

Related Sessions
• SIM331 Microsoft Forefront Online Protection for Exchange and Microsoft Office 365: Better Together!
• SIM333 Centralized Management of Anti-Malware/Anti-Spam Using Microsoft Forefront Protection Server Management Console

Links
• Forefront Site: http://www.microsoft.com/forefront/
• Forefront on TechNet Library: http://technet.microsoft.com/en-us/library/ff684056.aspx
• Forefront Videos on TechNet Edge: http://technet.microsoft.com/en-us/edge/ff832960.aspx?category=Forefront


© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.