Date posted: 26-May-2015
Category: Technology
Uploaded by: fabrizio-volpe
Secure Mail Relay
Mail protection
Full-featured SMTP hygiene
Exchange Edge Transport for SMTP stack
Requires valid license
Integrated with Microsoft® Forefront™ Protection 2010 for Exchange Server
Antimalware
Antispam
Antiphishing
Also supports generic SMTP mail servers
Benefits of an e-mail policy with Forefront TMG
Protection at the edge, saving processing resources, bandwidth, and storage
Integrated management—When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES
Extended management—Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments
Native support for Network Load Balancing (NLB)—Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic
Features
Protection at the edge
Protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server
Advanced protection and premium antispam
Multiple scan engines to protect against malware and provide a premium antispam solution
Integrated management
Easy management of Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG
Array deployment
Support for managing and load balancing traffic among multiple servers
Forefront Protection for Exchange and Mail Flow
Mail is received from an external client
Firewall rules are applied
FPE performs its checks at the edge and applies a «stamp»
The message passes from Edge to Hub through the firewall
The rules are checked again
If FPE is present on the Hub, it is triggered only when no stamp is present
AV and anti-malware stamp check
Forefront Protection and Exchange Roles
FPE can be implemented on a single-role machine or on a machine that includes three roles.
The configuration options that FPE allows you to implement will vary according to the role for which it was implemented.
FPE does not support installations on a CAS-only role because there is no workload to protect.
NOTE: If you have multiple Exchange servers, you can install and configure FPE on a single Exchange server and later export and import the configuration settings to your other Exchange servers. However, you must install FPE on each separate server before you can import the configuration settings.
To export the configuration file to an .xml file:
Export-FseSettings -path c:\ConfigSettings\Export.xml
To export all extended options:
Get-FseExtendedOption -name * >> c:\ConfigSettings\Extended.txt
Forefront Protection Processing Decision
The user also has a direct influence on the message’s acceptance, based on the local rules created in Outlook.
Next, the content analysis determines whether there is any anomaly in the e-mail body that matches any configured policies.
In the protocol analysis, another set of tests is performed, such as a test to determine whether the sender is listed as allowed or blocked.
The source analysis performs various tests, such as determining whether the source IP is allowed or if it belongs to a block list.
Centralized administration interface
The components
Microsoft Products
Forefront Protection 2010 for Exchange Server
Microsoft® Exchange Server® 2007 (or 2010) Edge Transport
Forefront Threat Management Gateway
Windows Server® 2008 x64
Features
Feature, Exchange Edge Role, FPE 2010, Filter
Connection Filter
• IP Allow / Block Lists (custom)
• IP Allow / Block List Providers (FF DNSBL)
Protocol Filter
• Sender / Recipient Filtering, Sender ID
• Sender Reputation
Content Filter
• Basic Content Filtering (SmartScreen)
• Premium Antispam (Cloudmark)
File Filtering
Message Body Filtering
Antivirus and Antispyware
Forefront TMG cannot manage Subject Line, Sender-Domain, or Allowed Senders in FPE
SMTP protection configuration
Installation
In each member of the Forefront TMG array:
Install Active Directory® Lightweight Directory Services (AD LDS)
Install Exchange Server 2007 SP1 (or 2010) Edge Transport role
Install Forefront Protection 2010 for Exchange Server
Install Forefront Threat Management Gateway 2010
Detail: Edge Transport Server installation
• Install the prerequisite software: open the \Scripts directory on the installation media and enter the following command:
ServerManagerCmd.exe -InputPath Exchange-Edge.XML
• Install the Edge Transport Server
• Configure the EdgeSync Service: open an Exchange Management Shell and enter the following command:
New-EdgeSubscription -FileName C:\Edge-TMG.XML
• Copy the Edge-TMG.XML file to the internal Hub Transport Server and import it there: open an Exchange Management Shell and enter the following commands:
$Temp = Get-Content -Path "C:\Edge-TMG.xml" -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $Temp -Site "Default-First-Site"
Start-EdgeSynchronization
Detail: Forefront Protection for Exchange installation
Choosing to Enable Antispam now will disable Exchange’s content filtering agent, if it is currently enabled. Uninstalling FPE will not re-enable Exchange’s content filtering agent; re-enabling the filtering agent must be done manually.
Configuration
Run e-mail policy wizard
Configure SMTP routes
Configure spam filtering
Configure virus and content filtering
Enable and configure EdgeSync
E-Mail Policy Wizard
Set the internal server and the domains for which you are authoritative
Almost every option is configured for you without additional configuration, except content filtering: do not go below 6 in content filtering or most e-mails will be blocked
Note: exceptions to HTTPS inspection
Creating SMTP Routes
Defines how Forefront TMG routes traffic from and to the organization SMTP servers
At least two routes required:
Internal_Mail_Servers defines the IP addresses and SMTP domains of the internal mail servers
External_Mail_Servers defines which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail
Each SMTP route has an e-mail listener which responds to mail requests from permitted IP addresses and networks.
Creating routes
[Diagram labels: Internal Network, External Network, TMG Filter Driver, Network Inspection System (NIS), Exchange Edge Role, Receive Connector, Send Connector, Forefront Security for Exchange (FSE), Multi-layer Filters, Anti-virus Engines]
Spam Filtering
The anti-spam solution on FPE is composed of four major detection pillars:
Source
Protocol
Content
Client analysis
To configure these options, under the Antispam option, click Configure. You can run the Windows PowerShell command Set-FseSpamFiltering -enabled $true on the Forefront Management Shell to enable the Antispam feature. This process requires you to restart the Microsoft Exchange Transport service. Another way to enable the Antispam feature is by clicking Enable Antispam Filtering
Spam Filtering configuration
Defines spam filtering policy
Connection-level filtering
• IP Allow List
• IP Allow List Providers
• IP Block List
• Block List Providers
Protocol-level filtering
• Configuring Recipient Filtering
• Configuring Sender Filtering
• Configuring Sender ID
• Configuring Sender Reputation
Content-level filtering
Spam Filtering - Connection-level Filtering
Spam Filtering - IP Allow List
The IP Allow List allows you to add one or more IP addresses that are considered trusted and should always be allowed to send e-mail. You can use this option, for example, in a scenario where you have partners that you want to categorize as trusted sources of e-mail and therefore allow them to send e-mail without passing through the normal SMTP filters. This feature is enabled by default on the Spam Filtering tab.
Spam Filtering - IP Allow List Providers
You can use the IP Allow List Providers dialog box to maintain a list of IP addresses that are known to not be associated with any type of spam activity.
The IP Allow List Providers feature is also referred to as safe list services.
This feature is enabled by default on the Spam Filtering tab.
Spam Filtering - IP Block List
In contrast with the IP Allow List, the IP Block List allows you to add one or more IP addresses that should never be allowed to establish an SMTP connection with TMG.
You want to block this IP during the connect phase (the initial attempt to establish the SMTP connection).
Spam Filtering - IP Block List Provider
You have the capability to add the providers that are known (or suspected) to send spam.
This option is enabled by default and you can change the status in the Status drop-down box.
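How the four connection-level lists could be consulted for one connecting IP address, as an added Python example (not code from the slides or from Microsoft). The list contents, the provider zones safelist.example and dnsbl.example, the in-memory stand-in for DNS, and the evaluation order are assumptions of this example.

```python
import ipaddress

# Constructed sample data: documentation address ranges, hypothetical zones.
IP_ALLOW_LIST = [ipaddress.ip_network("192.0.2.0/29")]       # trusted partner
IP_BLOCK_LIST = [ipaddress.ip_network("198.51.100.66/32")]
ALLOW_PROVIDERS = ["safelist.example"]
BLOCK_PROVIDERS = ["dnsbl.example"]
# Stand-in for DNS: query name -> A record a list provider would answer with.
FAKE_DNS = {
    "9.113.0.203.dnsbl.example": "127.0.0.2",
    "20.2.0.192.safelist.example": "127.0.0.1",
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def provider_query(ip, zone):
    """Name looked up at a list provider: reversed IPv4 octets + zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def listed_by(ip, zones, resolve=FAKE_DNS.get):
    """Return the first zone that answers inside 127.0.0.0/8, else None."""
    for zone in zones:
        answer = resolve(provider_query(ip, zone))
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            return zone
    return None

def connection_filter(client_ip):
    """Decide at connect time; order of checks is this example's assumption."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        return ("continue", "IPv6 is not modelled in this example")
    if any(ip in net for net in IP_ALLOW_LIST):
        return ("accept", "IP Allow List")
    if any(ip in net for net in IP_BLOCK_LIST):
        return ("reject", "IP Block List")
    zone = listed_by(ip, ALLOW_PROVIDERS)
    if zone:
        return ("accept", "IP Allow List Provider " + zone)
    zone = listed_by(ip, BLOCK_PROVIDERS)
    if zone:
        return ("reject", "IP Block List Provider " + zone)
    return ("continue", "not listed; later filters still apply")
```

An "accept" result here models the bypass of the remaining spam filters that the IP Allow List slide describes, which is why allow-list entries deserve the same review as firewall exceptions.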
Spam Filtering - Protocol-level Filtering
Spam Filtering - Recipient Filtering
In the Recipient Filtering dialog box, you can specify a list of e-mail addresses or a distribution list that would like to receive e-mails from outside your organization. It is very common within an organization to have some distribution lists that are used regularly and that you might want to prevent from receiving e-mail from the Internet.
Spam Filtering - Sender Filtering
If you learn of a specific e-mail address that is sending lots of spam to your organization and you want to block that source e-mail address from sending messages, you can use the Sender Filtering feature.
1. Click the Block Senders tab and notice that by default there is already a filter to block
2. Click Add, and then add the e-mail address
3. Click OK. Click Add again and then specify the domain that you want to block
4.
5. Click the Action tab to specify the action to be taken when a message contains one of the senders specified in the Block Senders list
Spam Filtering - Sender ID
The Sender ID feature works by verifying that the source of the message is the organization it claims to be. Sender ID checks the IP address of the sending server against a registered list of servers that the domain owner has authorized to send e-mail.
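The check described above, sketched as an added Python example (not code from the slides or from Microsoft). It evaluates only the ip4, ip6 and all terms of a published record; the domain, addresses, record and message are constructed documentation values, and the header choice in purported_domain is a simplified assumption.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the TXT record a domain owner might publish in DNS.
PUBLISHED = {"example.com": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:25::/48 -all"}
RESULTS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def purported_domain(raw_message):
    """Simplified choice of the address the message claims to come from."""
    msg = message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        address = parseaddr(msg.get(header, ""))[1]
        if "@" in address:
            return address.rsplit("@", 1)[1].lower()
    return None

def check_record(client_ip, record):
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    parts = record.split()
    tag = parts[0].lower() if parts else ""
    if tag != "v=spf1" and not tag.startswith("spf2.0/"):
        return "PermError"
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "Unevaluated"      # a, mx, include, ... need DNS lookups
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "PermError"
        if ip in network:             # False when IPv4/IPv6 versions differ
            return RESULTS[qualifier]
    return "Neutral"                  # nothing matched and no "all" term

def sender_id(raw_message, client_ip, published=PUBLISHED):
    record = published.get(purported_domain(raw_message))
    if record is None:
        return "None"                 # the domain owner published nothing
    return check_record(client_ip, record)

# Constructed message claiming to come from example.com.
SAMPLE = "From: Alice <alice@example.com>\nSubject: invoice\n\nHello\n"
```

With SAMPLE, a connection from 192.0.2.10 passes and one from 198.51.100.7 fails; a domain that publishes no record yields "None", so the check gives no protection for such senders.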
Spam Filtering - Content-level Filtering
Delete Messages That Have A SCL Rating Greater Than Or Equal To
The message is deleted and the sending server is not notified of the message deletion.
Exchange Edge Transport Server (installed on the TMG computer) accepts and then deletes the message.
Because the sending server understands that the message was accepted, the sending server doesn’t retry sending the message in the same session.
Reject Messages That Have A SCL Rating Greater Than Or Equal To
This option rejects the message by sending one of several SMTP negative responses to the sending server.
Quarantine Messages That Have A SCL Rating Greater Than Or Equal To
When using this option you need to specify a mailbox to hold the quarantined e-mail. You must have the mailbox account already created prior to configuring this option. In other words, this option does not create a mailbox for quarantine; it can only use an existing mailbox.
The numbers that are configured beside each of these options have a range from 0 to 9, where 9 indicates that the e-mail is very likely to be spam and 0 indicates that the e-mail is least likely to be spam. Notice that by default all options are dimmed, but if you select any of those check boxes the option will be enabled. For this example leave all these settings at their default values and click OK to close the dialog box.
Virus and Content Filtering
Configures antivirus, file attachment, and message body filtering
Virus filter – Engine selection policy and remediation actions
File filters – Unwanted file attachments based on file type, filename, and prefix
Message body filters – Identify unwanted e-mail messages by applying keyword lists to the contents of the message body
Virus and Content Filtering - Configuration
On the Engines tab you can select up to five engines that will be used for transport scanning (inbound and outbound messages).
You can also select how the engines will be used to scan the messages by selecting one of the following options:
Always Scan With All Selected Engines: Using this option, Forefront Protection 2010 for Exchange Server queues messages for scanning if any of the selected engines becomes busy, such as during signature updates or heavy e-mail traffic times.
Scan With The Subset Of Selected Engines Which Are Available: This option scans using all selected engines. Scans alternate between engines when one of the selected engines is busy.
Scan With A Dynamically Chosen Subset Of Selected Engines: Using this option, Forefront Protection 2010 for Exchange Server heuristically chooses from the selected engines, based on recent results and statistical projections.
Scan With Only One Of The Selected Engines: Using this option, only one of the selected engines listed in this dialog box is used to scan any single object.
Note: When selecting multiple engines it is important to consider performance and sizing of the server. CPU utilization can increase 20 to 40 percent depending on bias and engines.