Session: CEO307
Mike Crowley
Planet Technologies
www.Go-Planet.com 1
Agenda
Introduction to Forefront
What does FOPE do and how does it work?
Usage Scenarios
Implementing FOPE
FOPE Administrative Interface Demo
2
What is Forefront?
Microsoft’s brand name for products dealing with security and identity
First it was Then it was rebranded as Now it’s called
Client Protection Forefront Client Security Forefront Endpoint Protection (FPE)
Microsoft Identity Integration Server (MIIS) Identity Lifecycle Manager (ILM) Forefront Identity Manager (FIM)
Microsoft Proxy Server Internet Security and Acceleration Server (ISA) Forefront Threat Management Gateway (TMG)
Intelligent Application Gateway (IAG) Forefront Unified Access Gateway (UAG)
Antigen for Exchange Forefront Security for Exchange (FSE) Forefront Protection for Exchange Server (FPE)
Antigen for SharePoint Forefront Security for SharePoint (FSSP) Forefront Protection for SharePoint (FPSP)
Antigen for Instant Messaging Forefront Security for OCS (FSOCS) Forefront Protection for Lync (Soon)
Antigen Enterprise Manager Forefront Server Security Management Console (FSSMC)
Forefront Protection Server Management Console (FPSMC)
FrontBridge Enterprise Message Security Forefront Online Protection for Exchange (FOPE)
3
FOPE vs. Postini
4
FOPE vs. Postini
FOPE advertises $21 per year, per
user – though you may already own it
FOPE’s privacy statement does not
allow Microsoft to use FOPE data to
market to you or your users
FOPE uses a simple directory
synchronization tool
Built-in to Exchange Online
FOPE’s “connectors” offer much
more control over mail routing
Postini falls under Google’s new
privacy policy
Postini’s synchronization requires
SSL certificates, and knowledge of
LDAP/DSML
Built-in to Google Apps
Postini can’t whitelist trusted IPs
Postini advertises $12 per year, per
user
Postini’s administrative interface can
be difficult to navigate 5
Features
Anti-virus service
Anti-spam service
Policy enforcement
Directory-based
blocking
• IP Reputation Blocking
• Connection Analysis
• Reputation Analysis
• IP-based Authentication
• Fingerprinting
• Backscatter Mitigation
• Real-time Threat Response
• Fast Antivirus Signature Deployment
• Rules-based Scoring
• Message Handling
• Phishing and Spoofing Prevention • Extension Blocking
• Custom Policy Rules Filters
• Group Filtering
• Intelligent Routing
• Inbound Address Rewrite
• Office 365 Integration
6
Service Level Agreements
Network uptime: 99.999 percent
Email delivery: average delivery commitment of less than one minute
Virus detection and blocking: 100 percent protection against all known email
viruses
Spam Effectiveness: Capture of at least 98 percent of all inbound spam
messages
False positive commitment of fewer than 1 in 250,000 messages
7
What can FOPE do that Software-
based Antivirus cannot?
Save network bandwidth (Microsoft estimates 90% of email is Spam)
8
What can FOPE do that Software-
based Antivirus cannot?
Save network bandwidth (Microsoft estimates 90% of email is Spam)
Reduce server workload
9
What can FOPE do that Software-
based Antivirus cannot?
Save network bandwidth (Microsoft estimates 90% of email is Spam)
Reduce server workload
Spool email for <5 days in the event of an outage
10
What can FOPE do that Software-
based Antivirus cannot?
Save network bandwidth (Microsoft estimates 90% of email is Spam)
Reduce server workload
Spool email for <5 days in the event of an outage
Make RBL cleanup someone else’s problem
11
Usage Scenarios
Fully hosted scenario
Outbound smart host scenario
Inbound safe listing scenario
Regulated partner with forced TLS
scenario
Hybrid scenarios
Shared address space with on-premises relay scenario (MX points to on-premises)
Shared address space with on-premises relay scenario (MX points to FOPE)
Shared address space with cloud relay scenario (MX points to the cloud)
TechNet article: gg430167
12 TechNet screencasts available for each scenario. TechNet article: gg186020
SMTP Connectors
13
FOPE Does Not:
Scan intra-organization mail
Act as an SMTP relay for your application servers
Office 365 users: see KB 2600912
Support PowerShell
You can upload users via CSV or use DST
DST supports PowerShell
Require an Exchange Server
14
15
End-User Interaction
16
End-User Interaction
17
Administrator Interaction Office 365 Admin
http://<pod>.outlook.com/ecp
Standalone or Office 365 Admin
http://admin.messaging.microsoft.com
18
Message
Tracing
Not to be confused with
Office 365’s “Delivery
Reports”
Visit TechNet article
ff715127 for feature
limitations
20 “Connector ID”
Field Not shown here
Reporting
Reports Include:
• Deferral
• E-mail traffic
• Top users
• Top viruses
• Connectors
21
DST - Directory
Synchronization Tool • Adds, Updates, Deletes
FOPE Users
• PowerShell Support
• Requires Active Directory
• Exchange Exchange*
• Not used with Office 365
*Required for Safelist Aggregation 22
Implementing FOPE
Activate FOPE Validate domains
Office 365 enables FOPE automatically
Configure User upload (DST or CSV)
Connectors, Filters, etc.
Update DNS MX record
Create firewall rules
23
Exchange Hosted Encryption (EHE)
Emails sent by users can be
encrypted automatically
based upon rule-matching
by: • Subject and message
• Keywords
• Regular expressions
• Sending and receiving email
address
• Domains
24
Exchange Hosted Encryption (EHE)
25
Suggested Resources
• Service Description for Microsoft Forefront
Online Protection for Exchange
• FOPE User Guide
• Microsoft.com/FOPE
• TechNet Wiki
● http://bit.ly/GUZOWO
26
Planet Technologies: http://Go-Planet.com Mike Crowley: http://MikeCrowley.us
Your Feedback is Important
Please fill out a session evaluation form
drop it off at the conference registration
desk.
Thank you!
27