Microsoft Forefront Server for Exchange (FSE) is a tool that will help companies deal with the threats associated with e-mail service. Microsoft Exchange is used in a large number of businesses for e-mail services. Microsoft FSE was not always so widely used, but its integration with Active Directory (starting with Exchange 2000) made it a more viable product for companies to use. The number of threats written to compromise these systems has increased as more companies implement Microsoft FSE in their infrastructure. The importance of e-mail to productivity in most companies is the reason that extra security mechanisms, like Microsoft FSE, need to be in place. Attachments and phishing scams pose serious threats to companies. The Microsoft FSE gives companies extra mechanisms to filter attachments and scan for viruses.
The Microsoft FSE server allows network administrators to centrally manage the security of the exchange servers. Administrators using FSE can conduct filtering, scanning, and job scheduling of e-mail-related attachments from a central management console. Reports can give the security professional using FSE indication of what the real problems are and help them to discern from where they are originating. Using FSE can help companies effectively deal with security issues related to e-mail.
How to implement Microsoft Forefront Server for Exchange
When you are implementing FSE you should ensure that you carefully plan your deployment to ensure that the additional load placed on your FSE servers does not negatively impact performance and that you do not inadvertently block legitimate messages.
Due to the fi ltering abilities of FSE, it is very easy to block legitimate messages. This causes inconvenience for the recipient of the message, but also creates more work for administrators who either have to provide an alternative method of sending fi les to people or retrieve the fi les from quarantine and forward them to the recipient. Depending on the amount of legitimately blocked attachments, you may have to dedicate significant resources to review and deliver quarantined attachments.
It is common within companies to block executable attachments from being sent and received. This is done to protect the company’s infrastructure from programs, which could potentially cause problems, and also prevent potentially dangerous attachments being sent to third parties. While this will help to protect your infrastructure, it can easily cause legitimate messages to be blocked causing inconvenience to the sender and the recipient.
Planning a FSE Deployment
The complexity of your FSE deployment will vary depending on the complexity of your FSE infrastructure and the types of message filtering you want to implement. In order to help with your planning it is recommended that you split this into two components, Antivirus (AV) scanning and message filtering. When you are planning the deployment of FSE, it is important to understand the FSE infrastructure. It is assumed in the course of this chapter that an FSE 2007 infrastructure is being used. In FSE 2007, the functionality has been split into five roles:
■ Client Access Server Allows clients to access FSE.
■ Hub Transport Server Transports messages between mailbox servers and to edge transport servers.
■ FSE Stores users mailboxes.
■ FSE Provides unified messaging capabilities.
■ FSE Allows messages to be sent and received from external sources.
The first four roles can all be installed on a single server for small deployments. The Edge Transport Server has to be installed on its own server as it usually resides in a perimeter network.
This chapter will refer to different roles when indicating where to install or how to configure FSE. It is assumed that these are installed on separate servers.
FSE allows you to virus scan messages as they enter and transit through your FSE infrastructure. When they are in the user’s mailbox, this is done by deploying FSE on your Edge and Hub Transport roles and on the Mailbox role. It is recommended that you deploy AV scanning on all of your servers running the FSE. This ensures that messages are virus-scanned providing for a safe FSE infrastructure.
You can use up to five AV engines to scan each message and then attempt to clean the message, remove the attachment, or log that a virus was detected. When messages are cleaned or removed, they can be quarantined allowing you to retrieve the fi les if required. You can specify different AV engines for each of the three Scan Job types—Transport, Real Time, and Manual—although it is recommended that you keep them the same.
On servers running the edge and hub roles, you can choose to scan internal, incoming, and outgoing messages. It is recommended that you choose to scan all three. This allows you to ensure that no virus-infected messages enter or leave your organization and that internal machines are not sending viruses to your own users.
By default, FSE only virus scans a message once, this allows for the best use of resources across your FSE infrastructure. This means that if a message is scanned on an edge role, it will not be re-scanned on the hub role used to relay the message through your organization.
On servers running the mailbox role, you have more control over which messages are virus-scanned. You can perform real time scanning which allows for messages to be scanned as they are accessed. This will, by default, only scan messages that have not been scanned for viruses before. These are usually public folder posts, calendar appointments, and messages in folders like Sent Items, as these messages do not pass through the hub role. While there is an overhead to scanning messages as they are accessed in terms of both resources and a delay to the end user, the impact should be minimal due to the small amount of messages that will be scanned.
You can also configure messages to be background scanned. Background scanning allows you to re-scan messages that have been received or created within the last x days by re-scanning. It is likely that new AV definitions will have been released, meaning that any new viruses will be detected. This is the only AV scan that will, by default, re-scan messages that have been previously virus-scanned. Running this scan is a considerable overhead, so you should set it to run in off-peak hours.
The fi nal option is to perform a manual scan, which can be scheduled to run at a specific time. This is most commonly used when you first install FSE, to allow you to scan and stamp all existing messages, ensuring that your infrastructure is virus free. AV stamping is used to indicate that a message has already been virus-scanned. This stamp is placed in the message header when it is being routed through the FSE infrastructure.
Once the message have been accepted into users mailbox, the AV stamp is converted into a MAPI property of the message.
For each of the Scan Jobs on the Mailbox Role, you can choose which mailboxes they scan. This can be useful if you have a large number of mailboxes and you want to use the Manual Scan Job to scan these in batches. For the Real Time Scan Job, it is recommended that you scan all mailboxes, which will ensure that your entire infrastructure is protected.
Once a message is detected as containing a virus, the recommended action is to delete the attachment. While you can opt to clean a message, this uses considerable resources and most attachments containing viruses are usually unsolicited. Therefore, there is no point in trying to clean them. Unsolicited messages are also known as spam.
These messages usually have a commercial content where the recipient has not requested this information. It is common for these messages to contain misleading attachments that contain viruses.
When you are planning your AV protection, you should ensure that all of your messages are scanned at least once to ensure that they are free from viruses. You should do this not only for incoming messages, but also for outgoing and internal messages.
By scanning these messages you are ensuring that you are not sending viruses to other companies and that your entire infrastructure remains virus free. If you opt to quarantine detected viruses you should ensure that you clean out the quarantine area on a regular basis to prevent the quarantine database from being filled up and that disk space does not run out. You can opt to automatically purge this information after a number of days. It is recommended that you enable this and purge messages after 30 days. The purge setting will also affect messages quarantined due to messages filtering.
Message Filtering in FSE allows you to fi lter messages based on attachments, message content, keywords, and who is sending the message. This filtering is in addition to
filtering performed by the Exchange Edge role and is performed after the FSE filtering.
Therefore, it is likely that a large amount of unsolicited e-mail will have been rejected by this stage.
FSE Message Filtering is a lot more flexible than the filtering offered in Exchange, and allows you to quarantine the messages you filter. This allows you to recover deleted messages and attachments if required, along with being able to create highly complex and customized filters to meet your company’s requirements.
It is vital that you plan your filtering correctly, otherwise you could end up filtering messages that you never intended to. The Transport Scan Job allows you to filter messages based on their attachments and the contents of the message body. You can specify senders that you always want to receive e-mails from; these are known as safe senders. If you enable filtering on Real Time and Manual Scan Jobs, you can filter messages based on their attachments and against the contents of the Subject and Senders Domain.
It is recommended that you restrict all fi le filtering to the Transport Scan Job. This way messages are only scanned once before they are submitted for delivery. The reason for this is that if you enable filtering for executable fi les in the real time scan and a user attempts to send a message with an executable fi le attached, the message will be modified while it sits in the Drafts folder. This will result in an error when the user tries to send the e-mail. These error messages can cause confusion for the sender and may result in an increased number of calls to your Helpdesk.
By moving the fi le filtering to the Transport Scan Job, users will be able to send e-mails, but they will be checked during transit. This allows for the message to be filtered and for a notification e-mail to be sent if configured. While this has the same end effect as the message being filtered, the end user has a better experience. When you configure fi le filtering you can do this based on extension, type, and fi le size. This provides you with a large amount of flexibility when configuring the file filters. It is recommended that you filter by fi le type wherever possible, as this prevents people from changing a fi le extension to bypass the fi lter. An example of file filtering will be provided in the configuration section of this chapter.
Once you have planned your fi le filtering, you will need to plan any other filtering methods you plan to use. If you need to check the body of the message for certain phrases, this can be done using the Transport Scan Job. Also known as keyword filtering, this filter provides more control than the content filter in FSE.
When you create a keyword filter you can configure logical operators. Logical operators allow you to specify that multiple words have to be in the message body or those words having to appear multiple times. Using this technique allows you to create complex filters.
The final set of filters you can create are content filters. These are available in the Real Time and Manual Scan Jobs and allow you to specify sender domains. This allows you to filter messages from certain e-mail addresses or domains. While you can perform the same functionality using sender filtering on an FSE Edge server, this filter has the added ability to quarantine messages and can be used if you have not deployed an Edge server.
Using the content filter you can also filter messages based on their subject. This allows you to filter on common unsolicited e-mail subjects, which may be useful if you are not running an FSE Edge server. When you start to plan you FSE filtering, you should ensure that you are not duplicating workload if you are using the anti-spam filters on an FSE Edge server. You should not duplicate their work in FSE, as this places an additional work load on your servers. You should ensure that you test your filters before deploying them to make sure they only filter e-mail you want to filter (e.g., if you are only filtering incoming executables and not ones sent between internal recipients).
You should be aware that the more filtering you add, the higher the load on your servers. If you are using real time filtering this will also affect the access time for users when accessing messages.
How to install Forefront Server for Exchange
When you install FSE you can either install it locally on each machine or by performing a remote install. Remote installs are performed within the Forefront installer. When possible, it is recommended that local installations are performed. This section will take you through performing both a local and a remote installation along with how to install FSE on clustered mailbox servers. When you install FSE you have the option to perform a full installation. This can be performed on Exchange servers running the Edge Transport, Hub Transport, and Mailbox roles or a Client Installation, which installation allows you to install the Forefront Server Administrator onto administration machines and can only be installed locally.
If you have clustered mailbox servers using either Single Copy Cluster (SCC) or Cluster Continuous Replication (CCR), the installation process will differ slightly to installing on other FSE servers. The process is different for both SCC and CCR clusters. If you are using Local Continuous Replication (LCR), the installation of Forefront Server for Exchange should be the same as a normal install.
If you are using Standby Continuous Replication (SCR), you should not install FSE unless this server becomes active. Once the server is made active, you will then need to configure it as required. Fortunately, to speed up the configuration, you can use configuration templates.
When performing a local installation you should be logged into the machine as a user that has administrative rights on the machine. As part of the installation, you may be required to restart some of the FSE services; therefore, it is recommended that installation is performed during off-peak hours.
To perform a local install:
1. Run the FSE Installer.
2. Click Next.
3. Accept the License Agreement.
4. Enter User Name and Company Name and click Next.
5. Select Local Installation and click Next.
6. For a full installation, select Full Installation and click Next.
7. Select Secure Mode or Compatible Mode and click Next. When you select Secure Mode, AV scan and fi lter messages are forwarded from quarantine. When you select Compatible Mode, AV scan messages are forwarded from quarantine.
8. Select up to four AV engines (see screenshot) and click Next.
9. Click Next.
10. If you need to use a Proxy Server for updates, enter Address and Port and click Next. (If you need to use a username and password you can specify this under General Options once FSE is installed.)
11. Choose the Installation Location and click Next.
12. Choose the Programs Folder and click Next.
13. Review the Installation Options and click Next.
14. You may be asked if you want to restart Exchange Transport Service. If you want to restart this now click Next; if you want to restart this later click Skip.
15. If you choose to restart the service, click Next once the service has restarted.
16. You may be asked if you want to restart FSE Information Store. If you want to restart this now click Next; if you want to restart this later click Skip.
17. If you choose to restart the service, click Next once the service has restarted.
18. Click Finish.
19. For a Client installation Select Client – Admin console only and click Next.
20. Choose the Installation Location and click Next.
21. Choose the Programs Folder and click Next.
22. Review the Installation Options and click Next.
23. Click Finish.
How to configure Microsoft Forefront Server for Exchange
Once you have installed FSE, you will need to configure the various settings to ensure that messages are processed as required for your business.
There are two ways to configure FSE. The first option is to use the Forefront Server Security Administrator (FSA), which allows you to configure each server running FSE on an individual basis using the tool locally or remotely. The other option is to use Forefront Server Security Management Console (FSSMC), which allows for Forefront servers to be centrally administered (The Management Console is an additional product and is not included with FSE). For this reason, this section will focus on the FSA as the method used to configure FSE.
While the configuration information is stored in a number of different locations, the majority of the information is stored in a series of FDB fi les, which are located in the FSE installation directory. This information can also be stored in templates to allow for settings to be copied across servers. The remainder of the information is stored in the registry. This information is usually server specific, and the majority of the settings can be modified through the FSA.
When you are running clustered mailbox servers you should ensure you connect FSA to the Exchange Virtual Machine. The one exception to this is if you need to release quarantined fi les from a passive node. In that case, you should connect FSA directly to the passive node. All configuration information is replicated between the active and passive nodes ensuring that if a failover occurs the configuration information is available.
The Settings section allows you to configure the AV scanning options and server configuration for FSE along with the ability to create new configuration templates.
Throughout this section there will be up to three available Scan Jobs for which you can modify settings. The Scan Jobs available are dependent on the Exchange Roles installed on the server.
If the server is running the Edge Transport or Hub Transport role, the Transport Scan Job will be available. If the server is running the Mailbox Role, the Real Time Scan Job and Manual Scan Job will be available. If you add roles to the server, you will need to re-run the FSE installer for the relevant Scan Jobs to be made available. Scan jobs are automatically removed if you install a role.
The Scan Job section allows you to configure which messages and mailboxes will be processed by the jobs.
For each of the Scan Jobs, you can specify the deletion text that is used when an attachment is removed and replaced with a text fi le containing the specified text.
To allow for e-mail-specific information to be entered, there are a number of keyword substitution macros available.
Keyword substitution macros can be inserted by right-clicking in the Edit Text field and selecting Paste Keyword, and then selecting the Macro to insert.
Transport Scan Job
The Transport Scan Job is used to process messages on servers running the Edge or
Hub Transport Roles. This can be configured to process inbound, outbound and/or internal e-mail. The option to scan internal messages is available on servers running the Edge role, even though Internal mail should not reach the Edge.
The other configurable option is the tag text, which is used when keyword filtering is enabled for the Scan Job. Tag text allows for a subject line text and header tag text to be specified. These are applied to an e-mail when it triggers a keyword match, and the action is set to tag the message.
Real Time and Manual Scan Jobs
The Real Time and Manual Scan Jobs are used to process messages on the servers running he mailbox role. These will process messages that have not previously be scanned. This is particularly important for messages that do not use a hub transport server, including messages in sent items, public folder posts, and calendar messages.
The real time scan processes messages as they are accessed by a client; this is also known as an on access scan. By default, this will only process messages that have never been scanned before and are within a certain time range. This range in the first release of FSE is within the previous 24 hours but can be changed. If you are running FSE for Exchange 2007 Service Pack 1, this value is fixed to be every day since FSE was installed. Settings specified for the real time scan are also used for the background scans.
The manual scan can either be run on a manual basis or on a schedule. This is usually used to scan specific mailboxes or to clean up a mail server after a virus outbreak.
For both of these scans you can configure which mailboxes and public folders are scanned. There are three available options for each:
■ All Scans all current and future mailboxes or public folders
■ None Does not scan any mailboxes or public folders
■ Selected Scans only the selected mailboxes or public folders
If you select Selected you will need to select which mailboxes or public folders to scan:
1. Select Selected.
2. Click on the Mailbox or Public Folder icon.
3. Check the mailboxes or public folders you want to scan; you can select an entire store. If you select a store, then only current mailboxes will be included. Any new mailboxes will eed to be added as required
4. Click on the Back Arrow to exit the Selection List.
5. Click OK to save the changes.
It is recommended that you leave the real time scan set to “All” as this will ensure that messages that have not been scanned are scanned to ensure they do not contain viruses.
With the increasing number of viruses being circulated through e-mail, it is becoming more important to ensure that your FES infrastructure if fully protected against viruses and other threats that threaten your infrastructure.
FSE allows you to virus scan messages as they transit through you FSE infrastructure and when they are in the user’s mailbox, ensuring that your infrastructure remains virus free. In addition to virus scanning, you can also apply fi lters, which allow you to proactively protect against unwanted attachments, along with checking the contents of the messages.
When you are considering deploying FSE, you should carefully plan your deployment to ensure that you do not adversely affect the performance of your Exchange servers and that you do not accidentally delete legitimate messages.
When you start to deploy FES, you should do this out of hours and start with the Edge Transport Servers first, followed by the Hub Transport Servers and then the Mailbox Servers. This helps to ensure that you do not introduce any new viruses to your infrastructure once you have started your deployment.
In order to effectively manage FES across your entire Exchange deployment, you should consider using FSSMC, which allows you to centrally manage the configuration and the quarantine databases.
When deploying security products, it is possible to over-engineer their design and deployment. This can often cause unforeseen issues and a level of complexity that is not always necessary. Your initial deployment should provide the basics for what you require. You should then add additional scanning and filtering as required while ensuring that you do not overload your infrastructure, and that the end user’s experience is not adversely affected.