Module 6 Implementing Messaging Security

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution


Module Overview

• Deploying Edge Transport Servers

• Deploying an Antivirus Solution

• Configuring an Anti-Spam Solution

• Configuring Secure SMTP Messaging


Lesson 1: Deploying Edge Transport Servers

• What Is the Edge Transport Server Role?

• Edge Transport Server Role Infrastructure Requirements

• What Is AD LDS?

• Demonstration: How to Configure Edge Transport Servers

• What Is Edge Synchronization?

• How Internet Message Flow Works

• Demonstration: How to Configure Edge Synchronization

• What Is Cloned Configuration?

• Discussion: Securing Edge Transport Servers

What Is the Edge Transport Server Role?

The Edge Transport server role provides:

• Internet message delivery

• Antivirus and anti-spam protection

• Edge transport rules

• Address rewriting

The Edge Transport server role:

• Cannot be deployed with any other server role

• Should not be a member of the internal Active Directory domain

• Should be deployed in a perimeter network

Edge Transport Server Role Infrastructure Requirements

The Edge Transport server:

• Must be configured with a Fully Qualified Domain Name

• Requires a minimal number of ports opened on the internal and external firewalls

• Must be configured with the IP addresses for DNS servers that can resolve DNS names on the Internet

What Is AD LDS?

AD LDS is an LDAP directory service that stores information for directory-enabled applications.

AD LDS on an Edge Transport server stores:

• Schema information

• Configuration information

• Recipient information

You can use the Exchange Server 2010 tools to perform most of the AD LDS configuration tasks.


Demonstration: How to Configure Edge Transport Servers

In this demonstration, you will:

• Review the Edge Transport server default configuration

What Is Edge Synchronization?

Edge Synchronization replicates Active Directory information to AD LDS on Edge Transport servers.

Reasons for implementing Edge Synchronization include:

• Simplifying Edge Transport server configuration

• Using recipients for transport or filtering rules

Edge Synchronization:

• Includes configuration and recipient information

• Is always initiated by Hub Transport servers

How Internet Message Flow Works

[Diagram: Internet message flow in six numbered steps between the Hub Transport / Client Access / Mailbox servers and the Edge Transport servers]


Demonstration: How to Configure Edge Synchronization

In this demonstration, you will:

• Enable Edge Synchronization

• Test Edge Synchronization

• Configure address rewriting

What Is Cloned Configuration?

Cloned configuration is a process of configuring multiple Edge Transport servers with identical configurations.

To implement cloned configuration, use the:

• ExportEdgeConfig script to export configuration information

• ImportEdgeConfig script to validate the configuration on the target server, and then create an answer file

• ImportEdgeConfig script to import configuration information


Discussion: Securing Edge Transport Servers

• Why is it important to secure Edge Transport servers?

• What factors should you consider at the operating system level?

• How do you secure an Edge Transport Server?


Lesson 2: Deploying an Antivirus Solution

• Antivirus Solution Features in Exchange Server 2010

• What Is Forefront Protection 2010 for Exchange Server?

• Forefront Protection 2010 Deployment Options

• Best Practices for Deploying an Antivirus Solution

• Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server

Antivirus Solution Features in Exchange Server 2010

Exchange Server 2010 supports:

• Using the same VSAPI as is used in Exchange Server 2003 and Exchange Server 2007

• Using transport agents to filter and scan messages

• Using antivirus stamping to mark each scanned message

• Integration with Forefront Protection 2010 for Exchange Server


What Is Forefront Protection 2010 for Exchange Server?

Benefits of Forefront Protection 2010 for Exchange Server include:

• Full support for VSAPI

• Antivirus scan with multiple scan engines

• Microsoft IP Reputation Service

• Automated content filtering updates

• Spam signature updates

• Premium spam protection


Forefront Protection 2010 Deployment Options

You can install Forefront Protection 2010:

• Only on an Edge Transport server or a Hub Transport server

• On an Edge Transport server or a Hub Transport server and a Mailbox server

When installing Forefront Protection 2010, consider:

• The number of scan engines required

• The types of scan engines that should be used


Best Practices for Deploying an Antivirus Solution

When you implement an antivirus solution, you should:

• Implement multiple layers of antivirus such as:

• Firewall or Edge Transport server

• Client

• Exchange server

• Maintain regular antivirus updates


Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server

In this demonstration, you will see how to:

• Install Forefront Protection 2010 for Exchange Server

• Configure Forefront Protection 2010 for Exchange Server

• Manage Forefront Protection 2010


Lab A: Configuring Edge Transport Servers and Forefront Protection 2010

• Exercise 1: Configuring Edge Transport Servers

• Exercise 2: Configuring Forefront Protection 2010 for Exchange Servers

Estimated time: 45 minutes

Logon information

Virtual machines: 10135-VAN-DC1, 10135-VAN-EX1, 10135-VAN-SVR1

User name: Administrator

Password: Pa$$w0rd


Lab Scenario

You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. Your organization has deployed Exchange Server 2010 internally, and it now wants to extend it so that everybody can send and receive Internet e-mail.

As part of your job responsibilities, you need to set up an Edge Transport server, and then install an antivirus solution to scan all mail.


Lab Review

• When you implement new certificates on your existing Edge Transport server, what do you need to consider?

• Does the Forefront Protection 2010 Suite scan the message multiple times when it is passed over Edge Transport and Hub Transport servers?


Lesson 3: Deploying an Anti-Spam Solution

• Overview of Spam-Filtering Features

• How Exchange Server 2010 Applies Spam Filters

• What Is Sender ID Filtering?

• What Is Sender Reputation Filtering?

• What Is Content Filtering?

• Demonstration: How to Configure Anti-Spam Options

Overview of Spam-Filtering Features

Feature | Filters messages based on
Connection Filtering | The IP address of the sending SMTP server
Content Filtering | The message contents
Sender ID | The IP address of the sending server from which the message was received
Sender Filtering | The Sender in the MAIL FROM: SMTP header
Recipient Filtering | The Recipients in the RCPT TO: SMTP header
Sender Reputation | Several characteristics of the sender, accumulated over a period of time
Attachment Filtering | Attachment file name, file name extension, or file MIME content type

How Exchange Server 2010 Applies Spam Filters

[Diagram: spam filters applied on the Exchange Server 2010 Edge Transport server to mail arriving from the Internet. Labels: Connection Filtering, IP Allow List, IP Block List, RBL, Sender Filtering, Recipient Filtering, Sender ID Filtering, Content Filtering, Outlook Safe Senders List, Below SCL Threshold, Exceed SCL Threshold]

What Is Sender ID Filtering?

Sender ID filtering is a concept in virus protection that was introduced in Exchange Server 2007.

[Diagram: Sender ID check in four numbered steps involving the Internet, the sending SMTP server, a DNS server, the Edge Transport server, and the Hub Transport server]

You can configure it to:

• Reject messages and issue a nondelivery report (NDR)

• Delete messages without sending an NDR

• Stamp the messages with the Sender ID result, and continue processing

What Is Sender Reputation Filtering?

Sender Reputation filtering filters messages based on information about recent e-mail messages received from specific senders.

The Protocol Analysis agent assigns a sender reputation level (SRL) that is based on:

• Sender open proxy test

• HELO/EHLO analysis

• Reverse DNS lookup

• Analysis of SCL ratings on messages from a particular sender

What Is Content Filtering?

Content Filtering analyzes the content of each e-mail message and assigns a spam confidence level (SCL) to the message.

You can configure content filtering to:

• Delete, reject, or quarantine messages that exceed an SCL value

• Block or allow messages based on a custom word list

• Allow exceptions so that messages sent to specified recipients are not filtered

Quarantined messages are sent to a quarantine mailbox.
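The Sender ID, Sender Reputation and Content Filtering options described on the three slides above, expressed as Exchange Management Shell commands run on the Edge Transport server. This is an added example, not part of the course material; the thresholds, phrases and example.com addresses are assumed sample values.

```powershell
# Added example: anti-spam agent settings on an Edge Transport server.
# Run in the Exchange Management Shell. Thresholds, phrases and addresses
# are assumed sample values, not taken from the course.

# Sender ID: pick one of the three actions listed on the slide.
#   Reject      - reject the message and issue an NDR
#   Delete      - delete the message without sending an NDR
#   StampStatus - stamp the Sender ID result and continue processing
Set-SenderIdConfig -Enabled $true `
    -SpoofedDomainAction StampStatus `
    -TempErrorAction StampStatus

# Sender Reputation: block a sender for 24 hours once its SRL reaches 7,
# and keep the open proxy test enabled.
Set-SenderReputationConfig -Enabled $true `
    -SrlBlockThreshold 7 `
    -SenderBlockingEnabled $true `
    -SenderBlockingPeriod 24 `
    -OpenProxyDetectionEnabled $true

# Content Filtering: the delete threshold must be higher than the reject
# threshold, which must be higher than the quarantine threshold. An action
# applies to messages whose SCL is at or above its threshold.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -QuarantineMailbox spamquarantine@example.com

# Custom word list: GoodWord lets a message through, BadWord blocks it.
Add-ContentFilterPhrase -Phrase "Project Falcon status" -Influence GoodWord
Add-ContentFilterPhrase -Phrase "claim your prize now" -Influence BadWord

# Exception: mail sent to this recipient is not content filtered.
Set-ContentFilterConfig -BypassedRecipients postmaster@example.com

# Review the resulting configuration.
Get-SenderIdConfig | Format-List Enabled,SpoofedDomainAction,TempErrorAction
Get-SenderReputationConfig | Format-List SrlBlockThreshold,SenderBlocking*
Get-ContentFilterConfig | Format-List SCL*,QuarantineMailbox,BypassedRecipients
Get-ContentFilterPhrase | Format-Table Phrase,Influence
```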


Demonstration: How to Configure Anti-Spam Options

In this demonstration, you will see how to:

• Configure Connection Filtering

• Configure Sender and Recipient Filtering

• Configure Sender ID and Sender Reputation Filtering

• Configure Content Filtering


Lesson 4: Configuring Secure SMTP Messaging

• Discussion: SMTP Security Issues

• SMTP E-Mail Security Options

• Demonstration: How to Configure SMTP Security

• What Is Domain Security?

• How Domain Security Works

• Process for Configuring Domain Security

• Demonstration: How to Configure Domain Security

• How S/MIME Works


Discussion: SMTP Security Issues

• What are the SMTP security issues?

• How do you currently secure SMTP?

SMTP E-Mail Security Options

Protocol | Layer | Purpose
IPSec | Network-based | Encrypts server-to-server or client-to-server traffic
VPN | Network-based | Encrypts site-to-site traffic
TLS | Session-based | Encrypts server-to-server traffic
S/MIME | Client-based | Encrypts client-side e-mail and enables digital signing

SMTP e-mail can be additionally secured by using authentication and authorization on the SMTP connector.


Demonstration: How to Configure SMTP Security

In this demonstration, you will see how to:

• Configure an externally secured SMTP Connector

• Configure an SMTP Connector that requires TLS and authentication

What Is Domain Security?

Domain Security uses mutual TLS with business partners to enable secured message paths over the Internet.

To set up mutual TLS:

• Generate a certificate request for TLS certificates

• Import and enable the certificate on the Edge Transport server

• Configure outbound Domain Security

• Configure inbound Domain Security

How Domain Security Works

[Diagram: Domain Security message path between two mail clients, shown in two numbered steps]

Process for Configuring Domain Security

To configure Domain Security:

1. Generate a certificate request for TLS certificates

2. Import certificate to Edge Transport servers

3. Configure outbound Domain Security

4. Configure inbound Domain Security

5. Notify partner to configure Domain Security

6. Test mail flow
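The Domain Security process above, carried through as Exchange Management Shell commands for a single partner domain. This is an added example, not part of the course material; the host name mail.example.com, the partner domain partner.example, the connector name "Internet" and the file paths are assumptions.

```powershell
# Added example: Domain Security (mutual TLS) with one partner domain.
# Run in the Exchange Management Shell. Assumed names: mail.example.com,
# partner.example, connectors named "Internet", files under C:\Certs.

# Step 1 (Edge Transport server): generate the TLS certificate request.
$req = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "Domain Security TLS" `
    -SubjectName "cn=mail.example.com" `
    -DomainName mail.example.com `
    -PrivateKeyExportable $true
Set-Content -Path "C:\Certs\edge-tls.req" -Value $req

# Step 2 (Edge Transport server): import the certificate issued by the CA
# and enable it for SMTP.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content `
    -Path "C:\Certs\edge-tls.p7b" -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services SMTP

# Step 3 (Hub Transport server): outbound Domain Security.
# The secure-domain lists are multivalued; append to the current value so
# partners that are already configured are not overwritten.
$cfg = Get-TransportConfig
$cfg.TLSSendDomainSecureList += "partner.example"
Set-TransportConfig -TLSSendDomainSecureList $cfg.TLSSendDomainSecureList
Set-SendConnector "Internet" -DomainSecureEnabled $true -DnsRoutingEnabled $true

# Step 4: inbound Domain Security.
# Hub Transport server: add the partner to the receive list.
$cfg = Get-TransportConfig
$cfg.TLSReceiveDomainSecureList += "partner.example"
Set-TransportConfig -TLSReceiveDomainSecureList $cfg.TLSReceiveDomainSecureList
# Edge Transport server: the Internet-facing Receive connector must offer TLS.
Set-ReceiveConnector "Internet" -DomainSecureEnabled $true -AuthMechanism TLS

# Hub Transport server: push the organization settings to the Edge servers.
Start-EdgeSynchronization

# Step 6: confirm the settings before sending a test message to the partner.
Get-TransportConfig |
    Format-List TLSSendDomainSecureList,TLSReceiveDomainSecureList
Get-SendConnector "Internet" |
    Format-List DomainSecureEnabled,DnsRoutingEnabled,IgnoreSTARTTLS
Get-ReceiveConnector "Internet" |
    Format-List DomainSecureEnabled,AuthMechanism
```

Step 5 has no command on this side: the partner has to make the matching configuration for your domain before mutual TLS can succeed in both directions.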


Demonstration: How to Configure Domain Security

In this demonstration, you will see how to:

• Verify certificate and check Receive connector

• Configure Domain Security

How S/MIME Works

Method | Type of Security Provided
Digital signatures | Authentication: The message was sent by the person or organization who claims to have sent it
 | Nonrepudiation: Helps to prevent the sender from disowning the message
 | Data integrity: Any alteration of the message invalidates the signature
Message encryption | Only the intended recipient can view the contents

S/MIME Infrastructure requirements:

• The sender must have a valid certificate installed

• All target addresses must have a public certificate available either locally or in Active Directory

• Can use either an internal or public CA


Lab B: Implementing Anti-Spam Solutions

• Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers

Estimated time: 65 minutes

Logon information

Virtual machines: 10135-VAN-DC1, 10135-VAN-EX1, 10135-VAN-SVR1

User name: Administrator

Password: Pa$$w0rd


Lab Scenario

After configuring the Edge Transport server and installing an antivirus solution, you must implement an anti-spam solution.


Lab Review

• What anti-spam agents are available in Exchange Server 2010?

• What is the purpose of the SCL threshold?

• What are the possible issues in implementing Domain Security for your partner domains?


Module Review and Takeaways

• Review Questions

• Common Issues and Troubleshooting Tips