Forefront Protection for Exchange: An Overview
There are many choices to make in enterprise IT today when it comes to secure messaging. Whether your organization is heading toward a cloud offering such as Office 365 or Google Apps, or toward an on-premises Exchange 2010 Enterprise deployment, an important consideration is how message content is protected, filtered and scanned. Many organizations have built up a large stack of tools to provide anti-spam, anti-virus, reputation analysis and all sorts of other capabilities in their current environment, and these solutions add complexity and cost to a messaging environment. A new deployment of Exchange is a perfect opportunity to stop and look at the big picture, but an in-place upgrade or replacement of messaging security products may make sense as well. With that in mind, this month we’ll take a look at Microsoft’s Forefront Protection for Exchange (FPE) 2010. The name of the product is somewhat misleading, as there are versions to support Exchange environments anywhere from Exchange 2003 to Exchange 2010, so don’t stop reading just because you’re not on the latest and greatest Exchange.
Why Forefront Protection for Exchange?
Forefront Protection for Exchange (FPE) 2010 is based on technology that Microsoft acquired six years ago from a company called Sybari. Microsoft has integrated it into its product line, and solutions architected by Microsoft partners for new Exchange deployments and Exchange migrations often include FPE. Microsoft has also done a great job of incorporating FPE into a number of product suites and licensing vehicles, including the Forefront Protection Suite, the Enterprise Client Access License (CAL) Suite and the Exchange Enterprise Client Access License. In short, most enterprise organizations likely already have access to FPE through an existing licensing vehicle, and that in itself is a compelling reason to consider it. FPE can also be obtained on its own if an organization does not have one of these packages already.
FPE provides a better mousetrap for anti-virus and anti-spam for Exchange. The basic premise of FPE is that it offers 5 scan engines inside the product, which can be mixed and matched or even run in parallel for a ‘defense in depth’ approach to securing content. In comparison, other products offer a single scan engine to analyze and remove e-mail containing malicious content for Exchange, and such single-engine products can be viewed as a ‘single point of failure’. If your Exchange environment relies on a single anti-virus vendor (with a single engine) in multiple locations (client, e-mail, gateway, etc.), a large blind spot still exists when trying to protect against late-breaking zero-day attacks.
Forefront Protection for Exchange: Features and Functionality
FPE is natively built for the Windows Server platform; installation and initial configuration of the product were a breeze. The installer experience and the UI are very familiar and comfortable for anyone used to working with the common Microsoft server and tools product interface (see Figure 1).
Another benefit of FPE is support: because you already have Microsoft Exchange and Windows Server, FPE support comes through the same Microsoft support channel, so you will not have to spend additional money on support as you most likely do with your current third-party solution. Also, since the same support specialist knows both FPE and Exchange, you will have a unified front for getting your problems solved more efficiently.
Figure 1: FPE 2010 Console View. Source: wardvissers.nl
Of course, FPE also offers a number of core features, including anti-spam and anti-virus protection. FPE builds on top of the base anti-spam capability that’s integrated into Exchange. If you have had to use a third-party solution due to the limited functionality of Exchange anti-spam alone, you might find the FPE multi-tier solution sufficient to eliminate your third-party solution. The FPE multi-tiered strategy for anti-spam looks like this:
- 99% detection rate with a 1:250,000 false positive rate (these numbers are verified by West Coast Labs, an independent testing group). For example, this signature-based filtering handily detected spam messages gathered in a Hotmail mailbox, ranging from pharmaceutical offers to money laundering scams.
- Additional capabilities such as DNS block list support, backscatter filtering and other anti-spam features that have been sorely missing from the base Exchange anti-spam portfolio.
- FPE has added a real-time spam filtering engine from Cloudmark. This is an extremely sophisticated engine that incorporates a number of heuristics and signature-based detection methods to identify spam.
With this combination of features, you will most likely find that there is no difference in spam detection between FPE with or without an additional anti-spam appliance. See Figure 2 for configuration options available in FPE.
Figure 2: Forefront Protection for Exchange anti-spam configuration
FPE also provides attachment filtering, enforcing inbound and outbound e-mail policies. It has the ability to inspect archive files and enforce policy with them as well. The granular control of applying policies to just inbound, just outbound or both inbound and outbound flowing mail comes in handy. Also, FPE has the ability to filter and scan content based on MIME (multipurpose Internet Mail Extensions) type as well as by actual file name; this allows for filtering of an MP3 file that’s renamed to a TXT file, for example. FPE also has the ability to delete encrypted archive files if the administrator so chooses since it cannot open them and inspect them for policy violations or potential malware.
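The two attachment checks described above, classifying a file by its actual bytes rather than its name (so an MP3 renamed to .txt is still caught) and dropping encrypted archives that cannot be inspected, can be illustrated with a small content-aware policy check. This is an added example written for this article, not FPE code or Microsoft's implementation; the policy constants, the small magic-byte table and the sample attachments are all constructed for the demonstration.

```python
"""
Content-aware attachment policy check (added example; not FPE code).

Classifies an attachment by its leading bytes rather than its file name,
and flags ZIP archives whose entries carry the encryption bit, which a
scanner cannot open for inspection.  All sample attachments are constructed
inline below.
"""
import io
import zipfile

# Hypothetical policy: content types the organisation blocks, and whether
# encrypted archives are dropped because they cannot be inspected.
BLOCKED_TYPES = {"audio/mpeg", "application/x-msdownload"}
DROP_ENCRYPTED_ARCHIVES = True

# Minimal magic-byte table (a handful of well-known signatures).
MAGIC = [
    (b"ID3", "audio/mpeg"),                 # MP3 with ID3v2 tag
    (b"\xff\xfb", "audio/mpeg"),            # MP3 MPEG-1 Layer III frame sync
    (b"MZ", "application/x-msdownload"),    # Windows PE executable
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]

# What the file name claims the content is (the check a name-only filter relies on).
EXT_TO_TYPE = {
    "txt": "text/plain", "mp3": "audio/mpeg", "exe": "application/x-msdownload",
    "pdf": "application/pdf", "zip": "application/zip", "png": "image/png",
}


def type_from_name(filename):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "application/octet-stream")


def type_from_content(data):
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    # Fallback: pure ASCII is treated as text, anything else as unknown binary.
    try:
        data.decode("ascii")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


def zip_has_encrypted_entries(data):
    """True if any entry in the archive has bit 0 (encrypted) of its flags set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def evaluate_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'drop'."""
    declared = type_from_name(filename)
    actual = type_from_content(data)
    if actual in BLOCKED_TYPES:
        return "block", f"content is {actual} (name says {declared})"
    if (actual == "application/zip" and DROP_ENCRYPTED_ARCHIVES
            and zip_has_encrypted_entries(data)):
        return "drop", "encrypted archive cannot be inspected"
    return "allow", actual


# --- constructed sample attachments ---
def build_zip(entry_name, payload, encrypted=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the general-purpose flag in the local header (+6) and
        # the central-directory entry (+8).  This mimics the headers of a
        # password-protected archive without producing real ciphertext.
        lh = data.find(b"PK\x03\x04"); data[lh + 6] |= 0x1
        cd = data.find(b"PK\x01\x02"); data[cd + 8] |= 0x1
    return bytes(data)


SAMPLES = {
    "notes.txt": b"Meeting notes: budget review Tuesday.\n",
    "song.txt": b"ID3\x03\x00\x00\x00\x00\x00\x21" + b"\x00" * 40,  # MP3 renamed to .txt
    "report.zip": build_zip("report.csv", b"a,b\n1,2\n"),
    "secret.zip": build_zip("secret.doc", b"x" * 16, encrypted=True),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, evaluate_attachment(name, blob))
```

The point of the example is the gap between type_from_name and type_from_content: the renamed MP3 passes a name-based rule as text/plain but is blocked once the bytes are examined, and the archive with the encryption bit set is dropped rather than allowed through unscanned, which is the trade-off the article describes for encrypted archives.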
You will want to install FPE on every Exchange server that processes mail! You have three different options for FPE during installation:
- Edge Transport Role - This role sits on the network edge and provides inbound and outbound SMTP services for an organization. The Edge Transport role of Exchange/FPE typically does not reside in an Active Directory domain and has a minimized footprint to reduce attack surface. With 5 engines enabled on the Edge Transport, this role will ideally strip out the majority of the malware and inappropriate content coming into the environment.
- Hub Transport Role – This role provides internal routing services between Exchange users sending or receiving mail. Even two internal users sending mail to each other will have their mail pass through a Hub Transport Role. With 3 or 4 engines enabled on the Hub Transport, this role will ideally catch any internal policy violations or perhaps malware that’s attempting to propagate internally.
- Mailbox Role – This role provides Exchange mailbox services for Outlook clients to interact with. The Mailbox role is often the most heavily utilized in an Exchange environment; as a result, perhaps 1 or 2 engines enabled on the Mailbox will provide for a solid baseline of protection without impacting client performance in a perceptible way.
Since the Unified Messaging and Client Access server roles do not process mail, FPE is not required on those roles. FPE can be tuned precisely for your environment, and Microsoft provides a lot of guidance on specific scenarios in the Forefront Protection for Exchange User Guide. I recommend that you filter with all 5 engines at the Edge Transport, 3 or 4 engines on the Hub Transport and 1 or 2 engines on the Mailbox role. Since the scanning jobs are different for in-transit mail versus mail at rest in the Information Store, it’s important to do performance tuning and measuring; in one virtualized Exchange instance, enabling all 5 engines with real-time mailbox scanning turned on noticeably taxed the environment. Allocating another 2GB (4GB total) to the environment seemed to improve things marginally.
Forefront Protection for Exchange is a very solidly built product; it feels polished and can be managed at scale with the Forefront Protection Security Management Console as well. It performs well from both a performance and an accuracy perspective. The ability to scan with multiple engines, apply complex filtering of content (files and message content) and enhance anti-spam protection in one package provides real bang for the buck. Definitely consider evaluating FPE as part of your new Exchange 2010 deployment or integrating it into an existing Exchange environment, particularly if it’s a component you already own in your Microsoft licensing portfolio.