Configuring and using the E-Mail protection feature in Microsoft Forefront Threat Management Gateway Beta 2 (Part 2)

If you would like to be notified when Marc Grote releases the next part of this article series please sign up to the ISAServer.org Real time article update newsletter.

If you would like to read the first part in this article series please go to Configuring and using the E-Mail protection feature in Microsoft Forefront Threat Management Gateway Beta 2 (Part 1).

Note:
Keep in mind that the information in this article are based on a beta version of Microsoft Forefront TMG and are subject to change.


Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”

Introduction

A few months ago, Microsoft released Beta 2 from Microsoft Forefront TMG (Threat Management Gateway), which has a lot of new exiting features.

In this second article, I will show you how Microsoft Forefront TMG acts as an Anti-virus and file filtering gateway.

Let us begin

Microsoft Forefront TMG is the first Microsoft Firewall with integrated SMTP proxy functionality and own Anti-virus and Anti-spam functionality. TMG integrates the Exchange Server 2007 Edge Server component which provides most of the Anti-Spam functionality. In addition to the Anti-Spam functionality, TMG also scans e-mail traffic for viruses with a multi-engine antivirus solution where message content is scanned with up to 5 different engines based on Microsoft Forefront Security solutions.

Microsoft Forefront TMG has a new policy node called e-mail policy where all Anti-Spam, Anti-Virus and SMTP route settings are configured as you can see in the following screenshot.


Figure 1: Virus and Content Filter settings

File Filtering

Let us start with the File Filtering settings in Microsoft Forefront TMG. With TMG it is much easier to filter files based on file extension, MIME type and entire file name. It is possible to globally enable or disable File Filtering in Forefront TMG as you can see in the following picture.


Figure 2: Enable File Filtering

The first step that has to be taken is to give a name to the Filter and to configure the action if a filter matches your policy. It is also possible to specify if you want to scan inbound and/or outbound messages. 


Figure 3: General filter settings

Actions for messages matching this filter:

Delete – Deletes the file attachment. The detected file attachment is removed from the message.

Identify –
Tags the subject line or message header of the detected message with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes.

Purge – Deletes the message from your mail system.

Skip – Records the number of messages that meet the filter criteria, but enables messages to route normally. After the action for message filtering has been selected, you must select the file types you want to filter in messages.





Figure 4: Filter by file type

It is also possible to filter by custom file names. In the following screenshot, I filtered in order to find a file called dangerous.exe.


Figure 5: Filter by file name

Message Body Filter

Another option in Microsoft Forefront TMG is to filter content of messages based on keywords in the message body. It is possible to enable and to disable this feature. The filter actions are the same as for the file filter setting feature.


Figure 6: Message Body filtering

Next, you have to specify keywords that you want to filter (if TMG finds these keywords in the message body).


Figure 7: Filter special keywords

Antivirus configuration

Antivirus settings can also be enabled or disabled globally in Microsoft Forefront TMG and it is possible to select up to five Anti Virus scan engines. The Anti Virus scan engines and the technique behind this feature are based on Microsoft forefront Security products.

For a good scanning result you should select at least two Anti Virus scan engines. The more scan engines you select, the scan results will be better, but if you select more Anti Virus scan engines, the Server performance could be negative effected.


Figure 8: Select Anti Virus scan engines

It is possible to let TMG select the Anti Virus scan engines based on an Intelligent Engine Selection Policy. The default setting is to scan with a subset of selected engines which are available.

When a virus was found, TMG Administrators can select if the process should skip the scanned message, try to clean the attachment or to remove (delete) the infection. To inform the message recipient, it is possible to send a customized notification message to the recipient.


Figure 9: Configure actions when a virus was found

Antivirus options

It is possible to configure several Antivirus scanning options. One of the important ones is to select if doc files should be scanned as containers. This option configures the Antivirus scan to scan .doc files and any other files that use structured data and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. This setting is disabled by default.

It is also possible to configure a scanning and a container scanning download timeout which is by default 300 seconds for the scanning timeout and 120 seconds for the container scanning timeout.

For security reasons it is possible to configure an action to delete messages if the scanning process runs into a timeout.

If TMG found illegal MIME headers you can specify additional actions.


Figure 10: Anti Virus filter settings

Messages are always purged by default if the message body is deleted. For performance reasons, TMG does not re-scan messages after the filtering actions are applied.

Conclusion

In this second part of this article series, I gave you an overview about how Microsoft Forefront Threat Management Gateway uses its Antivirus capabilities some content features. With these new features of Microsoft Forefront TMG and the other robust ISA Server 2006 capabilities, TMG is more powerful than ISA Server 2006 and is prepared for modern threats.

Related links

If you would like to be notified when Marc Grote releases the next part of this article series please sign up to the ISAServer.org Real time article update newsletter.

If you would like to read the first part in this article series please go to Configuring and using the E-Mail protection feature in Microsoft Forefront Threat Management Gateway Beta 2 (Part 1).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top