10135 b 06
Module 6
Implementing Messaging Security
Module Overview
• Deploying Edge Transport Servers
• Deploying an Antivirus Solution
• Configuring an Anti-Spam Solution
• Configuring Secure SMTP Messaging
Lesson 1: Deploying Edge Transport Servers
• What Is the Edge Transport Server Role?
• Infrastructure Requirements for the Edge Transport Server Role
• What Is AD LDS?
• Demonstration: How to Configure Edge Transport Servers
• What Is Edge Synchronization?
• How Internet Message Flow Works
• Demonstration: How to Configure Edge Synchronization
• What Is Cloned Configuration?
What Is the Edge Transport Server Role?
The Edge Transport server role provides:
• Internet message delivery
• Antivirus and anti-spam protection
• Edge transport rules
• Address rewriting
The Edge Transport server role:
• Cannot be deployed with any other server role
• Should not be a member of the internal Active Directory domain
• Should be deployed in a perimeter network
The Edge Transport server role provides an SMTP gateway that can be used for messaging security
Infrastructure Requirements for the Edge Transport Server Role
The Edge Transport server:
• Must be configured with a Fully Qualified Domain Name
• Requires a minimal number of ports opened on the internal and external firewalls
• Must be configured with the IP addresses for DNS servers that can resolve DNS names on the Internet
What Is AD LDS?
AD LDS on an Edge Transport server stores:
• Schema information
• Configuration information
• Recipient information
AD LDS is an LDAP directory service that stores information for directory-enabled applications
You can use the Exchange Server 2010 tools to perform most of the AD LDS configuration tasks
Demonstration: How to Configure Edge Transport Servers
In this demonstration, you will review the Edge Transport server default configuration
What Is Edge Synchronization?
Edge synchronization replicates Active Directory information to AD LDS on Edge Transport servers
Edge synchronization:
• Includes configuration and recipient information
• Synchronizes only changes to the Edge Transport server
• Is always initiated by Hub Transport servers
[Diagram: Edge Synchronization between the AD DS database and the AD LDS database]
How Internet Message Flow Works
[Diagram: six numbered steps of message flow between the Hub Transport / Client Access / Mailbox Server and the Edge Transport Server]
Demonstration: How to Configure Edge Synchronization
In this demonstration, you will:
• Enable Edge Synchronization
• Test Edge Synchronization
What Is Cloned Configuration?
To implement cloned configuration, use the:
• ExportEdgeConfig script to export configuration information
• ImportEdgeConfig script to validate the configuration on the target server, and then create an answer file
• ImportEdgeConfig script to import configuration information
Cloned configuration is a process of configuring multiple Edge Transport servers with identical configurations
If you use any transport rules, ensure that you copy them separately by using the Export-TransportRuleCollection cmdlet
Lesson 2: Deploying an Antivirus Solution
• Antivirus Solution Features in Exchange Server 2010
• What Is Forefront Protection 2010 for Exchange Server?
• Deployment Options for Forefront Protection 2010
• Best Practices for Deploying an Antivirus Solution
• Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server
Antivirus Solution Features in Exchange Server 2010
Exchange Server 2010 supports:
• Using the same VSAPI as is used in Exchange Server 2003 and Exchange Server 2007
• Using transport agents to filter and scan messages
• Using antivirus stamping to mark each scanned message
• Integration with Forefront Protection 2010 for Exchange Server
What Is Forefront Protection 2010 for Exchange Server?
Benefits of Forefront Protection 2010 for Exchange Server include:
• Full support for VSAPI
• Antivirus scan with multiple scan engines
• Microsoft IP Reputation Service
• Automated content filtering updates
• Spam signature updates
• Premium spam protection
Forefront Protection 2010 for Exchange Server is a separate antivirus software package that can be integrated with Exchange Server 2010
Deployment Options for Forefront Protection 2010
You can install Forefront Protection 2010:
• Only on an Edge Transport server or a Hub Transport server
• On an Edge Transport server or a Hub Transport server and a Mailbox server
When installing Forefront Protection 2010, consider:
• The number of scan engines required
• The types of scan engines that should be used
Best Practices for Deploying an Antivirus Solution
When you implement an antivirus solution, you should:
• Implement multiple layers of antivirus, such as:
  • Firewall or Edge Transport server
  • Client
  • Exchange server
• Maintain regular antivirus updates
Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server
In this demonstration, you will see how to:
• Install Forefront Protection 2010 for Exchange Server
• Configure Forefront Protection 2010 for Exchange Server
• Manage Forefront Protection 2010 for Exchange Server
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 for Exchange Server
• Exercise 1: Configuring Edge Transport Servers
• Exercise 2: Configuring Forefront Protection 2010 for Exchange Server
Logon information
Estimated time: 45 minutes
Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. Your organization has deployed Exchange Server 2010 internally, and it now wants to extend it so that everybody can send and receive Internet email.
As part of your job responsibilities, you need to set up an Edge Transport server, and then install an antivirus solution to scan all mail.
Lab Review
• When you implement new certificates on your existing Edge Transport server, what do you need to consider?
• Does Forefront Protection 2010 for Exchange Server scan the message multiple times when it is passed over Edge Transport and Hub Transport servers?
Lesson 3: Deploying an Anti-Spam Solution
• Overview of Spam-Filtering Features
• How Exchange Server 2010 Applies Spam Filters
• What Is Sender ID Filtering?
• What Is Sender Reputation Filtering?
• What Is Content Filtering?
• Demonstration: How to Configure Anti-Spam Options
Overview of Spam-Filtering Features
| Feature | Filters messages based on |
|---|---|
| Connection Filtering | The IP address of the sending SMTP server |
| Content Filtering | The message contents |
| Sender ID | The IP address of the sending server from which the message was received |
| Sender Filtering | The Sender in the MAIL FROM: SMTP header |
| Recipient Filtering | The Recipients in the RCPT TO: SMTP header |
| Sender Reputation | Several characteristics of the sender, accumulated over a period of time |
| Attachment Filtering | Attachment file name, file name extension, or file MIME content type |
How Exchange Server 2010 Applies Spam Filters
[Diagram: spam filters applied to Internet mail on the Exchange Server 2010 Edge Transport server. Labels: Connection Filtering (IP Allow List, IP Block List, RBL), Sender Filtering, Recipient Filtering, Sender ID Filtering, Content Filtering, Outlook Safe Senders List, Below SCL Threshold, Exceed SCL Threshold]
What Is Sender ID Filtering?
[Diagram: four numbered steps involving the Internet SMTP server, the DNS server, the Edge Transport server, and the Hub Transport server]
You can configure it to:
• Reject messages and issue a nondelivery report (NDR)
• Delete messages without sending an NDR
• Stamp the messages with the Sender ID result, and continue processing
Sender ID filtering is a concept in virus protection that was introduced in Exchange Server 2007
What Is Sender Reputation Filtering?
The Protocol Analysis agent assigns an SRL that is based on:
• Sender open proxy test
• HELO/EHLO analysis
• Reverse DNS lookup
• Analysis of SCL ratings on messages from a particular sender
Sender Reputation filtering filters messages based on information about recent email messages received from specific senders
What Is Content Filtering?
You can configure content filtering to:
• Delete, reject, or quarantine messages that exceed an SCL value
• Block or allow messages based on a custom word list
• Allow exceptions so that messages sent to specified recipients are not filtered
Content Filtering analyzes the content of each email message and assigns an SCL to the message
Quarantined messages are sent to a quarantine mailbox
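The Sender ID actions and the content filtering options listed on the two slides above map onto Exchange Management Shell settings as follows. This is an added example, not part of the course material; the threshold values, phrases, and the contoso.example addresses are constructed placeholders.

```powershell
# Added example: run in the Exchange Management Shell on the Edge Transport server.
# All thresholds, phrases and addresses are constructed for illustration.

# Sender ID: of the three actions (Reject, Delete, StampStatus), stamp the result
# and continue processing, so that the result is available to later filters.
Set-SenderIdConfig -Enabled $true `
    -SpoofedDomainAction StampStatus `
    -TempErrorAction StampStatus

# Content filtering: quarantine needs a mailbox to deliver to, so set it first.
Set-ContentFilterConfig -QuarantineMailbox 'spamquarantine@contoso.example'

# Each action fires when a message's SCL is equal to or greater than its threshold.
# Keep the thresholds in descending order (delete > reject > quarantine) so the
# most severe action is reserved for the highest scores.
Set-ContentFilterConfig `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7

# Custom word list: a GoodWord lets a message through, a BadWord blocks it.
Add-ContentFilterPhrase -Phrase 'Project Falcon status report' -Influence GoodWord
Add-ContentFilterPhrase -Phrase 'constructed unwanted phrase' -Influence BadWord

# Exception: messages sent to this recipient are not content filtered
# (useful for an abuse or postmaster mailbox that must receive spam samples).
Set-ContentFilterConfig -BypassedRecipients 'abuse@contoso.example'

# Review the resulting configuration.
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction, TempErrorAction
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox, BypassedRecipients
Get-ContentFilterPhrase | Format-Table Phrase, Influence
```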
Demonstration: How to Configure Anti-Spam Options
In this demonstration, you will see how to:
• Configure Connection Filtering
• Configure Sender and Recipient Filtering
• Configure Sender ID and Sender Reputation Filtering
• Configure Content Filtering
Lesson 4: Configuring Secure SMTP Messaging
• Discussion: SMTP Security Issues
• SMTP Email Security Options
• Demonstration: How to Configure SMTP Security
• What Is Domain Security?
• How Domain Security Works
• Process for Configuring Domain Security
• Demonstration: How to Configure Domain Security
• How S/MIME Works
Discussion: SMTP Security Issues
• What are the SMTP security issues?
• How do you currently secure SMTP?
SMTP Email Security Options
| Protocol | Layer | Purpose |
|---|---|---|
| IPSec | Network-based | Encrypts server-to-server or client-to-server traffic |
| VPN | Network-based | Encrypts site-to-site traffic |
| TLS | Session-based | Encrypts server-to-server traffic |
| S/MIME | Client-based | Encrypts client-side email and enables digital signing |

SMTP email can be additionally secured by using authentication and authorization on the SMTP connector
Demonstration: How to Configure SMTP Security
In this demonstration, you will see how to:
• Configure an externally secured SMTP Connector
• Configure an SMTP Connector that requires TLS and authentication
What Is Domain Security?
To set up mutual TLS:
• Generate a certificate request for TLS certificates
• Import and enable the certificate on the Edge Transport server
• Configure outbound Domain Security
• Configure inbound Domain Security
Domain Security uses mutual TLS with business partners to enable secured message paths over the Internet
How Domain Security Works
[Diagram: two numbered steps between two mail clients]
Process for Configuring Domain Security
To configure Domain Security:
1. Generate a certificate request for TLS certificates
2. Import certificate to Edge Transport servers
3. Configure outbound Domain Security
4. Configure inbound Domain Security
5. Notify partner to configure Domain Security
6. Test mail flow
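The Domain Security process above, sketched in the Exchange Management Shell. This is an added example, not part of the course material; the host name edge01.contoso.example, the partner domain partner.example, the connector name 'Internet', and the C:\certs paths are assumed placeholders.

```powershell
# Added example. Placeholders (assumptions): host name, partner domain,
# connector name 'Internet' and the C:\certs file paths.
$edgeFqdn = 'edge01.contoso.example'
$partner  = 'partner.example'

# --- On the Edge Transport server ---
# Step 1: generate a certificate request whose name matches the FQDN
# the partner's servers will see in the TLS handshake.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$edgeFqdn" -DomainName $edgeFqdn -PrivateKeyExportable $false
Set-Content -Path 'C:\certs\edge01.req' -Value $request

# Step 2: import the certificate issued by the CA and enable it for SMTP.
$bytes = [byte[]](Get-Content -Path 'C:\certs\edge01.cer' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $bytes | Enable-ExchangeCertificate -Services SMTP

# --- On a Hub Transport server (replicated to the Edge by Edge synchronization) ---
# Step 3: outbound. Append to the list rather than overwrite existing partners.
$config = Get-TransportConfig
$config.TLSSendDomainSecureList += $partner
Set-TransportConfig -TLSSendDomainSecureList $config.TLSSendDomainSecureList
Set-SendConnector -Identity 'Internet' -DomainSecureEnabled $true -DNSRoutingEnabled $true

# Step 4: inbound, organization side.
$config = Get-TransportConfig
$config.TLSReceiveDomainSecureList += $partner
Set-TransportConfig -TLSReceiveDomainSecureList $config.TLSReceiveDomainSecureList

# Push the changes to AD LDS on the Edge Transport server now.
Start-EdgeSynchronization

# --- On the Edge Transport server ---
# Step 4 (continued): the Internet-facing Receive connector must offer TLS.
# Note: -AuthMechanism replaces the connector's existing mechanisms.
Set-ReceiveConnector -Identity 'Internet' -DomainSecureEnabled $true -AuthMechanism TLS

# Step 6 preparation: confirm the settings before testing mail flow with the partner.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-ReceiveConnector | Format-List Name, DomainSecureEnabled, AuthMechanism
Get-ExchangeCertificate | Format-List Subject, Services, NotAfter, Status
```

Step 5 has no local command: the partner has to make the mirror-image configuration on their side, and mail is only treated as domain secured once both ends present certificates the other validates.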
Demonstration: How to Configure Domain Security
In this demonstration, you will see how to:
• Verify certificate and check Receive connector
• Configure Domain Security
How S/MIME Works
| Method | Type of Security Provided |
|---|---|
| Digital signatures | Authentication: The message was sent by the person or organization who claims to have sent it |
| | Nonrepudiation: Helps to prevent the sender from disowning the message |
| | Data integrity: Any alteration of the message invalidates the signature |
| Message encryption | Only the intended recipient can view the contents |

S/MIME Infrastructure requirements:
• The sender must have a valid certificate installed
• All target addresses must have a public certificate available either locally or in Active Directory
• Can use either an internal or public CA
Lab B: Implementing Anti-Spam Solutions
• Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers
Estimated time: 65 minutes
Logon information
Lab Scenario
After configuring the Edge Transport server and installing an antivirus solution, you must implement an anti-spam solution.
Lab Review
• What anti-spam agents are available in Exchange Server 2010?
• What is the purpose of the SCL threshold?
• What are the possible issues in implementing Domain Security for your partner domains?
Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips