Setting Up Microsoft® Forefront Online Security for Exchange (FOSE) Hosted Filtering and Exchange Hosted Archive 8.1
Welcome to Microsoft® Forefront Online Security for Exchange (FOSE) Hosted Filtering and Exchange Hosted Archive (EHA) services. This document will guide you through setting up the FOSE and EHA services, including how to configure the services and best practices. The following illustrations show how the services work with your corporate network to provide filtering and archiving of your corporate communications.
Log On to the Services

You must log on to access your filtering and archive services, and the Administration Center where you configure your services.

To log on to your services:
1. In your Internet browser, enter the link provided when you signed up for the services (it is in the Service Activation Instruction/Next Steps e-mail).
2. When prompted, set your password, and click Enter. You are now logged on.

Checklists
The following checklists summarize the steps in the following sections. If you have only signed up for the Hosted Archive service, skip to Section Three. Each checklist has Complete and Date columns for recording your progress.

Section One: Set Up Exchange Hosted Filtering
Step 1: Add Your Domains to Exchange Hosted Filtering and Archive Services
Step 2: Validate Your Domains
Step 3: Set Up Outbound E-mail Filtering
Step 4: Update the MX Record for Your Domains
Step 5: Restrict Incoming E-mail to E-mail Sent from the Hosted Filtering Service
Step 6: Set Up E-mail Deferral Notification Alerts

Section Two: Exchange Hosted Filtering Best Practices
1. Recommended Network Connection Settings
2. SPF Record Settings for Outbound E-mail Filtering
3. User List Source
4. Security: IP Restrictions
5. Security: Password Policies
6. Spam Filtering
7. Spam Filter
8. False Positive Submissions
9. Policy Filter: Phishing and Spoofing Prevention
10. Policy Filter: Extension Blocking

Section Three: Set Up Exchange Hosted Archive
Step 7: Confirm Domains
Step 8: Set Up All User Accounts in Hosted Archive
Step 9: Configure Archived Message Retention Periods
Step 10: Set Up Bloomberg Capture (Optional)
Step 11: Set Up Instant Messaging (IM) Message Capture (Optional)
Step 12: Configure Journaling on Your Exchange Server
Step 13: Activate Your Hosted Archive
Step 14: Request a Letter of Attestation

Section One: Set Up Exchange Hosted Filtering
If you have only subscribed to the Hosted Archive service, skip to Section Three.
Step 1: Add Your Domains to Exchange Hosted Filtering and Archive Services

To add your domains:
1. Sign on to the service, and make sure you are in the Administration Center. To go to the Administration Center, on the upper right, click your sign-on name and then click Administration.
2. Click the Administration tab. Some of the Company settings are preconfigured based on the information you provided when you signed up. Review this information and make any changes needed to set up your company.
3. Under the Administration tab, there is a set of subtabs for Administration. Click the Domains subtab.
4. In the Tasks pane in the upper right, click Add Domains.
5. Check that the domains you want to use with the service are all listed. If you need to add a domain:
   a. In the Add New Domains dialog box, enter the names of one or more domains that you want to add to the service. To use the settings from an existing domain, under Choose an existing Domain as template, enter the domain name.
   b. Click OK to add the domain to the service.
Step 2: Validate Your Domains

Each domain using the services must be validated and enabled.

To validate a domain:
1. Sign on to the service, and make sure you are in the Administration Center. To go to the Administration Center, on the upper right, click your sign-on name and then click Administration.
2. On the Administration tab, click the Domains subtab.
3. In the Domains list, click the domain you want to validate. To search for the domain, enter the name of the domain in the search box and click Go. The domain details page will open.
4. In the Tasks pane, click Validate Domain. The Validate Domain dialog box displays the information you need to create the CNAME entry in your Domain Name System (DNS) that will allow the service to validate your domain. For example:

   Associated Domain: contoso.com (your domain)
   Alias (sub domain): 1955b1ad-cec0-4115-8041-ad91fd2d5a34 (GUID)
   Resource Record Type: CNAME
   Associated Domain: admin.messaging.microsoft.com. (hostname)

   Note: You can copy this information and then click Cancel and come back later if necessary.
5. In your domain’s DNS record, or in your ISP domain's DNS settings, edit the CNAME entry and add the GUID and hostname for each domain to the CNAME. If you have questions on how to add the CNAME, contact your DNS provider.
Note: Be sure to include the period included at the end of the hostname when you add it to your domain's DNS record.
6. Allow enough time for the DNS changes to propagate, and then return to the Validate Domain dialog box and click Start to begin the validation process. When you receive a message that the domain has been validated, it is automatically enabled.

Note: Propagation of domain DNS changes across all DNS servers on the Internet can take from a couple of minutes up to 72 hours. If the DNS CNAME validation fails, wait a little longer and then try again. If the domain validation is still failing after 72 hours, check your domain's CNAME entry to verify that the GUID and hostname are correct. If you have verified the entry and the validation is still failing, contact Microsoft Technical Support for help.
7. Repeat these steps for all domains using the services.
Step 3: Set Up Outbound E-Mail Filtering

The next step is to set up your e-mail server so that all outbound e-mail is also filtered. This step sends all outbound e-mail through the Hosted Filtering service to be scanned for viruses, matches to Policy Filter rules, and spam characteristics before it is sent.

To set up outbound e-mail filtering:
1. Ensure that the outbound domains you are using are not being used as open relays. For more information, see Securing Your Exchange Server (http://go.microsoft.com/fwlink/?LinkId=165541).
2. Configure your e-mail server to direct all outbound e-mail to mail.messaging.microsoft.com.
3. Add all network IP addresses and domains that you will be sending e-mail from to the Hosted Filtering service using the Microsoft Forefront Online Security for Exchange Administration Center. Because outbound access through the Hosted Filtering service network is IP-restricted and domain-restricted, you must do this for each IP address and domain to ensure that it is filtered.
How the Outbound Filtering Service Works
Outbound e-mail from domains listed in the Administration Center is delivered by one of the IP addresses in the Outbound Pool. E-mail classified as possible junk is still delivered, but through a separate pool of IPs known as the Higher Risk Delivery Pool. In this way, if an IP in the Higher Risk Delivery Pool is added to a third-party block list, the delivery of junk e-mail generated by compromised machines or improperly configured domains may be affected, but legitimate e-mail flow is not. This filtering process helps reduce the risk of spam being sent from the Hosted Filtering service, which could lead to some of the outbound IP addresses of the Hosted Filtering service being blocked by companies and by third-party security organizations.

Important: If your outbound IP address is found to be sending spam, the service may disable it to protect the rest of the network until the problem is resolved.
Step 4: Update the MX Record for Your Domains

To activate the service, you must update the MX record in your domain's DNS record.

To update your MX record: In your domain's DNS record, or in your ISP domain's DNS settings, edit the MX record for your domains to mail.messaging.microsoft.com. If you have questions on how to change the MX record, contact your DNS provider.

Important: Do not resolve mail.messaging.microsoft.com to an IP address. For optimal performance, this address should be your only MX record.
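The two DNS checks from Steps 2 and 4 (the validation CNAME with its trailing dot, and a single MX that is a hostname rather than an IP) can be scripted. The following is an added example, not part of this guide: it works on record data you pass in, such as values pasted from your DNS provider, so it runs offline; the GUID is the one from the guide's own example and the contoso.com records are constructed.

```python
"""Offline readiness checks for the validation CNAME (Step 2) and the MX
record (Step 4). Added example, not from the guide or from Microsoft."""
import ipaddress

VALIDATION_TARGET = "admin.messaging.microsoft.com."
MX_TARGET = "mail.messaging.microsoft.com."


def normalize_fqdn(name: str) -> str:
    """Lower-case a host name and give it exactly one trailing dot, so that
    'Admin.Messaging.Microsoft.com' and 'admin.messaging.microsoft.com.'
    compare equal. The trailing dot is what the guide's note warns about."""
    return name.strip().lower().rstrip(".") + "."


def check_validation_cname(domain: str, guid: str, cname_records: dict) -> list:
    """Return a list of problems (empty list = ready to click Start).
    cname_records maps owner name -> target, e.g. {'<guid>.contoso.com': '...'}."""
    problems = []
    owner = normalize_fqdn(f"{guid}.{domain}")
    targets = {normalize_fqdn(k): normalize_fqdn(v) for k, v in cname_records.items()}
    if owner not in targets:
        problems.append(f"no CNAME found for {owner}")
    elif targets[owner] != VALIDATION_TARGET:
        problems.append(f"{owner} points to {targets[owner]}, expected {VALIDATION_TARGET}")
    return problems


def check_mx(domain: str, mx_records: list) -> list:
    """Return a list of problems with the domain's MX records.
    mx_records is a list of (preference, exchange) tuples."""
    problems = []
    if not mx_records:
        return [f"{domain} has no MX record"]
    exchanges = [normalize_fqdn(host) for _, host in mx_records]
    for host in exchanges:
        bare = host.rstrip(".")
        try:
            ipaddress.ip_address(bare)
            problems.append(f"MX {bare} is an IP literal; the guide says not to resolve the hostname")
            continue
        except ValueError:
            pass  # a hostname, as expected
        if host != MX_TARGET:
            problems.append(f"MX {bare} is not {MX_TARGET.rstrip('.')}")
    if len(exchanges) > 1:
        problems.append("more than one MX record; for optimal performance keep only the service MX")
    return problems


if __name__ == "__main__":
    # Constructed data mirroring the guide's example.
    GUID = "1955b1ad-cec0-4115-8041-ad91fd2d5a34"
    print(check_validation_cname("contoso.com", GUID,
          {f"{GUID}.contoso.com": "admin.messaging.microsoft.com"}))   # []
    print(check_mx("contoso.com", [(10, "mail.messaging.microsoft.com")]))  # []
    print(check_mx("contoso.com", [(10, "mail.messaging.microsoft.com"),
                                   (20, "mail.contoso.com")]))  # two problems
```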
Step 5: Restrict Incoming E-mail to E-mail Sent from the Hosted Filtering Service

Important: Wait 72 hours after changing your MX record to allow the service activation to fully propagate across the Internet.

To restrict incoming e-mail:
1. In the Administration Center, click the Information tab, and then in the Welcome pane, click the Configuration tab.
2. Under IP addresses to configure on your firewall, copy or note the Hosted Filtering Service IP addresses that are listed.
3. On your firewall or mail servers, restrict inbound port-25 SMTP traffic to only accept e-mail from the IP addresses noted above. For information on how to restrict traffic, see your firewall or mail server documentation.

After this step is complete, your mail servers will only receive e-mail from the Hosted Filtering service data centers.

Step 6: Set Up E-mail Deferral Notification Alerts

Deferral notification alerts inform administrators if inbound e-mail is being deferred. If the Hosted Filtering service servers cannot connect to your mail servers to deliver incoming e-mail, the service automatically queues the e-mail for later delivery and alerts the addresses you provide in the deferral notification alert settings.

To set up e-mail deferral notification alerts:
1. On the Administration tab, click the Domains tab.
2. Click the name of the domain that you want to modify.
3. In the Notification Settings pane, in the bottom left of the domain details page, next to Deferral Notifications, click Activate (or Edit).
4. In the Number of deferrals before notification box, type the number of messages that can be deferred before a deferral notification is sent. For example, if you enter 300 in this box, then 300 messages can be deferred before a deferral notification is sent.
5. In the Administrator e-mail address box, type an e-mail address not in the affected domain where you want deferral notifications sent.

Note: For each domain in your company, you can set up multiple SMTP addresses to receive e-mail notifications of delivery delays for e-mail destined for your domain. Each entry can have its own individual threshold settings.
These SMTP addresses must be for domains outside of the domain being configured.
The following examples show how to set the threshold limit and alert scope for the deferral notification alert settings:

   Notification 1: threshold=100, alert = network administrator
   Notification 2: threshold=500, alert = operations manager
   Notification 3: threshold=1000, alert = operations distribution list

6. Click Save.

Section Two: Hosted Filtering Best Practices
1. Recommended Network Connection Settings

The Hosted Filtering service has been configured with connection restrictions to protect itself from malicious attacks. To optimize your server for successful communication, we recommend that the SMTP server be configured with a connection timeout of 60 seconds. After your firewall rules have been restricted to only allow inbound SMTP connections from the IP addresses used by the Hosted Filtering service, we recommend that the SMTP server be configured to accept the highest number of concurrent inbound connections from the service that you are comfortable with. If the server is sending outbound e-mail through the Hosted Filtering service, we also recommend that the server be configured to send no more than 50 messages per connection and to use fewer than 50 concurrent connections. Under normal circumstances, these settings will help ensure that the server has smooth and continuous data transfer to the service.
2. SPF Record Settings for Outbound E-mail Filtering

SPF is used to prevent unauthorized use of a domain name when sending e-mail (a technique also known as "spoofing") by providing a mechanism to validate sending hosts. For domains sending outbound e-mail through the filtering network, you must include "spf.messaging.microsoft.com" in your SPF record as well as your individual outbound mail server IP addresses.

Note: These instructions are only valid for domains sending e-mail outbound through the filtering network.

Because SPF is used to validate that a given IP address is authorized to send mail for a given domain, the outbound IP addresses for the filtering network must also be included in the SPF record. The easiest way to add the entire set of IPs is to use the "include:spf.messaging.microsoft.com" statement in your SPF record. In addition, you will also want to list all of your outbound mail server IP addresses. These IP addresses are required to ensure mail delivery to other clients of FOSE. Each IP address should be added with an ip4: statement. For example, to include "127.0.0.1" as an accepted outbound sending IP you would add "ip4:127.0.0.1" to your SPF record. If you know all of the authorized IPs, add them using the -all (Fail) qualifier. If you are not sure that you have the complete list of IPs, then you should use the ~all (SoftFail) qualifier.

Example: Contoso.com has three outbound mail servers, 127.0.0.1, 127.0.0.2 and 127.0.0.3. Contoso's original SPF record looked like this:

   "v=spf1 ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"

After routing mail through FOSE, Contoso's SPF record looks like this:

   "v=spf1 include:spf.messaging.microsoft.com ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
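To see what the before and after records actually do, the following added example (not from the guide or from Microsoft) parses an SPF record, lints it against the rules above (service include present, own ip4 entries present, -all or ~all at the end), and evaluates a sending IP against it. It handles only the ip4, include and all mechanisms the guide uses; the contents of the included record are a constructed stand-in for the DNS lookup a real check would perform, and the 127.0.0.x addresses are the guide's placeholder values.

```python
"""Parse, lint and evaluate an SPF record for a FOSE outbound domain.
Added example; the included record below is constructed, not the real one."""
import ipaddress

SERVICE_INCLUDE = "spf.messaging.microsoft.com"

# Constructed stand-in for DNS: what the included domain's TXT record contains.
# A real checker fetches spf.messaging.microsoft.com's record at check time.
FAKE_DNS_TXT = {
    "spf.messaging.microsoft.com": "v=spf1 ip4:198.51.100.0/24 -all",  # constructed
}


def parse_spf(record: str) -> list:
    """Split an SPF record into (qualifier, mechanism, argument) triples.
    Raises ValueError on records that do not start with v=spf1."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def lint_outbound_spf(record: str) -> list:
    """Return the problems a FOSE outbound domain should fix before relying on SPF."""
    problems = []
    terms = parse_spf(record)
    includes = [arg for _, mech, arg in terms if mech == "include"]
    if SERVICE_INCLUDE not in includes:
        problems.append(f"missing include:{SERVICE_INCLUDE}")
    if not any(mech == "ip4" for _, mech, _ in terms):
        problems.append("no ip4: entries for your own outbound mail servers")
    alls = [q for q, mech, _ in terms if mech == "all"]
    if not alls:
        problems.append("no 'all' mechanism; add -all or ~all")
    elif alls[-1] not in ("-", "~"):
        problems.append(f"'{alls[-1]}all' is too permissive; use -all (Fail) or ~all (SoftFail)")
    return problems


def evaluate(record: str, sender_ip: str) -> str:
    """Simplified SPF check: returns pass, fail, softfail or neutral.
    Mechanisms are tried left to right; the first match decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        matched = False
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only if the included record yields pass
            matched = evaluate(FAKE_DNS_TXT[arg], sender_ip) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


if __name__ == "__main__":
    BEFORE = "v=spf1 ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
    AFTER = f"v=spf1 include:{SERVICE_INCLUDE} ip4:127.0.0.1 ip4:127.0.0.2 ip4:127.0.0.3 -all"
    print(lint_outbound_spf(BEFORE))        # ['missing include:spf.messaging.microsoft.com']
    print(lint_outbound_spf(AFTER))         # []
    print(evaluate(AFTER, "198.51.100.7"))  # pass (via the include)
    print(evaluate(AFTER, "203.0.113.9"))   # fail
```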
3. User List Source

All domains entered into the Administration Center should be configured so that the User List source is the Directory Synchronization Tool. The free Directory Synchronization Tool is the best way to securely synchronize selected data between an on-premises Active Directory and the Forefront Online Security for Exchange (FOSE) and Exchange Hosted Archive (EHA) services. After the Directory Synchronization Tool (DST) (http://go.microsoft.com/fwlink/?LinkId=165363) has been downloaded, a list of users (and their e-mail addresses) can be uploaded via the DST to the Hosted Filtering service network. The uploaded list of users can then be used for Directory Based Edge Blocking (by setting the domain's Directory Based Edge Blocking to Reject mode) or for Spam Quarantine access. Customers who do not have a Microsoft Windows Active Directory environment can set the User List source to Admin Center or Secure FTP.
4. Security: IP Restrictions

Access to the subscribed services can be restricted to users connecting to the Web sites from specified IP addresses. Access from other IP addresses is not allowed with this configuration, which minimizes the probability of unauthorized access. IP restriction settings are available at the company scope, at the domain scope, and at the user scope.
5. Security: Password Policies

Strong passwords should be used at all times and for all accounts, especially administrator accounts. Strong passwords require lowercase and uppercase letters, numbers, and special characters (such as ?, !, @, and $), and should be set to expire frequently, such as every 3, 4, or 6 months.
6. Spam Filter

The following ASF options are recommended to be enabled in addition to the basic spam filtering settings:
- Images from remote sites
- Numeric IP in URL
- Empty messages

These rules may be added to increase spam blocking above 95% with little risk of increasing false positives.

Important: For customers with high spam percentages, we recommend that you first test these rules before implementing them in your production environment.
Additional spam filtering (ASF) options are also available. Consider enabling these options in Test mode to identify additional aggressive spam options. These additional options will help maximize spam blocking, based upon your environment. You should submit any spam that gets through to your inbox to the Hosted Filtering service Spam Team at [email protected] for review. You can also allow your end users to install the Junk E-mail Reporting Tool for use with Microsoft® Office Outlook®. The Junk E-mail Reporting Tool enables the end user to quickly submit junk e-mail messages to [email protected] for analysis to improve junk e-mail filtering effectiveness. The Junk E-mail Reporting Tool can be downloaded from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=165364). It is also possible to configure your domain to display the download link for the Junk E-mail Reporting Tool so that end users see it when they sign into the Quarantine Web site.
7. False Positive Submissions

The vast majority of messages submitted as false positives are indeed spam messages that were accurately filtered, but are still wanted by the intended recipients. To gain insight into the type and number of messages reported to the Hosted Filtering service as false positives, administrators should configure the false positive submission copy feature of the spam filter to provide them with a copy of the messages for review.

Important: Prior to sending a false positive submission, end users must either sign in to the Quarantine Web site to view the message or salvage the message to view it, and then forward it to [email protected].
False positive messages must be submitted by forwarding the entire message and all Internet headers to the false_positive mailbox.
8. Policy Filter: Phishing and Spoofing Prevention

The policy filter can be used to defend corporate networks from e-mail attacks and protect end users' confidential information. Additional anti-phishing protection can be accomplished by detecting personal information in e-mail leaving the organization. The following regular expressions, for example, can be used to detect transmission of personal financial data or information that may compromise privacy:

   \d\d\d\d \d\d\d\d \d\d\d\d \d\d\d\d    (MasterCard, Visa)
   \d\d\d\d \d\d\d\d\d\d \d\d\d\d\d\d     (American Express)
   \d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d       (any 16-digit number)
   \d\d\d-\d\d-\d\d\d\d                    (Social Security Numbers)

Spam and phishing can be prevented by blocking inbound e-mail that appears to have been sent from your own domain. Create a reject rule for messages from yourdomain.com sent to yourdomain.com to block this type of sender forgery.

Note: This rule should only be created if you are certain that no legitimate e-mail from your domain is sent from the Internet to your mail server.
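The following added example (not the product's own rule engine, and not from this guide) shows the policy-filter rules of item 8 and the extension block lists of item 10 applied to constructed messages: the four patterns above as Python regular expressions, the own-domain reject rule, and an attachment check that also catches double extensions such as invoice.pdf.exe. A Luhn checksum, which the guide does not mention, is added to show how the "any 16-digit number" pattern can be made less noisy; everything it flags is constructed test data.

```python
"""Constructed policy-filter rules modelled on items 8 and 10 of this guide.
Added example, not the product's rule engine. Patterns use Python re syntax
(\\d = digit) and are copied as listed in the guide; Luhn is an addition."""
import re

# Patterns from the guide, as Python regular expressions.
PATTERNS = {
    "card (MasterCard, Visa)": re.compile(r"\b\d{4} \d{4} \d{4} \d{4}\b"),
    "card (American Express)": re.compile(r"\b\d{4} \d{6} \d{6}\b"),
    "any 16-digit number": re.compile(r"\b\d{16}\b"),
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Extension lists from item 10 of the guide: the minimum set and the extended set.
BLOCK_MINIMUM = {"exe", "pif", "scr", "vbs"}
BLOCK_EXTENDED = BLOCK_MINIMUM | {
    "ade", "adp", "ani", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "hlp",
    "ht", "hta", "inf", "ins", "isp", "job", "js", "jse", "lnk", "mda", "mdb",
    "mde", "mdz", "msc", "msi", "msp", "mst", "pcd", "reg", "sct", "shs", "url",
    "vb", "vbe", "wsc", "wsf", "wsh",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (added refinement): true for plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 if n < 5 else n * 2 - 9
        total += n
    return total % 10 == 0


def find_personal_data(body: str) -> list:
    """Return (rule name, matched text) pairs for the guide's regex rules.
    Card-style matches are kept only when the digits pass Luhn."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            digits = re.sub(r"\D", "", m.group())
            if name.startswith(("card", "any")) and not luhn_ok(digits):
                continue  # 16 digits that are not a card number: order ids etc.
            hits.append((name, m.group()))
    return hits


def blocked_extension(filename: str, blocklist=BLOCK_EXTENDED) -> bool:
    """True if the attachment should be blocked. Every suffix after the first
    dot is examined, so 'invoice.pdf.exe' and 'Setup.EXE ' are both caught."""
    parts = filename.strip().lower().rstrip(". ").split(".")
    return any(ext in blocklist for ext in parts[1:])


def own_domain_spoof(mail_from: str, rcpt_to: str, own_domain: str) -> bool:
    """Guide's reject rule: inbound mail claiming to be from your own domain
    and addressed to your own domain (only valid if no legitimate mail of
    yours arrives from the Internet)."""
    own = own_domain.lower()
    return (mail_from.rsplit("@", 1)[-1].lower() == own
            and rcpt_to.rsplit("@", 1)[-1].lower() == own)


if __name__ == "__main__":
    # Constructed message body: a Luhn-valid test card, an order id, an SSN.
    body = "Card 4111 1111 1111 1111, order 1234567812345678, SSN 123-45-6789."
    print(find_personal_data(body))  # card and SSN flagged; the order id is not
    print(blocked_extension("invoice.pdf.exe"), blocked_extension("report.pdf"))
    print(own_domain_spoof("ceo@contoso.com", "finance@contoso.com", "contoso.com"))
```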
9. Policy Filter: Extension Blocking

You can prevent some e-mail attack threats by blocking certain file name extensions.

At a minimum, the following extensions should be blocked:

   exe, pif, scr, vbs

For increased protection, blocking some or all of the following extensions is recommended:

   ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh

Section Three: Hosted Archive Launch Checklist
Step 7: Confirm Domains

1. Log on as the Compliance Manager to the Hosted Archive service using the information provided to you in the Next Steps e-mail (initially, only the Compliance Manager can log on). The Web site address is: https://emea.archive.messaging.microsoft.com
2. In the Hosted Archive Admin Center, on the Company page, confirm that all relevant and pertinent domains that are to be archived are listed.
3. If you spot a spelling error or you need to add or delete domains, contact Technical Support.
Step 8: Set Up All User Accounts in the Hosted Archive

There are several methods of setting up user accounts in the Hosted Archive:
- Single user (manual data entry into the Web UI)
- Multiple user (bulk data upload)
- Directory Synchronization (DST) from your Active Directory

To create a single user:
1. In the Hosted Archive Admin Center, on the People page, click Add an Employee on the menu bar.
2. In the Add an Employee dialog box, enter the first name, last name, and e-mail address of the user.
3. Click Save.

To create multiple users:
1. On the People page, click Add an Employee.
2. In the Add an Employee dialog box, click Multiple Entries.
3. Using the sample text on the screen as a syntax guide, enter the appropriate information. For each user, the first and last names must each be one word with no spaces, so remove any spaces in the first name, or between first and middle names. For example, list an account with a first name of Jo Ann as JoAnn. When you have entered all the names, you can click Multiple People Editing to adjust the last name back to the proper format.

   Note: You can upload only 1,000 users at one time.
4. Click Save.

To create multiple users and set user properties with bulk upload:
1. On the People page, click Import on the menu bar.
2. From the list above the sample text, select the category of data you want to upload. A number of data elements can be bulk uploaded (maximum 1,000 aliases or other data elements at one time), including:
   - E-mail alias
   - IM alias
   - Bloomberg alias
   - Unique user information
   - Password (hint)
   - Out-of-band e-mail address
   - Distribution list members
   - Supervisor (including sampling rates)
   - Callee/caller
3. Using the sample text on the screen as a syntax guide, enter the appropriate information. When uploading multiple aliases, you must separate each alias account with a comma. For example:

   [email protected], [email protected], [email protected]

4. Click Save.
Directory Synchronization
You can use the Directory Synchronization Tool (DST) to automate the process of adding and disabling user accounts in the Hosted Archive. If you use the DST, the procedure varies depending on whether you are an existing Hosted Archive customer or a new customer with no existing users in the Hosted Archive service.

To use Hosted Archive Directory Synchronization for new Archive customers:
1. Use the Bulk Upload feature to upload users for all roles other than the role you will use for the majority of your users (which you will configure in step 4, before activating Directory Synchronization).
2. Follow the instructions in the Directory Synchronization Tool Administration Guide (http://go.microsoft.com/fwlink/?LinkId=164219) to download, install, and run the DST.

   Note: Review the recipient list in the DST to help ensure that you are including the appropriate users.

3. Configure default synchronization options in the Default People Template, such as user roles and message retention settings, to best suit the majority of your users.
4. Activate Directory Synchronization for your organization in the Web-based UI.
5. Use the Bulk Upload process (described previously) to add any IM or Bloomberg alias data to your hosted archive.

To use Hosted Archive Directory Synchronization for existing Archive customers:
1. Ensure that all e-mail addresses (hosted archive accounts) exist in your Active Directory.

   Important: Any user that does not exist in Active Directory, but does exist in your hosted archive, will be placed in an inactive state.

2. Follow the instructions in the Directory Synchronization Tool Administration Guide (http://go.microsoft.com/fwlink/?LinkId=164219) to download, install, and run the DST.

   Note: Review the recipient list in the DST to help ensure that you are including the appropriate users.

3. In the Web-based UI, configure default synchronization options in the Default People Template, such as user roles, that best suit the majority of your users. If a user exists in Active Directory but is not in the hosted archive, the user will be created with the default settings specified in the People Template in the Web-based interface.
4. Activate Directory Synchronization for your organization in the Web-based UI.
5. Use the Bulk Upload feature to add any IM or Bloomberg alias data to the hosted archive. Review the Bulk Data Upload section of this guide for more information about how to bulk upload data.
6. In the Administration Center, link orphan messages for the entire domain.
Step 9: Configure Archived Message Retention Periods

Whenever an e-mail message is inserted into the archive, the retention policy for the recipient is applied to that message and a time-to-live (TTL) value is established. New users receive the default retention period for your organization, unless you explicitly set one of your additional retention periods when you create the user or bulk upload users. To change an existing user's retention period, modify the retention settings in the Web-based UI, either on the user's Profile page or by using the Multiple People Edit function. The retention value set at user level overrides the company default.

Step 10: Set Up Bloomberg Capture (Optional)

The Hosted Archive supports Bloomberg E-mail 1.6 and Instant Bloomberg 1.3. The supported Bloomberg XML formats are:
- Bloomberg Messages
- Bloomberg Attachments
- Bloomberg Disclaimers
- Internet Messages
- Internet Attachments
- Internet Disclaimers
- Instant Bloomberg

Bloomberg requires that your organization take control of your password and all IP addresses that are used to access the FTP site where Bloomberg posts daily compliance files for your organization. Because your organization archives Bloomberg data, you are required to enter the following IP addresses in your CCNS function. This action allows Hosted Archive to access the FTP site where your data is stored. If this action is not taken, Hosted Archive can no longer retrieve Bloomberg data for your organization.

Add the following IP addresses to archive Bloomberg in the Web-based interface:
- 12.129.20.0/24
- 12.129.219.128/27
- 213.199.154.0/24

If you have additional questions about this step, contact your Bloomberg representative or see BMAIL

On the People page, go to the Bloomberg Alias area and enter the end user's Bloomberg SMTP address in the New Alias field.
Step 11: Set Up Instant Messaging (IM) Message Capture (Optional)

To capture IM messages, contact your support representative to obtain a journaling SMTP destination e-mail address. This SMTP e-mail address for your instant messages has the form:

   [email protected] (where nnnn is a numeric ID)

The following IM systems are supported:

   IM System              Format
   Omnipod                XML v.2
   FaceTime               XML v.2 and Text
   Parlano                XML
   Akonix                 Text
   Symantec IM Manager    XML

Note: IM messages from other systems that are sent to the Archive Service will be captured as standard e-mail messages.
Step 12: Configure Journaling on Your Exchange Server

Envelope journaling enables Exchange Hosted Archive to record all communications inside your organization, and it collects information about the recipients who received the message, including Bcc recipients and recipients from distribution groups. It is the best option for compliance and discovery purposes. Microsoft Exchange 2000 Server SP3, Exchange Server 2003, and Exchange Server 2007 all support envelope journaling.

When you configure envelope journaling, you journal internal mail and communications to an address called the copy address. You will receive this address in your setup e-mail, or you can find it in the Microsoft Exchange Hosted Archive Administration Center as follows:
1. In the Administration Center, on the Administration tab, open the Company subtab.
2. In the center pane, under Archive Settings, look for Copy address, and make a note of the address.

For more information about envelope journaling, see How to Configure Envelope Journaling on Microsoft Exchange Server 2003 and Exchange 2000 Server to Work with Exchange Hosted Services (http://go.microsoft.com/fwlink/?LinkId=161944) or How to Configure Envelope Journaling on Microsoft Exchange Server 2007 for Exchange Hosted Services (http://go.microsoft.com/fwlink/?LinkId=163787).
Step 13: Activate Your Hosted Archive

When you are ready to begin archiving messages, your Hosted Archive must be activated.

To activate your Hosted Archive:
1. Log on to the Hosted Archive service at https://emea.archive.messaging.microsoft.com using an account with the Compliance Manager role.
2. In the alert that appears, click Activate your account.
3. A confirmation message will appear, confirming that your Hosted Archive is successfully activated.
After activation, it may take up to 10 minutes for messages to appear in your Hosted Archive.
Step 14: Request a Letter of Attestation

Some organizations require a Letter of Attestation from their Hosted Archive vendor. To request this document, contact Technical Support.

Additional Resources
Hosted Filtering Resources
- Automated self-paced Hosted Filtering training: Microsoft Exchange Hosted Services: Administration Center Training (http://go.microsoft.com/fwlink/?LinkId=163887)
- Hosted Filtering FAQ (http://go.microsoft.com/fwlink/?LinkId=163888)
- Admin Center tutorial and other documentation: Visit the Resource Center in the Admin Center to view the Admin Guide and templates that help you roll out the service to end users.
- Exchange Hosted Services Administration Center Online Learning (http://go.microsoft.com/fwlink/?LinkId=163890): Do not use the Archive Training found here. Instead, use the link provided in the Archive section below.
Hosted Archive Resources
- Automated self-paced Hosted Archive training: MEHS Archive Training (8.1) (http://go.microsoft.com/fwlink/?LinkId=163886)
- Hosted Archive FAQ (http://go.microsoft.com/fwlink/?LinkId=163889)
- Hosted Archive documentation: Click the Help link and select Resource Center in the Web-based interface for additional Hosted Archive documentation.