Problem solve Get help with specific problems with your technologies, process and projects.

An overview of Forefront Protection 2010 for Exchange Server

Take a deep dive into Forefront Protection 2010 for Exchange Server and see how it helps defend Exchange 2010 from spam and malware attacks in multiple types of environments.

Microsoft acquired Sybari Software Inc. in 2005 and, with it, acquired its Antigen for Exchange product line. Microsoft later released its first suite of Microsoft-branded Antigen products in June 2006 -- marking its first line of antivirus products specifically for Exchange Server 2000 and Exchange Server 2003. 

The next generation of this product -- ForeFront Security for Exchange Server -- was released shortly after the debut of Exchange Server 2007. This version was enhanced to support the new role-based architecture and leverage the new transport pipeline in Exchange Server 2007.

Forefront Protection 2010 for Exchange Server is the current generation and next evolution of antispam and antivirus protection from Microsoft. Microsoft’s 2005 acquisition of FrontBridge Technologies Inc., a managed services provider for corporate email compliance, security and high availability, paved the way for its hosted security solution for Exchange, which now includes Forefront Online Protection 2010 for Exchange Server.

Exchange 2010 built-in antispam protection
When you deploy an edge transport server role, a wide range of antispam agents are installed that leverage Exchange Server 2010’s built-in API hooks. Exchange 2010’s antispam transport agents are derived from long-standing Exchange Server technology (Figure 1).

A list of Exchange 2010's antispam transport agents

Figure 1. Exchange Server 2010 already has plenty of antispam transport agents built in.

Transport agents were first introduced in Exchange 2007 and can directly leverage the transport pipeline to allow antivirus and antispam applications to proactively scan inbound and outbound email processed by the edge transport server before it enters or exits an organization.

If the edge transport server isn’t deployed, the antispam transport agents can be imported onto a hub transport server role using the install-AntispamAgents.ps1 script. This allows any Exchange Server deployment topology to benefit from antispam protection. Of course, an antispam application will only address half of the problem; you still need an antivirus product to protect the organization from malware.

Forefront Protection for Exchange Server (On-premises)
Forefront Protection 2010 for Exchange Server (FPE) is an on-premises application that can be implemented in the internal network on the hub transport and mailbox roles. It can also be implemented in the perimeter network, on the edge transport or threat management gateway (TMG). FPE was designed to provide three distinct layers of filtering: connection filtering, protocol filtering and content filtering.

Layer 1 – Connection filtering (Approximately 80% of inbound spam rejected)

  • DNS Block List (DNSBL)
  • IP Allow/IP Block
  • Sender ID

Layer 2 – SMTP filtering (3% to 5% rejected)

  • Sender
  • Recipient
  • Global safe list
  • Global block list
  • Sender ID
  • Backscatter

Layer 3 – Content filtering (55% to 60% rejected)

  • Cloudmark
  • Automatic updates every 45 seconds

FPE can also be installed on the mailbox role. The table below lists available configuration options when FPE is installed on a mailbox server.

Forefront solution Description
Forefront Endpoint Protection 2010 Malware protection for business desktop PCs, laptops and server operating systems that is easier to manage and control
Microsoft Forefront Protection 2010 for Exchange Server Multiple-engine antimalware and anti-spam protection for on-premises Microsoft Exchange Server environments
Microsoft Forefront Online Protection for Exchange Microsoft-hosted antimalware and anti-spam service offering enterprise-class reliability for messaging security and management
Microsoft Forefront Protection 2010 for SharePoint File filtering, keyword blocking and antivirus scanning for Microsoft Office SharePoint Server document libraries
Microsoft Forefront Security for Office Communications Server Virus scanning and content filtering for instant message conversations and file transfers
Forefront Threat Management Gateway Web Protection Service URL filtering and Web antimalware update service for Forefront Threat Management Gateway 2010


Microsoft Forefront Protection Server Management Console (FPSMC) 2010
Microsoft Forefront Protection Server Management Console (FPSMC) 2010, allows administrators to manage not only multiple FPE servers within an organization but also the settings for FOPE, is available as a free download. FPSMC has an intuitive graphical interface that administrators can use for server discovery, configuration deployment, reporting, and quarantine management. FOPE administrators can also utilize FPSMC as it is integrated with Forefront Online Protection for Exchange. FPSMC also includes some reports to help administrators understand the nature and trends of malware and spam protection.

The FPE Server Administrator Console does an adequate job of allowing you to configure FPE and FOPE for an organization and is all that is really necessary for single server deployments. The new dashboard view (Figure 2) makes it very easy to track current activity and the status of the different components in FPE.

A look at the FPE dashboard
Figure 2. You can manage FPE from its new dashboard.

New Forefront features to look for
Forefront Protection for Exchange Server has several features that might be new to Exchange Server administrators. Let’s take a look at some of the coolest new features and how they work.

DNSBL. This feature automates subscriptions to real-time block list (RBL) services and enables configuration through a single mouse click. This is possible because Microsoft has already subscribed to some of the most respected RBL providers to create its own DNS block list (DNSBL). When you enable DNSBL, you subscribe to the Microsoft list; enabling DNSBL will eliminate subscriptions fees that are often required to transfer block-list information to your servers. It can also eliminate the headache of managing and configuring your own subscriptions.

Backscatter. This feature protects your organization from bogus non-delivery report (NDR) messages. Prior to the release of FPE 2010, there was no Microsoft solution that could prevent fictitious NDR messages from being delivered to users’ mailboxes. When you enable Backscatter and generate a set of keys, each outbound message will have an attached token that’s based on a hashed tab to P1.MailFrom: in the email header. If the external messaging system that receives the email must return a non-delivery report, the token will be returned as well.

If the Backscatter feature on Exchange 2010 transport servers can validate the hash, then the NDR will be allowed into the organization. However, if the NDR is missing the hashed tag or Backscatter cannot validate the hash, then the NDR message will be dropped.

Note: To prevent inadvertently dropping valid NDR messages, all transport servers must have the Backscatter feature enabled. At the very least, it should be enabled on all Internet-facing transport servers.

Cloudmark. You can license this antispam solution from Microsoft for both FPE and FOPE. Once FPE is installed, it will replace the default antispam connection filter engine with Cloudmark. Cloudmark has proven to have a 99.77% catch rate. Microsoft guarantees a 98% catch rate in its server-level agreement (SLA) for FOPE.

Third-party spam and virus protection
Microsoft claims that there are four features in Forefront Protection 2010 for Exchange Server that differentiates the product from third-party solutions.

1. FPE uses five simultaneous scanning engines.
2. It uses multi-layer defense architecture.
3. FPE is easy to administer, monitor and report.
4. The solution supports a hybrid model that integrates both on-premise and online servers as well a singular solution.

Despite these advantages, however, it isn’t everything for everyone. Sometimes you need a third-party antivirus or antispam solution. There are a number of well-known antivirus and antispam vendors for Microsoft Exchange Server. When it comes down to choosing the best one for your enterprise, which factors should you consider? Key aspects to look for in a third-party antivirus solution for Exchange Server 2010 are:

  • Support for latest VSAPI
  • Support for hub, edge and mailbox roles
  • Use of transport agents for scanning
  • Support for antivirus stamping
  • Support for multiple scanning engines

Can the cloud reduce your spam carbon footprint? 
There is a concept with antimalware and antispam prevention that suggests the sooner you can eliminate the threat, the less it will cost your organization. To describe this concept in today’s environmentally conscious landscape, some have coined this as "reducing the carbon footprint of spam and malware."

The last 10 years has seen an explosion in hardware appliances and perimeter-based email security designed to prevent unwanted email from even making it inside an organization. The downside to these solutions is that they require additional security expertise to maintain and they must be kept up to date in order to be effective. For many organizations, there is not enough staff to meet these challenges. The consequences of a solution failing are too great for many organizations, so they have begun to seek alternatives.

The use of cloud-based managed security solutions for email systems has increased significantly over the last few years. Cloud-based security solutions give companies the potential to maintain the smallest carbon footprint possible for malware and spam because these solutions eliminate unwanted email in the cloud -- not in the perimeter.

When Microsoft acquired FrontBridge, it became one of the top email hygiene providers along with Postini (Google), Message Labs (Symantec), SOPHOS and Trend Micro. Today there are more than 10 well-known hosted email hygiene/security providers to select from as well as several lesser-known vendors.

Microsoft’s technological advances with FOPE make it an excellent choice for a managed security solution in the cloud and a strong competitor with the predominant providers. The strongest argument for FOPE, however, is that it is the only solution that is tightly integrated with its on-premises counterpart, FPE. FOPE can also be enabled and provisioned with a few clicks of the mouse, using the same tools you need to manage FPE.

Example deployment topologies
FPE and FOPE were designed to support environments of all sizes. FOPE is a hosted solution, so it was designed to scale support for even the largest enterprises. There are different ways to deploy FPE and FOPE for an Exchange Server 2010 organization. FPE can protect Exchange organizations with single servers with combined roles or with dedicated server roles. FOPE can be leveraged by itself without FPE. However the most comprehensive solution is to deploy both FOPE and FPE together.

  • On-Premises: Combined Exchange Server roles
    All Exchange Server roles are combined on a single server. Although the client access server role and unified messaging role are on the same server, FPE does not directly support them. All email and voicemail are submitted to the mailbox role; therefore, CAS and UM roles are indirectly protected (Figure 3).

    Forefront Protection for Exchange Server indirectly protects the unified messaging and client access server roles.
    Figure 3. Though not directly supported, the client access server and unified messaging roles are protected by FPE.

  • On-Premises: Dedicated Exchange Server roles
    FPE is installed on the edge, hub and mailbox server roles, but it isn’t necessary to install on the UM or CAS roles. This topology gives Exchange administrators the greatest level of flexibility when sizing each server to meet the resource requirements of both Exchange 2010 and FPE. A TMG was also deployed to provide protection for the CAS role (Figure 4).

    Forefront Protection for Exchange Server is installed on the edge, hub and transport server roles.
    Figure 4. FPE is installed on the edge, hub and mailbox server roles.

  • On Premises/Hosted: Hybrid
    FPE and FOPE are deployed as a holistic antimalware/antispam solution. The Forefront Protection Manager allows admins to centrally manage the antispam policy. There is an additional FOPE gateway server in this configuration. This function takes very little resources and is used to push the antispam policy to FOPE from the FPMSC (Figure 5).

    Forefront Protection for Exchange Server and Forefront Online Protection for Exchange Server may be deployed together as a hybrid solution.
    Figure 5. FPE and FOPE can be deployed together as a hybrid antispam/antimalware solution.

Deployment recommendations
There are a few general rules you should follow when deploying Forefront Protection for Exchange Server.

  • Deploy FPE on an edge transport server.
  • Deploy FPE on all hub transport servers.
  • Deploy FPE on all mailbox servers.
  • Run all five engines, if possible, and run no less than two engines for fault tolerance.
  • During a malware outbreak, enable the Scan after engine update setting for real-time scanning on mailbox servers.
  • Optionally, deploy FPE on a Threat Management Gateway (TMG) instead of an edge server.
  • Use the Forefront Protection 2010 for Exchange Server Capacity Planning Tool.

Because running antivirus software consumes additional resources, it is important to plan appropriately. The capacity planning tool let you select reference architecture and customize the memory and hardware constraints. After it runs, it will produce a summary of the hardware requirements and number of servers that should be used, based on the specified constraints.

Viruses and worms of a decade ago seemed like the biggest threats to messaging security, but when you consider what they have evolved into today, for example: the latest phishing and malware attacks with criminal intent, it is no surprise the security industry has evolved as well. Email administrators are at the center of the malware and spam storm and have the greatest responsibility to provide their organizations with appropriate levels of protection.

The good news is there are more antispam and antimalware solutions on the market than there have ever been that are specifically designed for messaging systems. Microsoft has even included several layers of antispam protection built into Exchange Server 2010. As the industry moves forward, it seems that the more noticeable trends are the managed security solutions. The managed security solutions in the cloud are becoming more attractive to administrators that have found the task of keeping pace with the exponentially growing threats to their email systems more and more difficult to perform.

Richard Luckett
is president of SYSTMS of NY, Inc., a Microsoft Gold Partner providing professional services, managed services and training solutions. He is an MCSE, MCITP and MCTS with security and messaging specializations, and an MCT with nine years of Exchange training experience. Richard is an Exchange MVP award recipient, co-author of Administering Exchange 2000 Server and Exchange Server 2007: The Complete Reference, course director and author of seven Microsoft Exchange courses, and resident email security expert for Contact him at [email protected].

Dig Deeper on Exchange Server setup and troubleshooting