Transcript Slide 1

Module 6: Implementing Messaging Security
Module Overview
• Deploying Edge Transport Servers
• Deploying an Antivirus Solution
• Configuring an Anti-Spam Solution
• Configuring Secure SMTP Messaging
Lesson 1: Deploying Edge Transport Servers
• What Is the Edge Transport Server Role?
• Edge Transport Server Role Infrastructure Requirements
• What Is AD LDS?
• Demonstration: How to Configure Edge Transport Servers
• What Is Edge Synchronization?
• How Internet Message Flow Works
• Demonstration: How to Configure Edge Synchronization
• What Is Cloned Configuration?
• Discussion: Securing Edge Transport Servers
What Is the Edge Transport Server Role?
The Edge Transport server role provides:
• Internet message delivery
• Antivirus and anti-spam protection
• Edge transport rules
• Address rewriting
The Edge Transport server role:
• Cannot be deployed with any other server role
• Should not be a member of the internal Active Directory domain
• Should be deployed in a perimeter network
Edge Transport Server Role Infrastructure Requirements
The Edge Transport server:
• Must be configured with a Fully Qualified Domain Name
• Requires a minimal number of ports opened on the internal and external firewalls
• Must be configured with the IP addresses for DNS servers that can resolve DNS names on the Internet
What Is AD LDS?
AD LDS is an LDAP directory service that stores information for directory-enabled applications
AD LDS on an Edge Transport server stores:
• Schema information
• Configuration information
• Recipient information
You can use the Exchange Server 2010 tools to perform most of the AD LDS configuration tasks
Demonstration: How to Configure Edge Transport Servers
In this demonstration, you will:
• Review the Edge Transport server default configuration
What Is Edge Synchronization?
Edge Synchronization replicates Active Directory information to AD LDS on Edge Transport servers
Reasons for implementing Edge Synchronization include:
• Simplifying Edge Transport server configuration
• Using recipients for transport or filtering rules
Edge Synchronization:
• Includes configuration and recipient information
• Is always initiated by Hub Transport servers
How Internet Message Flow Works
[Diagram: numbered message flow, steps 1 to 6, between the Hub Transport / Client Access / Mailbox Server and the Edge Transport Server]
Demonstration: How to Configure Edge Synchronization
In this demonstration, you will:
• Enable Edge Synchronization
• Test Edge Synchronization
• Configure address rewriting
What Is Cloned Configuration?
Cloned configuration is a process of configuring multiple Edge Transport servers with identical configurations
To implement cloned configuration, use the:
• ExportEdgeConfig script to export configuration information
• ImportEdgeConfig script to validate the configuration on the target server, and then create an answer file
• ImportEdgeConfig script to import configuration information
Discussion: Securing Edge Transport Servers
• Why is it important to secure Edge transport servers?
• What factors should you consider at the operating system level?
• How do you secure an Edge Transport Server?
Lesson 2: Deploying an Antivirus Solution
• Antivirus Solution Features in Exchange Server 2010
• What Is Forefront Protection 2010 for Exchange Server?
• Forefront Protection 2010 Deployment Options
• Best Practices for Deploying an Antivirus Solution
• Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server
Antivirus Solution Features in Exchange Server 2010
Exchange Server 2010 supports:
• Using the same VSAPI as is used in Exchange Server 2003 and Exchange Server 2007
• Using transport agents to filter and scan messages
• Using antivirus stamping to mark each scanned message
• Integration with Forefront Protection 2010 for Exchange Server
What Is Forefront Protection 2010 for Exchange Server?
Benefits of Forefront Protection 2010 for Exchange Server include:
• Antivirus scan with multiple scan engines
• Full support for VSAPI
• Microsoft IP Reputation Service
• Spam signature updates
• Premium spam protection
• Automated content filtering updates
Forefront Protection 2010 Deployment Options
You can install Forefront Protection 2010:
• Only on an Edge Transport server or a Hub Transport server
• On an Edge Transport server or a Hub Transport server and a Mailbox server
When installing Forefront Protection 2010, consider:
• The number of scan engines required
• The types of scan engines that should be used
Best Practices for Deploying an Antivirus Solution
When you implement an antivirus solution, you should:
• Implement multiple layers of antivirus such as:
  • Firewall or Edge Transport server
  • Client
  • Exchange server
• Maintain regular antivirus updates
Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server
In this demonstration, you will see how to:
• Install Forefront Protection 2010 for Exchange Server
• Configure Forefront Protection 2010 for Exchange Server
• Manage Forefront Protection 2010
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010
• Exercise 1: Configuring Edge Transport Servers
• Exercise 2: Configuring Forefront Protection 2010 for Exchange Servers
Logon information
Virtual machines: 10135-VAN-DC1, 10135-VAN-EX1, 10135-VAN-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 45 minutes
Lab Scenario
You are a messaging administrator in A. Datum Corporation,
which is a large multinational organization. Your organization
has deployed Exchange Server 2010 internally, and it now
wants to extend it so that everybody can send and receive
Internet e-mail.
As part of your job responsibilities, you need to set up an Edge
Transport server, and then install an antivirus solution to scan
all mail.
Lab Review
• When you implement new certificates on your existing Edge Transport server, what do you need to consider?
• Does the Forefront Protection 2010 Suite scan the message multiple times when it is passed over Edge Transport and Hub Transport servers?
Lesson 3: Deploying an Anti-Spam Solution
• Overview of Spam-Filtering Features
• How Exchange Server 2010 Applies Spam Filters
• What Is Sender ID Filtering?
• What Is Sender Reputation Filtering?
• What Is Content Filtering?
• Demonstration: How to Configure Anti-Spam Options
Overview of Spam-Filtering Features
Feature | Filters messages based on:
Connection Filtering | The IP address of the sending SMTP server
Content Filtering | The message contents
Sender ID | The IP address of the sending server from which the message was received
Sender Filtering | The Sender in the MAIL FROM: SMTP header
Recipient Filtering | The Recipients in the RCPT TO: SMTP header
Sender Reputation | Several characteristics of the sender, accumulated over a period of time
Attachment Filtering | Attachment file name, file name extension, or file MIME content type
How Exchange Server 2010 Applies Spam Filters
[Diagram: messages from the Internet arrive at the Exchange Server 2010 Edge Transport server and pass through Connection Filtering (IP Allow List, IP Block List, RBL), Sender Filtering, Recipient Filtering, Sender ID Filtering, and Content Filtering (Outlook Safe Senders List; Exceed SCL Threshold or Below SCL Threshold)]
What Is Sender ID Filtering?
[Diagram: numbered steps 1 to 4 between the SMTP Server on the Internet, the Edge Transport Server, the DNS Server, and the Hub Transport Server]
Sender ID filtering is a concept in virus protection that was introduced in Exchange Server 2007
You can configure it to:
• Reject messages and issue a nondelivery report (NDR)
• Delete messages without sending an NDR
• Stamp the messages with the SenderID result, and continue processing
What Is Sender Reputation Filtering?
Sender Reputation filtering filters messages based on information about recent e-mail messages received from specific senders
The Protocol Analysis agent assigns an SRL that is based on:
• Sender open proxy test
• HELO/EHLO analysis
• Reverse DNS lookup
• Analysis of SCL ratings on messages from a particular sender
What Is Content Filtering?
Content Filtering analyzes the content of each e-mail message and assigns an SCL to the message
You can configure content filtering to:
• Delete, reject, or quarantine messages that exceed an SCL value
• Block or allow messages based on a custom word list
• Allow exceptions so that messages sent to specified recipients are not filtered
Quarantined messages are sent to a quarantine mailbox
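The Sender ID actions and content filtering options from the two slides above, as an added Exchange Management Shell example that is not part of the original course material. The mailbox addresses, thresholds and phrases are constructed placeholders; run the commands on the Edge Transport server.

```powershell
# Added example. All addresses, phrases and threshold values are placeholders.

# Sender ID: pick one of the three actions listed on the Sender ID slide.
#   Reject      = reject the message and issue an NDR
#   Delete      = delete the message without sending an NDR
#   StampStatus = stamp the Sender ID result and continue processing
Set-SenderIdConfig -SpoofedDomainAction StampStatus

# Content filtering: delete, reject, or quarantine by SCL value.
# The quarantine mailbox has to be set for quarantining to work.
$scl = @{
    SCLDeleteEnabled       = $true
    SCLDeleteThreshold     = 9
    SCLRejectEnabled       = $true
    SCLRejectThreshold     = 8
    SCLQuarantineEnabled   = $true
    SCLQuarantineThreshold = 6
    QuarantineMailbox      = 'spamquarantine@example.com'
}
Set-ContentFilterConfig @scl

# Custom word list: BadWord blocks, GoodWord allows.
Add-ContentFilterPhrase -Phrase 'constructed blocked phrase' -Influence BadWord
Add-ContentFilterPhrase -Phrase 'constructed allowed phrase' -Influence GoodWord

# Exceptions: messages sent to these recipients are not content filtered.
Set-ContentFilterConfig -BypassedRecipients 'postmaster@example.com','abuse@example.com'

# Review the resulting configuration.
Get-SenderIdConfig | Format-List SpoofedDomainAction
Get-ContentFilterConfig | Format-List SCL*,QuarantineMailbox,BypassedRecipients
Get-ContentFilterPhrase
```

Keeping the quarantine threshold below the reject and delete thresholds leaves borderline messages recoverable from the quarantine mailbox instead of losing them outright.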
Demonstration: How to Configure Anti-Spam Options
In this demonstration, you will see how to:
• Configure Connection Filtering
• Configure Sender and Recipient Filtering
• Configure Sender ID and Sender Reputation Filtering
• Configure Content Filtering
Lesson 4: Configuring Secure SMTP Messaging
• Discussion: SMTP Security Issues
• SMTP E-Mail Security Options
• Demonstration: How to Configure SMTP Security
• What Is Domain Security?
• How Domain Security Works
• Process for Configuring Domain Security
• Demonstration: How to Configure Domain Security
• How S/MIME Works
Discussion: SMTP Security Issues
• What are the SMTP security issues?
• How do you currently secure SMTP?
SMTP E-Mail Security Options
Protocol | Layer | Purpose
IPSec | Network-based | Encrypts server-to-server or client-to-server traffic
VPN | Network-based | Encrypts site-to-site traffic
TLS | Session-based | Encrypts server-to-server traffic
S/MIME | Client-based | Encrypts client side e-mail and enables digital signing
SMTP e-mail can be additionally secured by using authentication and authorization on the SMTP connector
Demonstration: How to Configure SMTP Security
In this demonstration, you will see how to:
• Configure an externally secured SMTP Connector
• Configure an SMTP Connector that requires TLS and authentication
What Is Domain Security?
Uses mutual TLS with business partners to enable secured message paths over the Internet
To set up mutual TLS:
• Generate a certificate request for TLS certificates
• Import and enable the certificate on the Edge Transport server
• Configure outbound Domain Security
• Configure inbound Domain Security
How Domain Security Works
[Diagram: steps 1 and 2 between two mail clients]
Process for Configuring Domain Security
To configure Domain Security:
1. Generate a certificate request for TLS certificates
2. Import certificate to Edge Transport servers
3. Configure outbound Domain Security
4. Configure inbound Domain Security
5. Notify partner to configure Domain Security
6. Test mail flow
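The six steps above as an added Exchange Management Shell walkthrough, not taken from the original course material. The host name, partner domain, file paths and connector names are constructed placeholders, and the example assumes Edge Synchronization is already in place.

```powershell
# Added example. Names, domains and paths below are placeholders.
$partner = 'partner.example'

# Step 1 (Edge Transport server): generate the TLS certificate request
# and save it for submission to the CA.
$certReq = @{
    GenerateRequest      = $true
    SubjectName          = 'cn=mail.example.com'
    DomainName           = 'mail.example.com'
    PrivateKeyExportable = $true
}
New-ExchangeCertificate @certReq | Set-Content -Path 'C:\Certs\edge-tls.req'

# Step 2 (Edge Transport server): import the issued certificate and
# enable it for SMTP.
$bytes = [Byte[]]$(Get-Content -Path 'C:\Certs\edge-tls.p7b' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $bytes | Enable-ExchangeCertificate -Services SMTP

# Step 3 (Hub Transport server): outbound Domain Security.
# Append to the existing list; passing a single value would replace it.
$cfg = Get-TransportConfig
$cfg.TLSSendDomainSecureList += $partner
Set-TransportConfig -TLSSendDomainSecureList $cfg.TLSSendDomainSecureList
Set-SendConnector 'Internet' -DomainSecureEnabled $true

# Step 4 (Hub Transport server): inbound Domain Security.
$cfg.TLSReceiveDomainSecureList += $partner
Set-TransportConfig -TLSReceiveDomainSecureList $cfg.TLSReceiveDomainSecureList
Start-EdgeSynchronization    # push the lists and Send connector to the Edge

# Step 4, continued (Edge Transport server): the Internet-facing
# Receive connector must offer TLS and be Domain Secure enabled.
Set-ReceiveConnector 'Internet' -DomainSecureEnabled $true -AuthMechanism TLS

# Steps 5 and 6: the partner mirrors this configuration for your domain,
# then both sides send test messages and confirm the settings.
Get-TransportConfig | Format-List TLS*DomainSecureList
Get-ReceiveConnector 'Internet' | Format-List DomainSecureEnabled,AuthMechanism
```

Mutual TLS succeeds only when each side can validate the other's certificate, so check that the issuing CA is trusted by the partner before testing mail flow.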
Demonstration: How to Configure Domain Security
In this demonstration, you will see how to:
• Verify certificate and check Receive connector
• Configure Domain Security
How S/MIME Works
Method | Type of Security Provided
Digital signatures | Authentication: The message was sent by the person or organization who claims to have sent it
Digital signatures | Nonrepudiation: Helps to prevent the sender from disowning the message
Digital signatures | Data integrity: Any alteration of the message invalidates the signature
Message encryption | Only the intended recipient can view the contents
S/MIME Infrastructure requirements:
• The sender must have a valid certificate installed
• All target addresses must have a public certificate available either locally or in Active Directory
• Can use either an internal or public CA
Lab B: Implementing Anti-Spam Solutions
• Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers
Logon information
Virtual machines: 10135-VAN-DC1, 10135-VAN-EX1, 10135-VAN-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 65 minutes
Lab Scenario
After configuring the Edge Transport server and installing an
antivirus solution, you must implement an anti-spam solution.
Lab Review
• What anti-spam agents are available in Exchange Server 2010?
• What is the purpose of the SCL threshold?
• What are the possible issues in implementing Domain Security for your partner domains?
Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips