Mike Chan
Sr. Product Manager
Microsoft
SIA317
Agenda
Business Ready Security
Product Features
OCS Integration
Installation, Configuration and Support
Performance
Business Ready Security
Help securely enable business by managing risk and empowering people
Identity
Highly Secure & Interoperable Platform
from: Block, Cost, Siloed
to: Enable, Value, Seamless
Forefront Security for OCS
Updated Release Information
Support for OCS 2007 R2 in the first release of FSOCS
FSOCS RTM launched mid-March
Aligned with OCS 2007 R2
Not a part of “Stirling”
No centralized management
Forefront Security for Office Communications Server
Objectives
Complement and deepen the security in OCS
Detect and remove malware from IM message content and transferred files
Set controls on content distributed via IM
Integrate with OCS 2007 and R2
Provide IM security while maintaining real-time performance
Report on FSOCS Health and Activity
Securing IM within OCS
FSOCS provides content filtering and AV scanning of all IM activity, including:
IM Message Content
Group IM
IM w/ External Users
IM-Based File Transfers
IM Routed Through the Standard and Enterprise Edition
Securing IM in OCS 2007
External Users
FSOCS secures IM and transferred files for external OCS users:
Federated Organizations
Public IM Networks such as AOL, Yahoo and MSN
Remote Users with an identity in Active Directory who are not connected through a VPN
Key IM Security Features
Capabilities are similar to other Forefront Server Security products:
Malware/Virus Scanning
File Filtering
Keyword Filtering
Domain/Address Filtering (Content Filtering)
However, there are specific ways these features are applied over IM protocols…
Securing IM in OCS
IM Keyword Filters
Keyword filters are applied to IM message content and text-based transferred files
Applied to Inbound, Outbound or Internal IM
Triggers one of these actions:
 Skip: detect only
 Block
Admins can identify users who should be excluded from IM scanning for keyword rules through Sender/Recipient Allow Lists
Securing IM in OCS
Prevent the distribution of malware through IM
Optimal detection of IM-based malware through scanning with multiple antivirus engines
Detection of malware in both IM message content and IM-based file transfers
5 AV Engines can be enabled simultaneously
Intelligent engine manager
Bias settings
IM Scan Job
Automated Signature Updates (24x7)
Securing IM Message Content
IM is transported through the following protocols:
Session Initiation Protocol (SIP)
Session Description Protocol (SDP)
SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE)
Office Communicator (OC) uses SDP to establish the content type used within an IM session
Known (supported) content types are parsed for keywords
OC 2007 and OC 2007 R2 default type is RTF
OC 2005 default content type is Plain Text
HTML is a supported content type in OC 2007 R2
All content types are scanned for viruses; this includes the new content types available in OC 2007, which are scanned by default:
Ink Serialized Format (ISF) / Graphics Interchange Format (GIF) generated from Tablet PCs
Other content types that may be generated by custom-built IM clients written with the UCC SDK
Registry keys allow admins to block ISF or unknown content types
Securing IM-Based File Transfers
IM-based file transfers occur as a peer-to-peer file copy transaction between two clients
FSOCS monitors the SIP messaging used to negotiate a file transfer and redirects the file to the FSOCS server
If the connection necessary to transfer files between internal and external users is successfully made, IM-transferred files will be protected at the Edge as well.
Additional Content Controls
Domain/Address Filtering can block IM based on the SIP URI or domain of the sender or recipient
Wildcards allow blocking by domain, for example *@unknown.com
Individual SIP URIs can be specified to block at the user level
Both Keyword and File Filters can be bypassed for senders and recipients identified in configurable list(s) of SIP URIs.
IM Notifications
Notifications are sent when users attempt to send malware, designated file types, or out-of-policy keywords
IM Notifications can be configured separately for internal and external users
Configuring Admin Notification: the IM admin receives e-mail
User IM Notification: the sender (and recipient if desired) receive an IM communication
Securing IM in OCS 2007
Configuration Scenarios
Block IM from a problematic domain at the Edge: use the Content Filtering feature of FSOCS when deployed on the Edge to block a domain, for example block “*.unknown.com”
Configure different policies on IM message content for internal and external users: keyword filter lists can be enabled for Inbound, Outbound or Internal applicability
Block external file transfers: filters list the file types to be blocked and use real file detection; a filter can block Inbound <in> or Outbound <out> file transfers
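The rule interactions described on the preceding slides (direction-specific keyword lists, wildcard domain blocks, per-URI blocks, file filters, and allow lists that bypass keyword and file filters but never AV scanning) as an added PowerShell model. This is example code written for this page, not FSOCS code; Test-ImPolicy, Get-ImDirection, the $Policy hashtable, the contoso.com and fabrikam.com domains and the sample messages are all constructed, and the file filter matches on extension where the slide says FSOCS uses real file-type detection.

```powershell
# Added example (not FSOCS code): a model of the IM content controls the slides
# describe, used to reason about which rule fires for a given message.
# All names here are hypothetical; the policy and traffic below are constructed.

$Policy = @{
    InternalDomains     = @('contoso.com')                    # assumed internal SIP domain
    BlockedDomains      = @('*@unknown.com')                  # Domain/Address Filtering wildcard entry
    BlockedUris         = @('sip:noisy@partner.example')      # individual SIP URI blocked at user level
    KeywordFilters      = @(
        @{ Keywords = @('project falcon'); Direction = @('Outbound');                      Action = 'Block' },
        @{ Keywords = @('password');       Direction = @('Inbound','Outbound','Internal'); Action = 'Skip'  }
    )
    BlockedFileTypes    = @('.exe', '.scr')      # model matches on extension only; FSOCS uses real file detection
    FileFilterDirection = @('Inbound', 'Outbound')            # external file transfers only
    AllowList           = @('sip:legal@contoso.com')          # bypasses keyword and file filters, never AV
}

function Get-SipDomain {
    param([string]$Uri)
    return ($Uri -replace '^sip:', '') -replace '^[^@]+@', ''
}

function Get-ImDirection {
    # Direction follows from which parties are in an internal domain.
    param([string]$Sender, [string]$Recipient, [string[]]$InternalDomains)
    $senderInternal    = $InternalDomains -contains (Get-SipDomain $Sender)
    $recipientInternal = $InternalDomains -contains (Get-SipDomain $Recipient)
    if ($senderInternal -and $recipientInternal) { return 'Internal' }
    if ($senderInternal) { return 'Outbound' }
    return 'Inbound'
}

function Test-ImPolicy {
    param(
        [hashtable]$Policy,
        [string]$Sender,
        [string]$Recipient,
        [string]$Body = '',
        [string]$FileName = '',
        [bool]$MalwareDetected = $false   # outcome of the AV scan job, supplied by the caller
    )
    $direction = Get-ImDirection $Sender $Recipient $Policy.InternalDomains
    $actions   = @()

    # 1. AV scanning applies to every message and file; allow lists do not bypass it.
    if ($MalwareDetected) { $actions += 'Block: malware detected' }

    # 2. Domain/Address Filtering is checked against both sender and recipient.
    foreach ($party in @($Sender, $Recipient)) {
        $address = $party -replace '^sip:', ''
        foreach ($pattern in $Policy.BlockedDomains) {
            if ($address -like $pattern) { $actions += "Block: domain filter '$pattern' matched $party" }
        }
        if ($Policy.BlockedUris -contains $party) { $actions += "Block: address filter matched $party" }
    }

    # 3. Keyword and file filters are skipped when either party is allow-listed.
    $bypass = ($Policy.AllowList -contains $Sender) -or ($Policy.AllowList -contains $Recipient)
    if ($bypass) {
        $actions += 'Info: keyword and file filters bypassed by allow list'
    } else {
        foreach ($filter in $Policy.KeywordFilters) {
            if ($filter.Direction -notcontains $direction) { continue }   # list not enabled for this direction
            foreach ($keyword in $filter.Keywords) {
                if ($Body -match [regex]::Escape($keyword)) {
                    $actions += "$($filter.Action): keyword '$keyword' ($direction)"
                }
            }
        }
        if ($FileName -and ($Policy.FileFilterDirection -contains $direction)) {
            $extension = [System.IO.Path]::GetExtension($FileName)
            if ($Policy.BlockedFileTypes -contains $extension) {
                $actions += "Block: file type '$extension' ($direction transfer)"
            }
        }
    }

    if (-not $actions) { $actions = @('Allow') }
    New-Object PSObject -Property @{
        Sender = $Sender; Recipient = $Recipient; Direction = $direction; Actions = ($actions -join '; ')
    } | Select-Object Sender, Recipient, Direction, Actions
}

# Constructed sample traffic: internal chat, outbound keyword, blocked domain,
# inbound executable, and an allow-listed sender whose file still carries malware.
$samples = @(
    @{ Sender = 'sip:alice@contoso.com';  Recipient = 'sip:bob@contoso.com';    Body = 'project falcon status?' },
    @{ Sender = 'sip:alice@contoso.com';  Recipient = 'sip:carol@fabrikam.com'; Body = 'project falcon status?' },
    @{ Sender = 'sip:dave@unknown.com';   Recipient = 'sip:alice@contoso.com';  Body = 'hi' },
    @{ Sender = 'sip:carol@fabrikam.com'; Recipient = 'sip:alice@contoso.com';  FileName = 'setup.exe' },
    @{ Sender = 'sip:legal@contoso.com';  Recipient = 'sip:carol@fabrikam.com'; FileName = 'setup.exe'; MalwareDetected = $true }
)
foreach ($s in $samples) { Test-ImPolicy -Policy $Policy @s }
```

The last sample is the one worth keeping in mind when populating allow lists: an allow-listed SIP URI skips keyword and file filtering, but the AV verdict still blocks the transfer, which matches the slides' description of allow lists applying only to keyword and file rules.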
Configuring FSOCS
Mike Chan
Senior Product Manager
Microsoft
OCS Integration
Technical Integration with OCS
Integrates with OCS as a critical application
Hooks into the SIP messaging stream used to transport IM messages between user end points
Supports all OCS server roles and topologies that manage IM: Standard Edition, Enterprise Edition (Front End, Director and Access Edge server roles)
Applies a message stamp so IM message content and transferred files are only scanned once, for efficient processing
System Requirements
FSOCS Deploys On Communication Servers
FSOCS supports the same server requirements as the OCS server it is deployed with
For OCS 2007 deployments:
Minimum: Windows Server® 2003 SP1
Recommended: Windows Server® 2003 R2
Support for 64-bit versions: 64-bit hardware with WOW64 mode on the 64-bit edition of Windows Server 2003 SP1 and above
For OCS 2007 R2 deployments:
64-bit hardware only
WS 2008, WS 2003, WS 2003 R2
Standard Edition Integration
Diagram: all IM activity is routed through an instance of the OCS Communications Server with FSOCS installed. Inside the server boundary, the OCS server process (RTCProxy) communicates over IPC, across a process boundary, with the FSOCS process (FSCController running the IM Scan Job against the enabled AV engines), alongside the FSOCS IM Notification Agent and the FSOCS Admin Console. Callouts: clean IM messages and files are stamped and routed forward through OCS; infected IM is blocked and optionally quarantined by FSOCS; notification of the action is sent to the sender and optionally the administrator; the FSOCS Admin Console can deliver items from quarantine.
Enterprise Edition Integration
Diagram: clients connect through a hardware load balancer to an OCS Server Pool of Enterprise Edition servers backed by a back-end SQL Server. Each Enterprise Edition server in the pool runs its own FSOCS instance (FSCController with the IM Scan Job and AV engines, plus the FSOCS IM Agent) that connects to that server's RTCProxy over IPC across a process boundary.
Securing Instant Messaging
Mike Chan
Senior Product Manager
Microsoft
Installation, Configuration and Support
Enterprise Edition Topologies
Diagram labels: External Users (Federated (Trusted) Organization, Public IM Networks, Remote User (VPN)); Perimeter Network (Access Edge Server); Internal Network (Director Server, Front-End Server).
FSOCS scans IM messages and file transfers flowing through OCS, protecting each instance of a Standard Edition, Front End, Director and Access Edge server role.
FSOCS Installation
Overview
 Installable profanity lists are in a separate msi named “KeywordInstaller.msi”, found in the “Program Files\Microsoft Forefront Security\Office Communications Server” folder after FSOCS is installed
 Templates are supported for the following: IM Scan Job, Scan Engines, Notifications, File and Content Filtering Settings
FSOCS Installation
Deploying on Different OCS 2007 Server Roles
FSOCS searches the registry for an OCS 2007 key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Real-Time Communications\{92AC8981-AAD9-4391-856392E558EEF4C6}\Server
Possible values:
SE: Standard Edition
EE: Enterprise Edition
PROXY: Proxy Server
AP: Edge Server
FSOCS Installation
Deploying on Different OCS 2007 Server Roles
If an Enterprise Edition server role (EE) is detected, the user can identify that the install is occurring on a Director server role
FSOCS Installation
Install Credentials and Requirements
Server and IM notification accounts are required for installation of FSOCS and have different requirements and validation checks
Access Edge is typically installed in the perimeter network as a non-domain server with no AD access
FSOCS on Access Edge will run with local admin entitlements
On Front End, Director and Standard Edition, core services run under an account with both local and domain level entitlements
There are separate requirements for the IM Notification Agent
FSOCS Installation
Install Credentials and Requirements
On Access Edge, the service account must have the following privileges; if these privileges are not enabled for the account at the time of install, the FSOCS installer will enable them automatically:
"Logon As Service"
"RTC Server Applications" local security group
"RTC Server Local Group" local security group
"Performance Monitor Users" local security group
Standard Edition, Front End, or Director role requirements; if not already enabled, the following privileges will be added to the server account at time of install:
"Logon As Service"
"RTC Server Applications" local security group
The service account specified must already be a member of the following groups:
"RTCUniversalServerAdmins" and "RTCProxyUniversalServices" domain groups
FSOCS Installation
IM Notification Agent Credentials
The following information is required:
Username: user account prefixed with the domain. On Access Edge, this is a local user prefixed with the computer name
Password: password of the user account for either the domain or the local computer
Transport: the protocol used to communicate from the IM Notification Agent to OCS 2007; TLS is recommended as this is a secure, encrypted protocol
SIP URI: the SIP URI used by OCS 2007 to uniquely identify a user. It can be found in AD as <msRTCSIP-PrimaryUserAddress>
Home Server: every OCS user is associated with a home server or pool. This can be found in AD as <msRTCSIP-PrimaryHomeServer>
On the Front End, Standard Edition and Director servers, the SIP URI and Home or Pool Server will be pre-populated. The user, SIP URI and Home/Pool Server will be validated
On the Access Edge server role, the installer cannot access AD to pre-populate or validate any credentials
**If user/server information has been entered incorrectly, errors will be generated in the Application event log from the “ForefrontNotificationAgent” source with “error occurred logging in to server” in the description.
FSOCS Configuration on OCS 2007 Enterprise Edition Roles
Available on all supported EE server roles:
DisableMessageStamp (DWORD value), default = 0
MessageOverloadWatermark (DWORD value), defaults: 1,000 for Access Edge, 3,000 for Director, 10,000 for Front End
Access Edge and Director server roles:
FileScanningDisabled (DWORD value), default = 0
Available on Access Edge server role:
FileTransferStartPortRange (DWORD value), default = 6891
FileTransferMaxPorts (DWORD value), default = 10
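An added PowerShell script, not FSOCS tooling, that reads the OCS role key the FSOCS installer checks (path and value codes copied from the installation slide as printed, including the GUID exactly as shown there) and then reports the tuning values above together with their slide defaults, warning when a value weakens scanning. The slides do not name the registry key that holds these DWORDs, so $FsocsKey is a placeholder to replace; Get-OcsRoleCode, Get-FsocsSetting, Get-FsocsEffectiveConfig and the -IsDirector switch are hypothetical names, and the Director case needs the switch because the registry alone cannot distinguish a Director from a Front End server.

```powershell
# Added example (not part of FSOCS): inspect the OCS role key and the FSOCS
# tuning DWORDs described on the slides. Run in an elevated PowerShell on the
# OCS server. $FsocsKey is a placeholder; the slides do not give the real key.

$RoleKey  = 'HKLM:\SOFTWARE\Microsoft\Real-Time Communications\{92AC8981-AAD9-4391-856392E558EEF4C6}\Server'
$FsocsKey = 'HKLM:\SOFTWARE\PLACEHOLDER-FSOCS-SETTINGS-KEY'   # replace with the actual FSOCS settings key

$RoleNames = @{ 'SE' = 'Standard Edition'; 'EE' = 'Enterprise Edition'; 'PROXY' = 'Proxy Server'; 'AP' = 'Edge Server' }

function Get-OcsRoleCode {
    # The slide gives the path ending in \Server and the codes SE/EE/PROXY/AP, but not
    # whether "Server" is a value name or a subkey, so both layouts are tried.
    $parent = Split-Path -Path $RoleKey -Parent
    $leaf   = Split-Path -Path $RoleKey -Leaf
    $item = Get-ItemProperty -Path $parent -Name $leaf -ErrorAction SilentlyContinue
    if ($item -and $RoleNames.ContainsKey([string]$item.$leaf)) { return [string]$item.$leaf }
    if (Test-Path -Path $RoleKey) {
        foreach ($prop in (Get-ItemProperty -Path $RoleKey).PSObject.Properties) {
            if ($RoleNames.ContainsKey([string]$prop.Value)) { return [string]$prop.Value }
        }
    }
    return $null
}

function Get-FsocsSetting {
    # Returns the configured DWORD, or the slide default when the value is absent.
    param([string]$Name, $Default)
    $item = Get-ItemProperty -Path $FsocsKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -and ($item.$Name -ne $null)) {
        return New-Object PSObject -Property @{ Name = $Name; Value = [int]$item.$Name; Source = 'registry' }
    }
    return New-Object PSObject -Property @{ Name = $Name; Value = $Default; Source = 'default (value absent)' }
}

function Get-FsocsEffectiveConfig {
    param([switch]$IsDirector)   # EE cannot be told apart from Director via the registry
    $role = Get-OcsRoleCode
    if ($role) { Write-Host ("Detected OCS role: {0} ({1})" -f $role, $RoleNames[$role]) }
    else       { Write-Warning 'No OCS role code found under the role key; defaults below assume Front End' }

    # MessageOverloadWatermark defaults per slide: 1,000 Access Edge, 3,000 Director, 10,000 Front End.
    $watermarkDefault = switch ($role) {
        'AP'    { 1000 }
        'EE'    { if ($IsDirector) { 3000 } else { 10000 } }
        default { 10000 }
    }

    $settings = @(
        (Get-FsocsSetting -Name 'DisableMessageStamp'      -Default 0),
        (Get-FsocsSetting -Name 'MessageOverloadWatermark' -Default $watermarkDefault)
    )
    if ($role -eq 'AP' -or $IsDirector) {
        $settings += Get-FsocsSetting -Name 'FileScanningDisabled' -Default 0
    }
    if ($role -eq 'AP') {
        $settings += Get-FsocsSetting -Name 'FileTransferStartPortRange' -Default 6891
        $settings += Get-FsocsSetting -Name 'FileTransferMaxPorts'       -Default 10
        $start = ($settings | Where-Object { $_.Name -eq 'FileTransferStartPortRange' }).Value
        $count = ($settings | Where-Object { $_.Name -eq 'FileTransferMaxPorts' }).Value
        Write-Host ("File transfer redirection uses TCP ports {0}-{1}; firewall rules must allow them" -f $start, ($start + $count - 1))
    }

    # Defender's checks: both of these flags reduce scanning coverage if set.
    foreach ($s in $settings) {
        if ($s.Name -eq 'DisableMessageStamp' -and $s.Value -ne 0) {
            Write-Warning 'DisableMessageStamp is set: IM content is no longer marked as scanned once and will be rescanned at each protected role'
        }
        if ($s.Name -eq 'FileScanningDisabled' -and $s.Value -ne 0) {
            Write-Warning 'FileScanningDisabled is set: IM file transfers through this role are not scanned for malware'
        }
    }
    $settings | Select-Object Name, Value, Source
}

Get-FsocsEffectiveConfig
```

On a Director, run Get-FsocsEffectiveConfig -IsDirector so the 3,000 watermark default and the FileScanningDisabled check are reported for that role.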
FSOCS
Support and Troubleshooting – Perf Counters
There are 4 categories, all prefixed with “Microsoft FSOCS”:
Microsoft FSOCS Categorizer
Microsoft FSOCS Health
Microsoft FSOCS Scan Filter
Microsoft FSOCS SIP Traffic
Administrators should monitor counters to understand queue length and IM processing time:
RTC Proxy Health: Queue Length
RTC Proxy Scan/Filter Results: Average Processing Time
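An added PowerShell health check covering this slide and the IM Notification Agent event-log note from the installation section; it is not FSOCS tooling. The exact counter paths are not on the slides, so the script discovers counters in the “Microsoft FSOCS” counter sets whose names contain “Queue Length” or “Average Processing Time” by wildcard, samples them, and then searches the Application log for the “error occurred logging in to server” event from the “ForefrontNotificationAgent” source. Get-FsocsCounterPaths, Watch-FsocsQueue, Get-NotificationAgentLoginErrors and the queue-length warning threshold are assumptions; Get-Counter and Get-EventLog need Windows PowerShell 2.0 or later on the FSOCS server.

```powershell
# Added example (not FSOCS tooling): sample the FSOCS counters the slides say to
# watch and look for the IM Notification Agent login error in the Application log.
# Function names and the threshold are hypothetical. Run on the FSOCS server.

function Get-FsocsCounterPaths {
    # Discover counter paths by wildcard, since the slides give only display names.
    param([string[]]$NameFilters = @('*Queue Length*', '*Average Processing Time*'))
    $paths = @()
    foreach ($set in (Get-Counter -ListSet 'Microsoft FSOCS*' -ErrorAction SilentlyContinue)) {
        foreach ($path in $set.Paths) {
            foreach ($filter in $NameFilters) {
                if ($path -like $filter) { $paths += $path }
            }
        }
    }
    return ($paths | Select-Object -Unique)
}

function Watch-FsocsQueue {
    # Takes a few samples and flags a queue backlog. The threshold is an assumption;
    # tune it against the MessageOverloadWatermark configured for the role.
    param([int]$Samples = 6, [int]$IntervalSeconds = 10, [int]$QueueWarnThreshold = 100)
    $paths = Get-FsocsCounterPaths
    if (-not $paths) { Write-Warning 'No Microsoft FSOCS counter sets found on this host'; return }
    $data = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    foreach ($sample in $data) {
        foreach ($cs in $sample.CounterSamples) {
            $flag = ''
            if (($cs.Path -like '*Queue Length*') -and ($cs.CookedValue -gt $QueueWarnThreshold)) {
                $flag = '  <-- backlog above threshold'
            }
            '{0:HH:mm:ss}  {1,-70} {2,10:N3}{3}' -f $sample.Timestamp, $cs.Path, $cs.CookedValue, $flag
        }
    }
}

function Get-NotificationAgentLoginErrors {
    # The installation slide says bad agent credentials surface as Application log
    # errors from "ForefrontNotificationAgent" mentioning "error occurred logging in to server".
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Application -Source 'ForefrontNotificationAgent' -EntryType Error -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'error occurred logging in to server' } |
        Select-Object TimeGenerated, EventID, Message
}

# Usage: one pass over counters, then the last day of agent login failures.
Watch-FsocsQueue -Samples 3 -IntervalSeconds 5
$loginErrors = @(Get-NotificationAgentLoginErrors -Hours 24)
if ($loginErrors.Count -gt 0) {
    Write-Warning ("{0} IM Notification Agent login error(s) in the last 24h; re-check the agent's SIP URI, home server and transport" -f $loginErrors.Count)
    $loginErrors | Format-Table -AutoSize
} else {
    Write-Host 'No IM Notification Agent login errors in the last 24h'
}
```

A rising Queue Length with a flat Average Processing Time usually points at too few scanning processes for the load rather than slow engines; the sizing table later in the deck gives the process and memory guidance to compare against.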
FSOCS Configuration
Support and Troubleshooting – Diagnostic Tools
Run FSCDiag.exe, located in Program Files\Microsoft Forefront Security\Office Communications Server
This generates ForefrontDiag*.zip, located in Program Files\Microsoft Forefront Security\Office Communications Server\log\Diagnostics
Diagnostic-level logging can be kept on continually: select IM Diagnostics in the General Options settings
This is costly in terms of log sizes and performance due to disk I/O
FSOCS Configuration
Support and Troubleshooting – OCS Logs
Generating and Collecting OCS Logs:
Open OCS MMC
Select your Enterprise Pool and right click on it
Select "New Debug Session"
In the OCS Logging Tool, select:
"LcsServer" and enable "All Flags"
"ApiModule" and enable "All Flags"
"SIPStack" and enable "All Flags"
"InboundRouting" and enable "All Flags"
"MCUInfra" and enable "All Flags"
"MCUFactory" and enable "All Flags"
"UserServices" and enable "All Flags"
Click on "Start Logging"
Reproduce the issue you are noticing
Click on "Stop Logging"
Select "View Log Files" (keep everything on the list enabled)
Select "View" and a number of text files will open in Notepad
Collect the files from the directory specified in the logging tool (default: c:\windows\tracing)
Collect the OCS Event Logs to send to Microsoft
FSOCS Performance
Internally tested at 4000 users/server
Quad-Core Intel Xeon X3220 2.4 GHz processors, 4 GB of RAM and 150GB of SCSI drive (RAID0, DAS)
Test profile settings

Setting                      Value
Average number of contacts   50
Max number of contacts       100
Average groups per user      10
Max groups per user          25

IM Usage Model Profile

                              Low    Medium   High   Max Supported Users*
Conversations/day             7      14       24     24
Conversation Length (min.)    120    120      120    20
IM Sent/Minute                2      2        2      1
IM Rate/sec per 1000 users    20     40       67     6

FSOCS Performance

Measurement                        No File Transfer   With File Transfer
IM Processing Time (Average)       0.005              0.005
Processor Utilization (%), Avg.    47.2               43.5
Processor Utilization (%), Max     63.8               51.6

Measurement (3000 Users)

Profile                                  Messages/sec     Memory Utilization   Processor Utilization (%)
                                         Avg.    Max      Avg.     Max         Avg.    Max
OCS 2007 R2 (baseline)                   210     232      1.1GB    1.2GB       6.8     12.9
FSOCS (MSAV Only)                        210     226      2.0GB    2.8GB       20.2    26.0
FSOCS (3 engines: CA, VBuster, MSAV)     210     225      2.6GB    2.9GB       29.2    33.8
FSOCS (Default Configuration)            209     231      2.8GB    3.0GB       20.7    24.2

Measurement (4000 Users)

Profile                                  Messages/sec     Memory Utilization   Processor Utilization (%)
                                         Avg.    Max      Avg.     Max         Avg.    Max
OCS 2007 R2 (baseline)                   280     300      1.4GB    1.5GB       9.2     14.9
FSOCS (3 engines: CA, VBuster, MSAV)     282     329      2.7GB    2.9GB       36.8    42.0

Sizing

                              Minimum                              Recommended                          Maximum
Scanning Processes            2                                    1 x # of cores                       25
Memory (Additional to OCS)    200 MB x # of scanning processes     600 MB x # of scanning processes     N/A
Case Studies
Sporton International
International certification company based in Taiwan
“We couldn’t find a solution to protect Office Communications Server…. Our only recourse was to build our own, requiring painstaking and time-consuming work… Deployment took less than 20 minutes. Protection was immediate.”
David Feng, IT Director, Sporton
Cut the cost of managing IM security by 50% and reduced viruses by 20% with FSOCS
Convergent
IT Consulting Firm
“From research to maintenance, Forefront Security for Office Communications Server saves the company time, and ultimately money.”
Rand Morimoto, President, Convergent Computing
Using FSOCS on OCS 2007 R2 Enterprise Edition internally across 6 servers for federated users and public IM
Deployed to pharmaceutical and State of California customers with tens of thousands of users to address compliance concerns
Securing IM with FSOCS
Summary
Part of the Forefront Security Suite and Microsoft Enterprise CAL
Deploy FSOCS with every OCS and OCS R2 deployment!
A public forum on Microsoft TechNet is available:
http://social.technet.microsoft.com/Forums/enUS/forefrontOCS/threads/
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
Related Content
SIA318 – Protection : Next Generation of Messaging and Collaboration
SIA319 – Protection : Targeting Spam with Microsoft Forefront
SIA01-INT – Next Generation Messaging and Collaboration Protection Drilldown
SIA11-HOL – Overview of Microsoft Forefront Code Name “Stirling” (Beta)
SIA13-HOL – FSE Beta 2 (AntiSpam and AntiMalware)
SIA14-HOL – FSSP Beta 2 (AntiMalware)
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.