Course 5049A Managing Messaging Security Using Microsoft Exchange Server 2007

5049A: Managing Messaging Security Using Microsoft® Exchange Server 2007

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2007 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BizTalk, ForeFront, Internet Explorer, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, SmartScreen, Visual SourceSafe, Visual Studio, Windows, Windows NT, Windows PowerShell, Windows Server, Windows Vista, and Windows FX are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Product Number: 5049AT Part Number: X13-54212 Released: 02/2007

MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft

• updates,

• supplements,

• Internet-based services, and

• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly know as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.

i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content

may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.

iv. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

v. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

Virtual Hard Disks. The Licensed Content may contain versions of Microsoft Windows XP, Windows Server 2003, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:

TIME-SENSITIVE SOFTWARE. If the Software is not re-launched, it will stop running one hundred eighty days after you install it. You will not receive notice before it stops running. You may not be able to access data used or information stored with the Software when it stops running and/or when it is re-launched. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply:

Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:

You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.

o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.

o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.

o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.

o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.

o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.

o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content

solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use

• You will not republish or post the Academic Materials on any network computer or broadcast in any media;

• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:

© 2006 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

iv. Distributable Code. The Licensed Content may contain code that you are permitted to distribute in programs you develop if you comply with the terms below.

A. Right to use and Distribute. The code and text files listed below are “Distributable Code.”

• REDIST.TXT Files. You may copy and distribute the object code form of code listed in REDIST.TXT files.

• Sample Code. You may modify, copy, and distribute the source and object code form of code marked as “sample.”

• OTHER-DIST.TXT Files. You may copy and distribute the object code form of code listed in OTHER-DIST.TXT files.

• Third Party Distribution. You may permit distributors of your programs to copy and distribute the Distributable Code as part of those programs.

B. Distribution Requirements. For any Distributable Code you distribute, you must

• add significant primary functionality to it in your programs;

• require distributors and external end users to agree to terms that protect it at least as much as this agreement;

• display your valid copyright notice on your programs; and

• indemnify, defend, and hold harmless Microsoft from any claims, including attorneys’ fees, related to the distribution or use of your programs.

C. Distribution Restrictions. You may not

• alter any copyright, trademark or patent notice in the Distributable Code;

• use Microsoft’s trademarks in your programs’ names or in a way that suggests your programs come from or are endorsed by Microsoft;

• distribute Distributable Code to run on a platform other than the Windows platform;

• include Distributable Code in malicious, deceptive or unlawful programs; or

• modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an Excluded License. An Excluded License is one that requires, as a condition of use, modification or distribution, that

• the code be disclosed or distributed in source code form; or

• others have the right to modify it.

5. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

6. Scope of License. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;

• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;

• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;

• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;

• work around any technical limitations in the Licensed Content;

• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;

• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;

• publish the Licensed Content for others to copy;

• transfer the Licensed Content, in whole or in part, to a third party;

• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;

• rent, lease or lend the Licensed Content; or

• use the Licensed Content for commercial hosting services or general business purposes.

• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

8. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

9. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

11. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

12. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

13. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

14. Disclaimer of Warranty. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

15. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.

EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues.

LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.

Cette limitation concerne:

• tout ce qui est relié au le contenu sous licence , aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers ; et

• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.

Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard.

EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.

Contents xi

Table of Contents

Introduction Introduction ...................................................................................................................................... iii Course Materials.............................................................................................................................. iv Microsoft Learning Product Types................................................................................................... vi Microsoft Learning ......................................................................................................................... viii Microsoft Certification Program ........................................................................................................x Facilities......................................................................................................................................... xiv About This Course.......................................................................................................................... xv Prerequisites................................................................................................................................. xvii Course Outline............................................................................................................................... xix Setup .............................................................................................................................................. xx Demonstration: Using Microsoft Virtual Server ............................................................................ xxii

Module 1: Maintaining Antivirus and Anti-spam Systems Overview....................................................................................................................................... 1-1 Lesson 1: Introduction to Antivirus and Anti-Spam Management ................................................ 1-2 Lesson 2: Implementing Anti-Spam Features ............................................................................ 1-11 Lesson 3: Implementing Antivirus Features ............................................................................... 1-40 Lab: Maintaining Antivirus and Anti-Spam Systems................................................................... 1-51

Module 2: Configuring Edge Transport Servers Overview....................................................................................................................................... 2-1 Lesson 1: Deploying Edge Transport Servers.............................................................................. 2-2 Lesson 2: Configuring Internet Message Delivery...................................................................... 2-24 Lesson 3: Configuring Security for Internet E-Mail..................................................................... 2-34 Lab: Configuring Edge Transport Servers.................................................................................. 2-52

Module 3: Implementing Messaging Policies Overview....................................................................................................................................... 3-1 Lesson 1: Introducing Messaging Policy and Compliance........................................................... 3-2 Lesson 2: Implementing Messaging Records Management ........................................................ 3-9 Lesson 3: Implementing Transport and Journaling Rules.......................................................... 3-18 Lab: Implementing Messaging Policies ...................................................................................... 3-32 Course Evaluation ...................................................................................................................... 3-38

Introduction

Table of Contents Introduction iii Course Materials iv Microsoft Learning Product Types vi Microsoft Learning viii Microsoft Certification Program x Facilities xiv About This Course xv Prerequisites xvii Course Outline xix Setup xx Demonstration: Using Microsoft Virtual Server xxii

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BizTalk, ForeFront, Internet Explorer, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, SmartScreen, Visual SourceSafe, Visual Studio, Windows, Windows NT, Windows PowerShell, Windows Server, Windows Vista, and Windows FX are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.1

Introduction iii

Introduction

iv Introduction

Course Materials

The following materials are included with your kit:

• Student workbook. The student workbook contains the material covered in class. • Student Materials CD. The Student Materials CD contains a Web page that provides

you with links to resources pertaining to this course, including additional readings, discussion answer keys, multimedia presentations, and course-related Web sites.

Note: To open the Web page, insert the Student Materials CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft® Certification Program, send e-mail to [email protected].

Introduction v

Document Conventions The following conventions are used in course materials to distinguish elements of the text.

Convention Use

Bold Represents commands, command options, and syntax that must be typed exactly as shown. It also indicates commands on menus and buttons, dialog box titles and options, and icon and menu names.

Italic In syntax statements or descriptive text, indicates argument names or placeholders for variable information. Italic is also used for introducing new terms, for book titles, and for emphasis in the text.

Title Capitals Indicate domain names, user names, computer names, directory names, and folder and file names, except when specifically referring to case-sensitive names. Unless otherwise indicated, you can use lowercase letters when you type a directory name or file name in a dialog box or at a command prompt.

ALL CAPITALS Indicate the names of keys, key sequences, and key combinations— for example, ALT+SPACEBAR.

monospace Represents code samples or examples of screen text.

[ ] In syntax statements, enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a file name with the command. Type only the information within the brackets, not the brackets themselves.

{ } In syntax statements, enclose required items. Type only the information within the braces, not the braces themselves.

| In syntax statements, separates an either/or choice.

Indicates a procedure with sequential steps.

... In syntax statements, specifies that the preceding item may be repeated.

.

.

.

Represents an omitted portion of a code sample.

vi Introduction

Microsoft Learning Product Types

Microsoft Learning offers the following instructor-led products. Each is specific to a particular audience type and level of experience. The different product types also tend to suit different learning styles. These types are as follows:

• Courses are for information technology (IT) professionals and developers who are new to a particular product or technology and for experienced individuals who prefer to learn in a traditional classroom format. Courses provide a relevant and guided learning experience that combines lecture and practice to deliver thorough coverage of a Microsoft product or technology. Courses are designed to address the needs of learners engaged in planning, design, implementation, management, and support phases of the technology adoption life-cycle. They provide detailed information by focusing on concepts and principles, reference content, and in-depth, hands-on lab activities to ensure knowledge transfer. Typically, the content of a course is broad, addressing a wide range of tasks necessary for the job role.

• Workshops are also for knowledgeable IT professionals and developers who learn best by doing and exploring. Workshops provide a hands-on learning experience in which participants use Microsoft products in a safe and collaborative environment based on real-world scenarios.

Introduction vii

• iWorker courses or Information Worker Courses are scenario-based courseware lines to compete in the desktop applications market. This scenario-based courseware line will fill a need for applications training that supports on-the-job performance improvement with business and productivity solutions (rather than feature-based training). The purpose of an iWorker course is to promote skills/ knowledge transfer in the context of business scenarios to accomplish business objectives by working individually or collaboratively to find answers. iWorker courses are aimed at users who have working knowledge of the technology and are interested in applying that knowledge in specific business scenarios.

• Clinics are for IT professionals, developers, and technical decision makers. Clinics offer a detailed “how to” presentation that describes the features and functionality of an existing or new Microsoft product or technology, and that showcases product demonstrations and solutions. Clinics focus on how specific features will solve business problems.

• First-look Clinics are products specifically designed to deliver early content or critical information that Product Groups or other internal customers need communicated quickly and broadly. The First Look products convey knowledge-based (not skills-based) information to an audience profile identified as high-level Business Decision Makers.

• Hands-on Labs provide IT professionals and developers with hands-on experience with an existing or new Microsoft product or technology. Hands-on labs provide a realistic and safe environment to encourage knowledge transfer by learning through doing. The labs provided are completely prescriptive so that no lab answer keys are required. There is very little lecture or text content provided in hands-on labs, aside from lab introductions, context setting, and lab reviews.

viii Introduction

Microsoft Learning

Microsoft Learning develops Official Microsoft Learning Product (OMLP) courseware for computer professionals who design, develop, support, implement, or manage solutions by using Microsoft products and technologies. These learning products provide comprehensive, skills-based training in instructor-led and online formats.

Additional Recommended Learning Products Each learning product relates in some way to other learning products. A related product may be a prerequisite, a follow-up course, clinic, or course in a recommended series, or a learning product that offers additional training.

Messaging Technology Specialist Curriculum for Microsoft Exchange Server 2007 The Messaging Technology Specialist curriculum is designed to enable professionals to target specific technologies and distinguish themselves by demonstrating in-depth knowledge and expertise in the broad range of specialized technologies. Microsoft Technology Specialists are consistently capable of implementing, building, troubleshooting, and debugging a particular Microsoft technology.

Introduction ix

It is recommended that you take the following learning products in this order:

• Course 5047A: Introduction to Installing and Managing Microsoft Exchange Server 2007

• Course 5049A: Managing Messaging Security Using Microsoft Exchange Server 2007

• Course 5050A: Recovering Messaging Servers and Databases Using Microsoft Exchange Server 2007

• Workshop 5051A: Monitoring and Troubleshooting Microsoft Exchange Server 2007

Other related learning products may become available in the future, so for up-to-date information about recommended learning products, visit the Microsoft Learning Web site.

Microsoft Learning Information For more information, visit the Microsoft Learning Web site at http://www.microsoft.com/learning/.

x Introduction

Microsoft Certification Program

Microsoft Learning offers a variety of certification credentials for developers and IT professionals. The Microsoft Certification Program (MCP) is the leading certification program for validating your experience and skills, keeping you competitive in today’s changing business environment.

Related Certification Exams This course helps students to prepare for Exam 70-236, TS: Exchange Server 2007, Configuring.

Exam 70-236 is a core exam for the Technology Series.

MCP Certifications The MCP program includes the following certifications.

MCITP

The new Microsoft Certified IT Professional (MCITP) credential allows IT professionals to distinguish themselves as experts in their specific area of focus. There is a straightforward upgrade path from the MCDBA certification to the new MCITP credentials. There are currently three IT Professional certifications—in database development, database administration, and business intelligence:

• Microsoft Certified IT Professional: Database Developer • Microsoft Certified IT Professional: Database Administrator • Microsoft Certified IT Professional: Business Intelligence Developer

Introduction xi

MCPD

The Microsoft Certified Professional Developer (MCPD) credential highlights developer job roles, featuring specific areas of expertise. There is a straightforward upgrade path from the MCAD and MCSD for Microsoft .NET certifications to the new MCPD credentials. There are three MCPD certification paths—in Web application development, Windows development, and enterprise applications development:

• Microsoft Certified Professional Developer: Web Developer • Microsoft Certified Professional Developer: Windows Developer • Microsoft Certified Professional Developer: Enterprise Applications Developer

MCTS

The Microsoft Certified Technology Specialist (MCTS) credential enables professionals to target specific technologies and distinguish themselves by demonstrating in-depth knowledge of and expertise in the technologies with which they work. There are currently five MCTS certifications:

• Microsoft Certified Technology Specialist: .NET Framework 2.0 Web Applications • Microsoft Certified Technology Specialist: .NET Framework 2.0 Windows

Applications • Microsoft Certified Technology Specialist: .NET Framework 2.0 Distributed

Applications • Microsoft Certified Technology Specialist: SQL Server™ 2005 • Microsoft Certified Technology Specialist: BizTalk® Server

MCDST on Microsoft Windows®

The Microsoft Certified Desktop Support Technician (MCDST) certification is designed for professionals who successfully support and educate end users and troubleshoot operating system and application issues on desktop computers running the Windows operating system.

MCSA on Microsoft Windows Server® 2003

The Microsoft Certified Systems Administrator (MCSA) certification is designed for professionals who implement, manage, and troubleshoot existing network and system environments based on the Windows Server 2003 platform. Implementation responsibilities include installing and configuring parts of systems. Management responsibilities include administering and supporting systems.

xii Introduction

MCSE on Microsoft Windows Server 2003

The Microsoft Certified Systems Engineer (MCSE) credential is the premier certification for professionals who analyze business requirements and design and implement infrastructure for business solutions based on the Windows Server 2003 platform. Implementation responsibilities include installing, configuring, and troubleshooting network systems.

MCAD for Microsoft .NET

The Microsoft Certified Application Developer (MCAD) for Microsoft .NET credential provides industry recognition for professional developers who use Microsoft Visual Studio® .NET and Web services to develop and maintain department-level applications, components, Web or desktop clients, or back-end data services, or who work in teams developing enterprise applications. The credential covers job tasks ranging from developing to deploying and maintaining these solutions.

MCSD for Microsoft .NET

The Microsoft Certified Solution Developer (MCSD) for Microsoft .NET credential is the top-level certification for advanced developers who design and develop leading-edge enterprise solutions by using Microsoft development tools and technologies as well as the Microsoft .NET Framework. The credential covers job tasks ranging from analyzing business requirements to maintaining solutions.

MCDBA on Microsoft SQL Server 2000

The Microsoft Certified Database Administrator (MCDBA) credential is the premier certification for professionals who implement and administer SQL Server 2000 databases. The certification is appropriate for individuals who derive physical database designs, develop logical data models, create physical databases, create data services by using Transact-SQL, manage and maintain databases, configure and manage security, monitor and optimize databases, and install and configure SQL Server.

MCP

The Microsoft Certified Professional (MCP) credential is for individuals who have the skills to successfully implement a Microsoft product or technology as part of a business solution in an organization. Hands-on experience with the product is necessary to successfully achieve certification.

MCT

Microsoft Certified Trainers (MCTs) demonstrate the instructional and technical skills that qualify them to deliver Official Microsoft Learning Products through a Microsoft Certified Partner for Learning Solutions (CPLS).

Introduction xiii

Certification Requirements

Certification requirements differ for each certification category and are specific to the products and job functions addressed by the certification. To earn a certification credential, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise.

Additional Information: See the Microsoft Learning Web site at http://www.microsoft.com/learning/. You can also send e-mail to [email protected] if you have specific certification questions.

Acquiring the Skills Tested by an MCP Exam Official Microsoft Learning Products can help you develop the skills that you need to do your job. They also complement the experience that you gain while working with Microsoft products and technologies. However, no one-to-one correlation exists between Official Microsoft Learning Products and MCP exams. Microsoft does not expect or intend for the courses to be the sole preparation method for passing MCP exams. Practical product knowledge and experience are also necessary to pass MCP exams.

To help prepare for MCP exams, use the preparation guides that are available for each exam. Each Exam Preparation Guide contains exam-specific information, such as a list of the topics on which you will be tested. These guides are available on the Microsoft Learning Web site at http://www.microsoft.com/learning/.

xiv Introduction

Facilities

Introduction xv

About This Course

This section provides you with a brief description of the course, objectives, and target audience.

Description This one-day course teaches messaging specialists how to manage messaging security and hygiene. You will learn to manage messaging and connection security, and manage spam, anti-virus, and content filtering. You will also learn how to install and configure an Edge Transport server. Additionally, you will learn to configure messaging policies in Exchange Server 2007.

Objectives After completing this course, you will be able to:

• Manage anti-spam and antivirus features. • Configure edge transport servers. • Implement message policies.

xvi Introduction

Audience The audience for this course includes people with experience with Exchange Server 2007 or previous versions of Exchange Sever. These people will have experience installing and configuring Exchange Server, configuring recipients and mailboxes, and supporting Exchange Server clients. Additionally, this audience is for people who are enterprise-level messaging administrators. People entering this course should have at least three years experience working in the Information Technology field—typically in the areas of network administration or Windows Server administration—and one year of Exchange Server administration experience.

Introduction xvii

Prerequisites

This course requires that you meet the following prerequisites:

• Working knowledge of malware. For example, approaches to scanning for viruses (client-based, SMTP-based, Exchange-based), methods that worms use to propagate, and basic concepts of spam, phishing schemes, and unwelcome message content.

• Working knowledge of how the directory manages Public Key Infrastructure (PKI). • Working knowledge of Windows Server 2003 operating system. For example, how

storage is configured, basic backup and restore techniques, and what a client/server application interaction means.

• Working knowledge of network technologies. For example, what TCP/IP and Domain Name System (DNS) do and how to use them, and basic routing concepts (Wide Area Network (WAN) vs. Local Area Network (LAN), router vs. switch vs. hub).

• Working knowledge of the Active Directory® directory service. For example, how it manages user objects; what is stored in Active Directory partitions; basic architectures (domain, forest, sites, etc.); how it manages domain controllers; site and site connector configuration; schema and configuration partitions; and Global Catalogs.

• Working knowledge of Exchange Server 2007. For example, what the different server roles are, how the roles interact, what protocols the server roles use to communicate, to which roles the clients connect, and how to configure messaging recipients and Exchange Server 2007 computers.

xviii Introduction

• Conceptual understanding of firewalls. For example, how Simple Mail Transfer Protocol (SMTP) messages are allowed through a firewall.

• Conceptual understanding of e-mail technologies. For example, that SMTP is a protocol used for e-mail and the differences between transport protocols and client access protocols (Post Office Protocol (POP), Internet Message Access Protocol (IMAP), SMTP).

• Experience using these tools and applications: • NTBackup

• NSLookup

• Windows Explorer

• Microsoft Management Console (MMC)

• Active Directory Users and Computers

• Active Directory Sites and Services

• Internet Information Services (IIS Admin

• Microsoft Office Outlook® 2003

• Completion of the following course, or equivalent knowledge: • Course 5047A: Introduction to Installing and Managing Microsoft Exchange

Server 2007

Important: This learning product will be most useful to people who intend to use their new skills and knowledge on the job immediately after training.

Introduction xix

Course Outline

Module 1: “Maintaining the Antivirus and Anti-Spam Systems” explains that one of the most significant issues in managing any messaging system is protecting the organization from unsolicited commercial e-mail (spam) and computer viruses that are transmitted by e-mail. These types of messages cost organizations significant amounts of money due to loss of productivity for users, or damage to the organization’s computers. In this module, you will learn what the tools are that Exchange Server 2007 provides for filtering most of these types of messages before they enter the Exchange Server organization.

Module 2, “Configuring Edge Transport Servers” describes the Edge Transport server role in Exchange Server 2007. The Edge Transport server role in Exchange Server 2007 is designed to provide spam filtering functionality and to provide options for securing Internet e-mail. This module describes how to deploy and configure Edge Transport servers.

Module 3: “Implementing Messaging Policies” discusses the new tools in Exchange Server 2007 for coping with a growing number of legal, regulatory, and internal policy and compliance requirements that relate to e-mail. Most organizations must be able to filter e-mail delivery based on different criteria and manage e-mail retention and deletion. This module provides details on how to configure the Exchange Server 2007 messaging policy and compliance features.

xx Introduction

Setup

This section provides the information for setting up the classroom environment to support the course’s business scenario.

Virtual Machine Configuration In this course, you will use Microsoft Virtual Server 2005 to perform the hands-on practices and labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps: 1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website. 2. Under Navigation, click Master Status. For each virtual machine that is running, point to the virtual machine name, and, in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.

Introduction xxi

The following table shows the role of each virtual machine used in this course:

Virtual machine Role

CAI-DC1 The domain controller for the Adatum.com domain and primary Exchange Server for practices and labs.

CAI-Edge1 This server used as a server running the Edge Transport server role in the practices and labs.

CAI-CL1 This computer is used as a client computer running Office Outlook 2007 in the practices and labs.

CAI-SRV1 This computer is used as an SMTP and POP3 server to simulate an external SMTP server in the practices and lab.

Software Configuration The following software is installed on the VM:

• Windows Server 2003, Service Pack 1, or Windows XP, Service Pack 2 • Exchange Server 2007 • Microsoft Office Outlook 2007

Classroom Setup Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught. This course requires that you have a computer that meets or exceeds hardware level 5, which specifies a 2.4–gigahertz (minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16 megabytes (MB) of video RAM, and a 7200 RPM 40-GB hard disk.

xxii Introduction

Demonstration: Using Microsoft Virtual Server

Ask if students are familiar with Microsoft Virtual PC and Virtual Server. If they are not, spend a few minutes describing how these tools work and describe the differences between Virtual PC and Virtual Server. Demonstrate how to perform each of the following tasks in Virtual Server. Stress the importance of shutting down the virtual machines and discarding the undo disks.

Virtual Server Demonstration In this demonstration, your instructor will help familiarize you with the Virtual Server environment in which you will work to complete practices and labs in this course. You will learn:

• How to connect to the Virtual Server Administration Website. • How to configure virtual machine configurations using the Virtual Server

Administration Website. • How to connect to a virtual machine using the Virtual Machine Remote Control

Client. • How to shut down a virtual machine without saving any changes.

Introduction xxiii

Keyboard Shortcuts While working in the Virtual Machine Remote Control Client environment, you might find it helpful to use keyboard shortcuts. All Virtual Server shortcuts include a key that is referred to as the HOST key or the RIGHT-ALT key. By default, the HOST key is the ALT key on the right side of your keyboard. Some useful shortcuts include:

• RIGHT-ALT+DELETE to log on to the Virtual PC. • RIGHT-ALT+ENTER to switch between full-screen and window modes.

For more information about using Virtual Server, see Virtual Server Help.

Module 1: Maintaining Antivirus and Anti-Spam Systems

Table of Contents Overview 1-1

Lesson 1: Introduction to Antivirus and Anti-Spam Management 1-2

Lesson 2: Implementing Anti-Spam Features 1-11 Lesson 3: Implementing Antivirus Features 1-40 Lab: Maintaining Antivirus and Anti-Spam

Systems 1-51







Version 1.1

Module 1: Maintaining Antivirus and Anti-Spam Systems 1-1

Overview

One of the most significant issues in managing any messaging system is protecting the organization from unsolicited commercial e-mail (spam) and computer viruses that are transmitted by e-mail. These types of messages cost organizations significant amounts of money due to productivity loss for users or damage to the organization’s computers. Exchange Server 2007 provides tools for filtering most of these types of messages before they enter the Exchange Server organization.

Objectives After completing this module, you will be able to:

• Explain how to manage antivirus and anti-spam solutions. • Implement anti-spam features. • Implement antivirus features.

1-2 Module 1: Maintaining Antivirus and Anti-Spam Systems

Lesson 1: Introduction to Antivirus and Anti-Spam Management

Protecting an organization from spam and viruses is an ongoing task for messaging administrators. As message administrators deploy new technologies and employ new strategies for stopping these messages at the network edge, spam writers and virus writers develop new techniques to bypass the antivirus and anti-spam solutions. As a messaging administrator, you must be prepared to address current and future spam and virus threats.

Objectives After completing this lesson, you will be able to:

• Describe the current state of virus and spam control. • Describe the defense-in-depth approach. • Describe what Exchange Hosted Services are. • Explain how Exchange Hosted Services works.


Discussion: The Current State of Virus and Spam Control

The types of spam and viruses that messaging administrators need to deal with are constantly changing. In this discussion, detail your experiences with spam and viruses.

Discussion Questions Consider the following questions in your discussion:

Q: Do you consider spam and viruses big problems in your organizations? Approximately what percentage of your organization’s e-mail messages is spam?

A: Possible answers: The answers will vary among students, depending on the current state of their organizations’ virus and spam control. Some organizations have very effective defenses against these types of e-mail messages, and it may not be an issue. Other organizations may have significant problems with these types of e-mail messages. As spam and virus writers develop new techniques to bypass spam and virus defenses, more students will see this as a significant issue.

Q: How are you protecting your network from spam and virus issues?

A: Answers will vary. Some organizations may be using the Exchange Server 2007 or Exchange Server 2003 tools. Other organizations may be using third-party solutions.


Q: How do spam writers try to defeat your defenses?

A: Answers will vary. As the defenses against spam improve, spam writers will constantly try new ways to evade the defenses, including:

• Using open relays to forward spam (to defeat block lists). An open relay is a Simple Mail Transfer Protocol (SMTP) server that allows unauthorized users who are outside the organization to send e-mail messages to other users who are outside the organization. On the recipient e-mail server, the messages originate from the open relay server.

• Spoofing source IP addresses and source domains (to defeat block lists). When spam writers spoof IP addresses and source domains, they substitute a false IP address as the source address or a false domain name as the source domain name.

• Encrypting message comments to defeat content scanning. • Phishing e-mail messages. Phishing e-mail messages are sent to a user falsely

claiming to be a legitimate enterprise to encourage the user to provide private information. Phishing e-mail messages often direct the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers. This information often is used for identity theft.

Q: How do virus writers try to defeat your defenses?

A: Answers will vary. As the defenses against viruses get better, virus writers will constantly try new ways to get around the defenses. These techniques include encrypting message comments to defeat content scanning.

Q: How successful are your protection mechanisms?

A: Answers will vary. Antivirus software vendors are very responsive to any new virus outbreaks, and most organizations have implemented very effective antivirus solutions. So typically, the protection mechanisms can be very effective for an extended time. However, as virus writers develop viruses that are significantly different from any previously seen, organizations can still suffer significant virus damage.


Defense-in-Depth Approach to Antivirus and Anti-Spam Management

To protect your network from spam and viruses that are constantly changing, it is important to deploy your defense at multiple layers in your organization.

What Is a Defense-in-Depth Approach? A defense-in-depth approach enhances your network’s security by deploying defenses at different network locations or levels. For example, to secure your network, you deploy a firewall at the network edge, but you also secure all servers and clients behind that firewall by deploying host-based firewalls, implementing network segments, and physically securing computers and network devices.

One of the key components in a defense-in-depth approach to security is to design each layer as if it were the only security layer in place to prevent a security breach. This means that each layer is designed carefully and maintained to ensure that the layer remains secure if the other layers are compromised.


Applying the Defense-in-Depth Model to the Messaging Organization Applying the defense-in-depth security model to your messaging organization means that you will implement defenses against viruses and spam at multiple levels in the organization. These levels include:

• Client computer-based solutions. You should install and maintain client-side antivirus software on all of the clients that connect to your network, including remote clients. Additionally, you should enable the anti-spam and anti-phishing features available in messaging clients such as Microsoft® Office Outlook® 2007 and Office Outlook 2003, and the anti-phishing features in Microsoft Internet Explorer® 7.

• Exchange Server-based solutions. You should also install server-side antivirus software on every Mailbox server and Hub Transport server in your organization. On Mailbox servers, antivirus software scans mailbox and public folder databases. On Hub Transport servers, antivirus software scans messages as they are sent between users. You also can deploy spam filters on Hub Transport servers to filter messages for spam sent inside your organization.

Caution: Any file-level scan of your Exchange Server must exclude Exchange database files (*.edb and *.log files) from being scanned. This prevents antivirus software from corrupting the database when it attempts to clean a virus from one of these files.

• Internet edge-based solutions. Antivirus and anti-spam software should also be deployed on the SMTP server that is directly accessible from the Internet. This software scans files as they enter the organization, thereby stopping the viruses and spam before they get into, or out of, the network. Most SMTP gateway antivirus and anti-spam software enables you to specify how spam or messages with viruses are processed. For example, you can: • Configure the software to remove an attachment containing virus.

• Send a notification e-mail message to an administrator.

• Hold the suspect message in quarantine for later review.

The Edge Transport server role in Exchange Server 2007 is designed to operate as the Internet edge-based solution for SMTP e-mail messages.

• User-based solutions. The defense-in-depth model also includes a user education and policy component. Your antivirus and anti-spam strategy should include a plan for educating users about viruses and spam. Educating users includes making them aware of current threats, as well as the importance of keeping their computer systems up-to-date with the latest signature files and security updates. If you educate users, they may help prevent a virus from spreading if it infects their system.


What Is Exchange Hosted Services?

Microsoft Exchange Hosted Services provides another layer in the defense-in-depth model for messaging security. With Exchange Hosted Services, you can transfer the management of key messaging security functions to a hosted solution outside your organization, without making changes to your existing e-mail infrastructure. This means that the most critical security issues related to e-mail messages are dealt with well before the e-mail messages reach your SMTP gateway servers.

Managed Message-Related Services Microsoft Exchange Hosted Services offers managed message-related services, including e-mail and instant message archival, content and policy enforcement, protection against spam and viruses, disaster recovery, e-mail encryption, and e-mail continuity. These services fall into four broad categories.

• Exchange Hosted Archive. Many organizations are required by law to retain certain messages. Because of the amount of business that is conducted by e-mail, many organizations would like to preserve electronic records in much the same way as they currently preserve paper records. Exchange Hosted Services provides a messaging archive solution that organizations can use to ensure that the messages meeting specified criteria are archived at the Exchange Hosted Services data center. The messages in the archive are accessible to users within the organization.


• Exchange Hosted Continuity. As organizations increasingly rely on e-mail communication, the impact of losing message-related services becomes critical. Exchange Hosted Services can provide services that ensure continuous access to messaging services during network outages. All Internet messages are sent first to the Exchange Hosted Services messaging servers, and these messages can be queued at the service location for five days if the organization’s mail servers are not available. Users can access the messages at the Exchange Hosted Services location. In addition, all messages sent to the organization from the Internet or internally within the organization can be stored at the Exchange Hosted Services location for 30 days.

• Exchange Hosted Filtering. Exchange Hosted Services provides complete filtering services to block unwanted e-mail messages from entering the organization. Exchange Hosted Services uses at least three different antivirus engines to scan all messages. Exchange Hosted Services also applies anti-spam filters and policy enforcement based on the organization’s requirements for inbound and outbound messages.

• Exchange Hosted Encryption. Organizations can use Exchange Hosted Encryption to send secured e-mail messages to recipients in other organizations. Exchange Hosted Encryption uses Identity-Based Encryption (IBE) technology, which uses a recipient’s e-mail address as the public key rather than requiring a client certificate on each client.

Note: For more information on Microsoft Exchange Hosted Services, see the Microsoft Exchange Hosted Services site at http://www.microsoft.com/exchange/ services/default.mspx.


How Exchange Hosted Services Works

As a messaging administrator, you should know that Exchange Hosted Services is a subscriber-based service. When an organization subscribes to the service, the mail exchange (MX) resource record in the Domain Name System (DNS) that identifies the organization is modified. The MX resource record then routes messages to the messaging servers located in Microsoft data centers.

The following points describe how Exchange Hosted Services integrates with an organization’s e-mail infrastructure:

• Inbound messages. Because the Exchange Hosted Services messaging servers are identified by the MX records as the organization’s messaging servers, all inbound messages are sent to one of the Exchange Hosted Services data centers. All inbound messages are filtered for viruses and spam, and policies are applied to the messages. The messages are then forwarded, using secure SMTP e-mail, to the organization’s message servers. Users can then access e-mail using their regular e-mail clients. Users also can access e-mail messages directly on the Exchange Hosted Services servers if the local messaging service fails.


Best Practice: As a security best practice, you should configure the SMTP gateway server on your network to accept only SMTP connections from Exchange Hosted Services messaging servers. This prevents anyone from sending messages directly to your organization. The configuration process for an Exchange Server 2007 Edge Transport server to accept connections from only specific external SMTP hosts is discussed in the next module.

• Outbound messages. All outbound messages can also be sent through the Exchange Hosted Services messaging servers for antivirus scanning and policy application.

• Message archival. All messages sent from the Internet are scanned and the archival policies are applied to the messages. Additionally, all messages sent within the organization are copied to the Exchange Hosted Services messaging servers, where the archival rules are applied to the messages. Users can access the archived messages with a secure Web interface.

• Message encryption. When a user sends a secure e-mail message, the message is sent directly from the client to a gateway server at the Exchange Hosted location. The message is encrypted using Transport Layer Security (TLS). When a message is encrypted, a private key for the recipient is created and stored at the Exchange Hosted Services location. Upon receiving an encrypted message, the recipient completes a two-step authentication process through e-mail answerback to verify the recipient’s identity. After completing the authentication process, the recipient can decrypt, view, and reply to the message using a clientless, browser-based method named Zero Download Messenger (ZDM). The encrypted message also remains accessible in the recipient’s e-mail inbox.


Lesson 2: Implementing Anti-Spam Features

Exchange Server 2007 provides a comprehensive set of anti-spam features. Implementing these features enables you to decrease significantly the spam that your organization receives.


• List spam filtering requirements. • Explain how connection filtering works. • Explain how real-time block lists work. • Configure sender and recipient filtering. • Explain how sender ID filtering works. • Explain how content filtering works. • Explain how sender reputation filtering works. • Explain how safelist aggregation works. • Explain how Exchange Server 2007 applies spam filters.


Discussion: Spam Filtering Requirements

There are many different spam filtering solutions available, with each solution providing similar features. As you select the appropriate spam filtering solution for your organization, there are several factors to consider.


Q: What functionality do you look for in a spam filtering solution?

A: Answers should include options such as:

• Blocking specific IP addresses of known spam senders. • Blocking specific senders or specific domains. • Blocking messages based on message content. • Blocking messages based on external providers such as real-time block list providers. • Options for tuning the spam filtering solution to reduce false positives. • Blocking as much spam as possible at the Internet edge.


Q: What kind of administrative features do you look for?

A: Answers should include features such as:

• Integration with current administrative tools. • Easy access to quarantine locations and easy detection of false positives. • Easy access to reports that provide details on spam senders, spam recipients, and the

number of messages archived and deleted. • Ability to suspend all spam filtering for specific mailboxes.

Q: What kind of client features do you look for?

A: Answers should include features such as:

• Users should be able to define approved sender lists and blocked sender lists. These lists should be propagated to the SMTP gateway server.

• Users should be able to tune the spam settings to a limited extent. • Users should be able to access quarantined messages and choose whether a message

is spam.


How Connection Filtering Works

As a messaging administrator, you should know how connection filtering works. Connection filtering determines what action to take on an inbound message based on the IP address of the remote SMTP server. When a remote SMTP server initiates an SMTP connection with the Exchange Server 2007 server, the Connection Filtering agent compares the remote server’s IP address to IP addresses defined by allow lists or block lists. By configuring the IP addresses for trusted SMTP servers in the IP Allow list, you can ensure that messages from those remote servers always are accepted. By adding the IP addresses of SMTP servers to the IP Block list, you can ensure that all SMTP connections from those servers are dropped before any message contents are accepted.

Note: The Connection Filtering agent is enabled by default on computers that have the Edge Transport server role installed. You can enable the agent on computers that have the Hub Transport server role installed. You should enable the Connection Filter agent only on the SMTP server that is directly accessible from the Internet. In most cases, this will be the Edge Transport server or a third-party SMTP gateway server.

When you enable the Connection Filter agent, the Connection Filter agent is the first anti-spam agent to run when an inbound message is evaluated.


IP Block Lists and IP Allow Lists When an inbound message is submitted to an Edge Transport server on which the Connection Filter agent is enabled, the source IP address of the SMTP connection is checked against IP Allow lists and IP Block lists. If the source IP address is listed on an IP Allow list, the message is sent to the destination without additional processing by other anti-spam agents. If the source IP address is listed on an IP Block list, the SMTP connection is dropped after all RCPT TO headers in the message are processed.

Note: The Connection Filter agent does not apply the IP Block lists or IP Allow lists until it processes the spam filtering configurations of the intended recipients. This information is provided by the RCPT TO header. If any of the intended recipients are configured to bypass all spam filtering, the connection will be accepted.

The IP Allow lists and IP Block lists must be manually configured by the Exchange Server administrator. When you configure these lists, you can assign individual IP addresses or address ranges. When you configure IP Block lists, you can also configure an expiration time so that connections from a specific IP address are blocked for a specific length of time. For example, you may choose to temporarily block the IP address of an SMTP server that you know is forwarding e-mail messages containing viruses.

Note: You can also configure IP Allow list providers and IP Block List providers in Exchange Server 2007. These lists also use connection filtering. The main difference is that by using list providers, you do not need to manually configure the IP Allow lists and IP Block lists.


How Real-Time Block Lists Work

Internet service providers compile real-time block lists (RBL) that contain the IP addresses of SMTP servers that propagate spam. To use RBL, you must subscribe to the Internet service provider. After you subscribe and your organization is authorized to query a provider’s RBL, you can configure an IP Block list provider on the Exchange Server. Use this list to query the RBL to verify the IP addresses of SMTP hosts attempting to send your organization mail.

RBL Limitations Although block lists can reduce the amount of unsolicited e-mail messages that you receive, they have some limitations, such as:

• Block lists also can block legitimate e-mail messages because some domains may be incorrectly on the block list. If a legitimate organization is mistakenly on an RBL, they must issue a request to the RBL provider to get their organization’s IP address removed from that list. Depending on the list provider, this request could take up to 72 hours. In this case, an exception filter rule should be created to temporarily allow affected e-mail to enter your organization. In most cases, legitimate organizations are added to RBLs because they allow open relaying. Open relaying or mail relaying is when an unauthorized user sends e-mail messages from another system’s e-mail server to make it appear that the messages originated from the other system.


• Block lists cannot completely prevent unsolicited e-mail messages because people who send this type of e-mail message use a variety of tactics to evade block lists, such as spoofing (or forging), subject headers, or using third-party servers to send the mail.

Important: Even though RBLs can significantly reduce the number of unsolicited commercial e-mail messages from entering your organization, it can also negatively impact the performance of your SMTP servers because they must query the RBL provider for each SMTP connection.

The Connection Filtering Process Using RBLs Following are the steps in the connection filtering process using RBLs:

1. When you configure an IP Block List provider, the Connection Filter agent on the Edge Transport server examines the IP address for each incoming SMTP connection attempt.

2. The Connection Filter agent uses a DNS query to contact the block list provider.

3. The provider checks for the existence of a host record in the DNS database. The Connection Filtering agent queries for this information in a specific format. For example, if the connecting IP address is 192.168.5.1 and the block list provider is RBL.msft, Exchange queries for the existence of the following record:

1.5.168.192.RBL.msft IN A 127.0.0.x

4. The block list provider issues one of two responses:

Responses Description

127.0.0.x status code. This response indicates that the IP address was on the block list, and it also lists the type of offense, such as known source of unsolicited e-mail or known relay server. Depending on the Exchange server configuration and the return code, the Connection Filtering agent may drop the SMTP connection attempt.

Host not found. This response indicates that the IP address was not on the block list. The Connection Filtering agent will then accept the SMTP connection.

Note: Block list providers may use a variety of return codes. Many of them use a return code of 127.0.0.x, where x may have several different values, each indicating a different reason for why the SMTP address is listed on the RBL.


Block List Exceptions You can configure exceptions to connection filter rules. You can choose to allow e-mail messages to be delivered to specific recipients regardless of whether the SMTP server is on a block list. For example, a legitimate company may be blocked from sending e-mail messages to your company because they have inadvertently configured open relaying. If an exception is configured for an e-mail recipient and a match is found, Exchange Server will accept e-mail messages from the SMTP address.

Note: Block list exceptions are based on recipient SMTP addresses. You also can bypass the block list for a specific IP address by adding the address to an IP Allow list.


Demonstration: How to Configure Sender and Recipient Filtering

Another spam filtering option is to use sender and recipient filtering. Your instructor will demonstrate how to use this spam filtering alternative.

Discussion Questions After the instructor completes the demonstration, answer the following questions:

Q: Under what circumstances would you use sender filtering?

A: Use sender filtering to block these messages:

• Sent from a specific user or specific domain. • If spam messages are coming from a specific user or specific domain and the other

spam filters are not blocking the messages.

Q: Under what circumstances would you use recipient filtering?

A: Use recipient filtering to prevent:

• Specific recipients from receiving Internet e-mail messages. • Distribution groups from receiving Internet e-mail messages.


Q: What are the benefits and disadvantages of using these filtering types?

A: The primary benefit is that it provides one more tool to block spam. For example, using recipient filtering to block all Internet e-mail for a specific user or group may be very useful.

The primary disadvantage is that it is a manual process to manage these lists. Spam writers use many different e-mail addresses and domains when sending spam. It will require considerable administrative effort to maintain a current block list.

Note: You can see a detailed list of this module’s demonstration steps on the Student Material compact disk. Please refer to the demonstration steps after class or during the lab if needed.


How Sender ID Filtering Works

The Sender ID Framework is an industry standard that verifies that each e-mail message originates from an SMTP server authorized to send messages for a specific Internet domain. The Sender ID Framework provides the standards that are used in Sender ID filtering. The Sender ID Framework provides protection against e-mail domain spoofing and against phishing schemes. By using the Sender ID Framework, e-mail senders can register all e-mail servers that will send messages from their SMTP domain. E-mail recipients then can filter domain messages that do not come from the specified servers.

Sender Policy Framework (SPF) records To enable Sender ID filtering, each e-mail sender must create a sender policy framework (SPF) record and add it to the DNS records of the e-mail sender’s domain. The SPF record is a single TXT record in the DNS database that identifies each domain’s e-mail servers.


SPF records can use several formats. Two are shown in the table below:

Format Description

Adatum.com. IN TXT “v=spf1 mx -all” Indicates that any server identified by an MX record for the adatum.com domain is allowed to send e-mail for that domain.

Mail IN TXT “v=spf1 a -all” Indicates that the host Mail is allowed to send mail.

Adatum.com IN TXT “v=spf1 ip4:10.10.0.20 –all” Indicates that a server with the IP address 10.10.0.20 is allowed to send mail for the adatum.com domain.

For more information: Microsoft provides a wizard to create the SPF records for your organization. The wizard is accessible on the Sender ID Framework Record Wizard page on the Microsoft Web site.

Sender ID Configuration Sender ID filtering in Exchange Server 2007 can be implemented on Hub Transport and Edge Transport servers. Because Sender ID filtering requires that the receiving SMTP server receive the messages directly from the sending SMTP server, you can implement Sender ID filtering only on the SMTP server that accepts Internet messages directly.

You can configure the following settings for Sender ID from the Exchange Management Console:

Settings Description

Reject Message. Choose this option if you want the Sender ID filter to reject the mail on the SMTP protocol level and issue a non-delivery report (NDR) message. Specifically, Sender ID will prompt Exchange Server to send a 550 5.7.1 NDR message to the sending SMTP server.

Delete Message. Choose this option if you want the Sender ID filter to accept the mail, and then delete it without sending the non-delivery report (NDR) to the user.

Stamp message with Sender ID result and continue processing.

Choose this option if you want the Sender ID filter to stamp the validation results to the message. This is the default option. The Sender ID result is added to the header of the message, and then processed by the Content Filter agent to assign a spam confidence level score.


How Sender ID Filtering Works The following steps show at a high-level how Server ID filtering works:

1. The message is sent to the recipient organization.

2. The recipient SMTP gateway server queries DNS for the SPF record.

3. If the SPF record matches the sending SMTP server, the SMTP gateway server forwards the message.

4. If the SPF record does not match, the SMTP gateway server may drop the message or forward it with additional header information.


How Content Filtering Works

Content filtering is a valuable means to reduce the spam sent to user mailboxes. By configuring content filtering, you can block or quarantine spam based on the actual message contents, regardless from which SMTP server the message is coming.

What Is Content Filtering? The Content Filter agent uses the SmartScreen Content Filter (SSCF) to analyze the content of every e-mail message to evaluate whether the message is spam. SSCF is an intelligent spam-filtering solution based on Microsoft research’s patented computer-learning technology. By evaluating millions of e-mail messages, SmartScreen technology learns how to distinguish between legitimate e-mail messages and spam, and also detects phishing URLs embedded in e-mail messages.

When a message is sent to the Edge Transport server, the Content Filter agent evaluates the message contents for recognizable patterns, and assigns a rating based on the probability that the message is spam. This rating is attached to the message as a property called a spam confidence level (SCL). The SCL rating is a numerical value between 0 and 9. A rating of 0 indicates that the message is highly unlikely to be spam, whereas a rating of 9 indicates that the message is very likely to be spam. This rating persists with the message when it is sent to other servers running Exchange Server.

Depending on how the content filter is configured, the message is either rejected, silently deleted, or quarantined if the message’s SCL score is greater than or equal to the configured threshold.


Content Filtering Configuration Content filtering is enabled by default on Exchange Server 2007 Edge Transport servers and is configured to reject all messages with an SCL higher than seven. You can modify the default Content Filtering settings by using either the Exchange Management Console or the Exchange Management Shell. You can configure content filtering to:

• Block or allow messages based on custom words. You can specify a list of key words or phrases to prevent blocking of a message containing those words. This feature is useful if your organization must receive e-mail that contains words that would normally be blocked. Additionally, you can specify key words or phrases that will cause the Content Filter agent to block a message.

• Allow exceptions. You can configure exceptions so that messages to recipients on the exceptions list are excluded from content filtering.

• Specify actions. You can configure the SCL thresholds and threshold actions. You can configure the Content Filter agent to delete, reject, or quarantine messages with an SCL higher than a specified value.

Note: When the Content Filter agent rejects a message, it uses the default response of 550 5.7.1 Message rejected due to content restrictions. Customize this message using the Set-ContentFilterConfig command in the Exchange Management Shell.

Configuring the Quarantine Mailbox When the SCL value for a specific message exceeds the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. Before you can configure this option on the Edge Transport server, you must configure a mailbox as the quarantine mailbox by using the Set-ContentFilterConfig –QuarantineMailbox command. As a messaging administrator, you should regularly check the quarantine mailbox to ensure that the content filter is not filtering legitimate e-mail messages.

Note: Messages are sent to the quarantine mailbox only when the SCL threshold exceeds the configured value on the content filter. The Get-AgentLog command produces a raw listing of all actions performed by transport agents. To see details on all actions that transport agents perform on an Edge Server, use the scripts located in the C:\Program Files\Microsoft\Exchange Server\Scripts folder. The folder contains several scripts that produce formatted reports listing information such as the top blocked sender domains, the top blocked senders, and the top blocked recipients. By default, the transport agent logs are located at C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog.


How Sender Reputation Filtering Works

Most spam filtering options are static configurations that do not change frequently. You should know that Sender reputation filtering, in contrast, is a dynamic list that is created by the Exchange Server based on real-time data about messages sent from a specific sender.

What Is Sender Reputation Filtering? The sender reputation feature in Exchange Server 2007 makes message filtering decisions based on information about recent e-mail messages received from specific senders. The Sender Reputation agent analyzes various statistics about the sender and the e-mail message to create a sender reputation level (SRL). This SRL is a number between zero and nine, where a value of zero indicates there is less than a 1 percent chance that the sender is a spam writer and a value of nine indicates there is more than a 99 percent chance that the sender is a spam writer. If a sender appears to be the spam source, the IP address for the SMTP server sending the message can be added automatically to the blocked list.


How Sender Reputation Filtering Works When the Edge Transport server receives the first message from a specific sender, the SMTP sender is assigned an SRL of 0. As more messages arrive from the same source, the Sender Reputation agent evaluates the messages and begins to adjust the sender’s rating of the sender. The Sender Reputation agent uses the following criteria to evaluate each sender:

• Sender open proxy test. An open proxy is a proxy server that accepts connection any SMTP server requests from any SMTP server and forwards messages as if they originated from the local host. This is also known as an open relay server. When the Sender Reputation agent calculates an SRL, it formats an SMTP request to en able connection back to the Edge Transport server from the open proxy. If an SMTP request is received from the proxy, the Sender Reputation agent verifies that the proxy is an open proxy and updates that sender’s open proxy test statistic.

• HELO/EHLO analysis. The HELO and EHLO SMTP commands are intended to provide the domain name, such as contoso.com, or IP address of the sending SMTP server to the receiving SMTP server. Spam writers frequently modify the HELO/EHLO statement to use an IP address that does not match the IP address from which the connection originated or to use a domain name that is different from the actual originating domain name. If the same sender uses multiple domain names or IP addresses in the HELO or EHLO commands, there is an increased chance that the sender is a spam writer.

• Reverse DNS lookup. The Sender Reputation agent also verifies that the originating sender’s IP address matches the registered domain name that the sender submits in the HELO or EHLO SMTP command. The Sender Reputation agent performs a reverse DNS query by submitting the originating IP address to DNS. If the domain names do not match, the sender is more likely to be a spam writer and the overall SRL rating for the sender is adjusted upward.

• Analysis of SCL ratings on messages from a particular sender. When the Content Filter agent processes a message, it assigns an SCL rating to the message. The Sender Reputation agent analyzes data about each sender’s SCL ratings. This info is used when calculating the SRL rating.

The Sender Reputation agent calculates the SRL for each unique sender over a period of time. When the SRL rating exceeds the configured limit, the IP address of the sending SMTP server is added to the IP Block list for a period of time.

Sender Reputation Configuration You can configure the sender reputation settings on the Edge Transport server. By using the Exchange Management Console, you can configure the sender-reputation block threshold and configure how long a sender remains on the IP Block list. By default, IP addresses remain on the Block list for 24 hours.


How Safelist Aggregation Works

Messaging administrators configure most spam filters on Exchange servers. However, users are often the best judges about whether a specific message is spam. If a user adds approved senders to their Safe Senders list, you should know that the Exchange server can use that information to ensure that messages from approved senders are not blocked.

What Is Safelist Aggregation? Safelist aggregation refers to anti-spam functionality that is shared across Microsoft Office Outlook and Microsoft Exchange. As users receive e-mail messages, they can add the message sender to a Safe Senders List or a Blocked Senders List. Based on this list, Outlook can deliver messages to the user Inbox or to the Junk E-Mail folder. When you enable safelist aggregation, the Safe Senders List that users have configured in Outlook is replicated to the Exchange server where it is used by the anti-spam agents on the Edge Transport server. Safelist aggregation can help reduce false positives in anti-spam filtering, and also provides users with more control over how their messages are filtered.

How Safelist Aggregation Works The safelist collection is stored on the user's Mailbox server. The user configures the safelist collection by adding contacts to the Safe Recipients Lists or Safe Senders Lists in Office Outlook or through Microsoft Outlook Web Access. A user can have up to 1,024 unique entries in a safelist collection.


The safelist collection is stored on the user's mailbox, but you can replicate this information into the Active Directory® directory service, where the safelist collection is then stored on each user object. If you have EdgeSync enabled, the safelist collection is replicated to the Edge Transport server during edge synchronization. The Content Filter agent on the Edge Transport server can access each recipient’s safelist collection. If a contact is listed in a user's safelist, the Content Filter agent accepts the message and forwards it to the mailbox server without applying any spam filtering.

Implementing Safelist Aggregation To implement safelist aggregation, you must run the Update-SafeList command for each mailbox on the Mailbox servers. When you run this command, Exchange reads the safelist collection from the Outlook user mailbox, hashes each entry, sorts the entries for easy search, and then converts the hash to a binary attribute. If the safelist collection is unchanged, no updates occur to the value in Active Directory. If the safelist collection has changed, the command updates the safelist aggregation value in Active Directory.

Important: If you have a large number of mailboxes in your organization, you will create a significant amount of Active Directory replication traffic the first time you run the Update-SafeList command. You should run this command for the first time during nonbusiness hours.

The Update-SafeList command updates two attributes on each user object:

• msExchSafeRecipientsHash. Stores the hash of each user’s Safe Recipients List collection.

• msExchSafeSendersHash. Stores the hash of each user’s Safe Senders List collection.

If a hexadecimal string is present on the attribute, the user object is updated. If the attribute has a value of <Not Set>, the attribute is not updated. You can view these attributes by using ADSIEdit.msc for Active Directory and Active Directory Application Mode (ADAM) Active Directory Service Interfaces (ADSI) Edit on the Edge Transport server.

Best Practice: After the initial aggregation, you should schedule the Update-SafeList command to run on a regular basis. You can use the Microsoft Windows Server® At command to schedule this command.


How Exchange Server 2007 Applies Spam Filters

It is important for you to know that Exchange Server 2007 provides several different ways to protect organizations from spam. The different filters are applied in a specific order on the Edge Transport servers.

Exchange Server 2007 Spam-Filtering Process The Edge Transport server role in Exchange Server 2007 uses spam-filtering agents to examine each SMTP connection and the messages sent through it. When an SMTP server on the Internet connects to the Edge Transport server and initiates an SMTP session, the Edge Transport server examines each message using the following sequence:

1. When the SMTP session is initiated, the Edge Transport server applies connection filtering by using the following criteria:

• Connection filtering examines the administrator-defined IP Allow list. Administrators may include the IP addresses for SMTP servers at partner organizations in the IP Allow list. If an IP address is on the administrator-defined IP Allow list, no other filtering is applied and the message is accepted.


• Connection filtering examines the local IP Block list. Administrators may include the IP addresses for the SMTP servers of known spam writers, or other servers from which the organization does not want to receive e-mail in the IP Allow list. If the IP address of the sending server is found on the local IP Block list, the message is rejected automatically and no other filters are applied.

• Connection filtering examines the RBL of any IP Block list providers that you have configured. If the sending server’s IP address is found on an RBL, the message is rejected, and no other filters are applied.

2. The Edge Transport server compares the sender’s e-mail address with the list of senders configured in sender filtering. If the SMTP address is a blocked recipient or domain, the server may reject the connection and no other filters are applied. Additionally, you can configure the server to accept the message from the blocked sender, but stamp the message with the blocked sender information and continue processing. The blocked sender information is included as one of the criteria when content filtering processes the message.

3. The Edge Transport server examines the recipient against the Recipient Block list configured in recipient filtering. If EdgeSync is enabled, the Edge Transport server can use the information about recipient filtering from Active Directory. If the intended recipient matches a filtered e-mail address, the Edge Transport server rejects the message for that particular recipient. If multiple recipients are listed on the message and some are not on the Recipient Block list, further processing is done on the message.

4. Exchange Server 2007 applies Sender ID filtering. Depending on how the Sender ID is configured, the message might be deleted, rejected, or accepted. If the message is accepted, the Sender ID validation failure is added to the message properties. The failed Sender ID status will be included as one of the criteria when content filtering processes the message.

5. The Edge Transport server applies content filtering and performs one of the following actions:

• Content filtering compares the sender to the senders in the safelist aggregation data from Office Outlook users. If the sender is on the recipient’s Safe Senders List, the message is sent to the user’s mailbox store. If the sender is not on the recipient’s Safe Senders List, the message is assigned a spam confidence level (SCL) rating.


• If the SCL rating is higher than one of the configured Edge Transport server thresholds, content filtering takes the appropriate action of deleting, rejecting, or quarantining the message.

• If the SCL rating is lower than one of the Edge Transport server thresholds, the message is passed to a Hub Transport server for distribution to the Exchange Mailbox server that contains the user’s mailbox.

Tip: You can bypass all spam filtering for a specific recipient by setting the AntispamBypassEnabled property on the user’s mailbox. When you set it to True, all the filtering is bypassed and the message is delivered directly to the recipient’s mailbox. To configure this setting, use the Set-Mailbox –Identity mailboxname -AntispamBypassEnabled $true command.


Practice: Implementing Anti-Spam Features

Goal The goal of this practice is for you to configure anti-spam settings on the Edge Transport server. Begin by configuring connection filters, including IP Block List providers and IP Allow lists. Then, configure Sender ID and sender reputation filtering. Also, configure content filtering and safelist aggregation.

Preparation Ensure that the 5049A-CAI-DC1, 5049A-CAI-Edge1, and 5049A-CAI-SRV1 virtual machines are running. Log on to the computers as Administrator with the password Pa$$w0rd.

Complete the following steps to implement an Edge Subscription between the Hub Transport server and the Edge Transport server.

1. On CAI-Edge1, click Start, point to All Programs, Microsoft Exchange Server 2007, and then click Exchange Management Shell.

2. At the prompt type the following and then press ENTER: D:\Mod01\Labfiles\EdgeScript.ps1 Press ENTER at the confirmation.

3. At the prompt type the following and then press ENTER: D:\Mod01\Labfiles\CopyEdgeScript.cmd

4. Close the Exchange Management Shell.


5. On CAI-DC1, click Start, point to All Programs, Microsoft Exchange Server 2007, and then click Exchange Management Shell.

6. At the prompt type the following and then press ENTER: C:\ImportEdgeSub.ps1

7. At the prompt type the following and then press ENTER: Start-EdgeSynchronization


Introduction In this practice, you will:

• Configure connection filtering. • Configure a Real-Time Block List provider. • Configure Sender ID filtering. • Configure content filtering. • Configure safelist aggregation. • Test the anti-spam filters.

Configuring Connection Filtering Perform the following steps to configure connection filtering:

1. On CAI-DC1, open the Exchange Management Console.

2. In the Exchange Management Console, expand Recipient Configuration, and then click Mailbox.

3. In the result pane, double-click Administrator. On the E-mail Addresses tab, click Add.

4. Create a new e-mail address called [email protected] for the Administrator account, and then click OK twice.

5. On the Start menu, point to Administrative Tools, and then click DNS.

6. Right-click Forward Lookup Zones, and then click New Zone.

7. On the Welcome to the New Zone Wizard page, click Next.

8. On the Zone Type page, ensure that Primary Zone is selected. Clear the Store the zone in Active Directory (available only if DNS server is a domain controller) check box, and then click Next.

9. On the Zone Name page, type rbl.msft and then click Next.

10. On the Zone File page, click Next.

11. On the Dynamic Update page, click Next.


12. On the Completing the New Zone Wizard page, click Finish.

13. Expand Forward Lookup Zones, and then click rbl.msft.

14. Right-click rbl.msft, and then click New Host(A).

15. In the New Host dialog box, type 11.0.10.10 as the Name and 127.0.0.1 as the IP address.

Note: In this example, you will be using CAI-SRV1 (IP address 10.10.0.11) as the spam SMTP server. When the Exchange server receives a connection attempt from this IP address, it will look up the IP address in DNS. The DNS server will return 127.0.0.1 as the IP address for this host. This may take a few minutes.

16. Click Add Host, click OK, and then click Done. Close the DNS management console.

17. On CAI-Edge1, open the Exchange Management Console.

18. In the Exchange Management Console, click Edge Transport.

19. On the Anti-spam tab, right-click IP Block List Providers, and then click Properties.

20. On the Providers tab, click Add.

21. In the Add IP Block Provider dialog box, in the Provider name box, type Blocklist Provider and in the Lookup domain field, type RBL.msft

22. Under Return status codes, select the Match specific mask and responses option, and then under Match to the following mask, type 127.0.0.1

23. Click OK to close the Add IP Block List Provider dialog box.

24. On the Exceptions tab, in the Do not block messages sent to the following e-mail addresses, regardless of provider feedback box, type [email protected] click Add, and then click OK.

25. On CAI-SRV1, open Microsoft Outlook Express.

26. Create a new message with a recipient address of [email protected] and a subject of Connection Filter Test message. Send the message.

27. Wait a few seconds, and then click Send/Recv. Confirm that you get a non-delivery report.

28. Create a new message with a recipient address of [email protected] and a subject of Connection Filter Test 2 message. Send the message.

29. Click Send/Recv, and then confirm that you do not get a non-delivery report.

30. On CAI-Edge1, in the Exchange Management Console, double-click IP Allow List.


31. On the Allowed Addresses tab, click Add. In the Add Allowed IP Address- CIDR dialog box, type 10.10.0.11 and then click OK twice.

32. On CAI-SRV1, send another message to [email protected]. Confirm that you do not receive a non-delivery report.

Configuring Sender ID and Sender Reputation Filters Perform the following steps to configure Sender ID and sender reputation filters:

1. On CAI-DC1, open the DNS management console.

2. Expand Forward Lookup Zones, and then click Contoso.com.

3. Right-click Contoso.com and then click Other New Records.

4. In the Resource Record Type dialog box, click Text (TXT), and then click Create Record.

5. In the New Resource Record dialog box, in the Text box, type v=spf1 ip4:10.10.0.40 –all and then click OK. This record configures the Sender ID filter to accept connections only from 10.10.0.40 for the Contoso.com domain.

6. In the Resource Record Type dialog box, click Done.

7. On CAI-Edge1, in Exchange Management Console, on the Anti-spam tab, right-click Sender ID, and then click Properties.

8. In the Sender ID Properties dialog box, on the Action tab, click Reject Message, and then click OK.

9. On the Anti-spam tab, double-click IP Allow List. On the Allowed Addresses tab, delete the 10.10.0.11 address. Click OK.

10. On the Anti-spam tab, double-click IP Block List Providers. On the Providers tab, delete Blocklist Provider. Click OK.

11. Open the Exchange Management Shell and type stop-service msexchangetransport and then press ENTER.

12. Type start-service msexchangetransport and then press ENTER. Wait for the service to start.

13. On CAI-SRV1, if necessary, open Outlook Express.

14. Create a new message with a recipient address of [email protected] and a subject of Sender ID Filter Test message. Send the message.

15. Click Send/Recv. Open the message from the postmaster and confirm that the message was not delivered. If the message from the postmaster does not appear, click Send/Recv again.


16. On CAI-DC1, in the DNS management console, modify the Text (TXT) to read v=spf1 ip4:10.10.0.11 –all, and then click OK.

17. On CAI-Edge1, if necessary, open the Exchange Management Shell.

18. In the Exchange Management Shell, type stop-service msexchangetransport and then press ENTER.

19. Type start-service msexchangetransport and then press ENTER. Wait for the service to start.

20. On CAI-SRV1, in Outlook Express, create a new message with a recipient address of [email protected] and a subject of Sender ID Filter Test 2 message. Send the message.

21. On CAI-DC1, open Internet Explorer and connect to https://CAI-DC1/owa.

22. Log on to Office Outlook Web Access as adatum\Beth using Pa$$w0rd as the password. At the Microsoft Office Outlook Web Access page, click OK, and then confirm that the second Sender ID test message arrived. Leave Internet Explorer open.

23. On CAI-Edge1, in the Exchange Management Console, on the Anti-spam tab, right-click Sender Reputation, and then click Properties.

24. On the Action tab, move the slider two stops to the left, and then click OK.

Configuring Content Filtering Perform the following steps to configure content filtering:

1. On CAI-Edge1, in the Exchange Management Shell, type Set-ContentFilterConfig –QuarantineMailbox [email protected] and then press ENTER.

2. On CAI-Edge1, in the Exchange Management Console, on the Anti-spam tab, right-click Content Filtering, and then click Properties.

3. On the Custom Words tab, in the Messages containing these words or phrases will not be blocked box, type Mortgage and then click Add.

4. In the Messages containing these words or phrases will be blocked, unless the message contains a word or phrase from the list above box, type Poker and then click Add.

5. On the Exceptions tab, in the Do not filter content in messages addressed to the following recipients box, type [email protected] and then click Add.

6. On the Action tab, select the Quarantine messages that have a SCL rating greater than or equal to check box, and then set the value to 5. Click OK.


7. On CAI-SRV1, in Outlook Express, send the following messages:

• Recipient: [email protected] Subject: Mortgage.

• Recipient: [email protected] Subject: Poker.

• Recipient: [email protected] Subject: Diploma.

• Recipient: [email protected] Subject: Poker.

8. On CAI-DC1, in Internet Explorer, logged on as Beth Gilchrist, confirm that Beth received the message with a subject of Mortgage.

9. Open a new instance of Internet Explorer, connect to https://CAI-DC1/owa. Log on as adatum\Quarantine using the password Pa$$w0rd. On the Microsoft Office Outlook Web Access page, click OK. Confirm that the message with the subject Diploma has been quarantined.

10. Open a new instance of Internet Explorer, connect to https://CAI-DC1/owa. Log on as adatum\Katie using Pa$$w0rd as the password. On the Microsoft Office Outlook Web Access page, click OK. Confirm that the message with the subject Poker was sent to the mailbox.

11. On CAI-Edge1, in the Exchange Management Shell, type Get-AgentLog and then press ENTER. Confirm that all messages that the transport agents accepted and blocked are in the agent log.

Configuring Safelist Aggregation Perform the following steps to configure safelist aggregation:

1. On CAI-DC1, in Outlook Web Access window where you are logged on as Katie Jordan, click the Options button.

2. In the navigation pane, click Junk E-Mail.

3. In the Junk E-Mail details pane, click the option next to Automatically filter junk e-mail.

4. Click Save and then in the navigation pane, click Mail.

5. Right-click the message from Carol, point to Junk E-mail, and then click Add Sender to Safe Senders List. Click OK twice.

6. On CAI-DC1, open the Exchange Management Shell.

7. In the Exchange Management Shell, at the prompt, type Get-Mailbox | Update-SafeList and then press ENTER.

8. At the prompt, type Start-EdgeSynchronization and then press ENTER.

9. On CAI-DC1, click Start, and then click Run. In the Open text box, type ADSIEdit.msc and then press ENTER.


10. Expand Domain [CAI-DC1.Adatum.com], expand DC=Adatum,DC=com, expand OU=Finance. Right-click CN=Katie Jordan, and then click Properties.

11. In the CN=Katie Jordan Properties dialog box, select the Show only attributes that have values check box. Under Attribute, locate msExchSafeSendersHash and ensure that the Value column displays a hexadecimal value. Click OK, and then close ADSI Edit.

12. On CAI-DC1, click Start, and then click Run. In the Open text box, type Notepad and then press ENTER.

13. In Notepad, type "C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -psconsolefile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "Get-Mailbox | Update-SafeList"

14. Save the file as C:\SafeList.bat. Be sure to change the Save as type list option to All Files.

15. On CAI-DC1, in the Exchange Management Shell, type AT 23:00 /every:M,T,W,Th,R,S,Su cmd /c "C:\SafeList.bat" and then press then ENTER. This command schedules the SafeList.bat file to run every day at 23:00 (11:00 P.M.).

To prepare for the lab 1. On the host computer, click Start, point to All Programs, point to Microsoft

Virtual Server, and then click Virtual Server Administration Website.

2. Under Navigation, click Master Status. For each virtual machine that is running, click the Virtual Machine Name. In the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.

3. Start the 5049A-CAI-DC1, 5049A-CAI-SRV1, and 5047A-CAI-Edge1 virtual machines.

Discussion Questions Answer the following questions after you complete the practice.

Q: Which of these anti-spam settings would you configure in your organization?

A: Answers will vary. Almost all organizations have implemented features, such as real-time block lists and some type of content filtering.

Q: Do different mailboxes in your organization need different anti-spam settings? How could you configure these settings?

A: Answers will vary. Options include configuring specific mailboxes, such as general information mailboxes that are exempt from all spam filtering, and blocking all Internet messages to specific mailboxes.


Lesson 3: Implementing Antivirus Features

A second critical component to protecting the messaging organization is to ensure that as many viruses as possible are blocked at the edge of the Internet and are not allowed into the organization. Exchange Server 2007 integrates with anti-virus products to provide this protection.


• Describe requirements in an antivirus solution. • Explain how Exchange Server 2007 integrates with antivirus software • Configure the attachment filtering settings on an Edge Transport server. • Explain what Microsoft® Forefront™ Security for Exchange Server is. • Explain the most important things to think about when implementing antivirus

features.


Discussion: Requirements for an Antivirus Solution

There are numerous antivirus solutions available for messaging administrators. As you choose your organization’s appropriate solution, there are several factors to consider.


Q: How can a virus get into your messaging environment?

A: Answers should include:

• E-mail, as attachments, encrypted attachments, or graphics. • Messenger-type applications. • Downloaded files from Web sites. • Removable media.


Q: What antivirus solution do you use? What features do you look for in an antivirus solution?

A: Answers for the first question will vary. Possible answers for the second question include:

• Effective automatic updating for both servers and clients. • Effective alert features for informing administrators of potential virus outbreaks. • Quarantine options with easy administrator access to the quarantined messages.

Q: How many times will an e-mail message be scanned for viruses when it enters your messaging environment?

A: Answers will vary. In many organizations, e-mail messages may be scanned up to three times: at the SMTP gateway server, at the Mailbox server, and at the client.


How Exchange Server 2007 Integrates with Antivirus Software

Exchange Server 2007 does not include built-in antivirus software. However, it does provide several options for integrating with existing antivirus software. As a messaging administrator, you should know about these options.

Exchange Server 2007 Antivirus Features Viruses often spread between organizations via e-mail. By stopping all messages that contain viruses at your messaging environment’s perimeter, you can better protect your organization. If infected messages get into the organization, it is important that the virus is detected as soon as possible. To achieve this goal, Exchange Server 2007 includes the following virus protection improvements:

• Continued support of the Virus Scanning API (VSAPI). In Exchange Server 2007, Microsoft has maintained support for the same VSAPI used in Exchange Server 2003. This VSAPI will be used by any antivirus software that runs on Mailbox servers.

• Use of transport agents to filter and scan messages. Exchange Server 2007 introduces the concept of transport agents, such as the attachment filtering agent, to reduce spam and viruses. By running attachment filtering on the Edge Transport or Hub Transport servers, you can reduce the spread of malware attachments before they enter the organization. Additionally, third-party vendors can create transport agents that perform virus scans. Because all messages must be passed through a Hub Transport server, this is an efficient and effective means to scan all messages in transit inside the organization.


• Use of antivirus stamping. Antivirus stamping reduces how often a message is scanned as it moves through an organization. After a message has been scanned once, the message is stamped with information that specifies the version of the antivirus software that performed the scan and the results of the scan. This antivirus stamp travels with the message as it is routed through the organization, and also is used to determine whether additional virus scanning must be performed on a message.

Important: Many viruses that enter the organization through e-mail have characteristics similar to spam messages. Implementing a comprehensive spam-filtering solution will significantly reduce the risk of a virus entering your organization.


Demonstration: How to Configure Attachment Filtering

When you implement an Edge Transport server, it blocks specific types of attachments by default. You can disable any attachment blocking on the Edge Transport server or modify which types of attachments are blocked.

Scenario In this scenario, your instructor will change the attachment blocking settings so that the messages containing invalid attachments are blocked. The default action is to strip the attachment. Depending upon your requirements, you might choose to block or strip messages that contain invalid extensions to protect your organization from attachments containing viruses.

Your instructor will also add the .ppt file extension to the blocked attachment list. By adding this extension, all .ppt file attachments are blocked by the Edge Transport server.


Discussion Questions After completing the practice, answer the following questions:

Q: Under what circumstances would you modify the default attachment filtering settings?

A: You would modify the default attachment filtering settings in these circumstances:

• Disable the attachment filtering agent to not block any attachments at the Edge Transport server. The default settings are similar to the default settings in Outlook 2007 or Outlook 2003, and you may choose to block them at the client level.

• Modify the default list of files that will be blocked.

Q: What are the benefits of using attachment filtering?

A: Attachment filtering is an easy way to block potentially dangerous attachments at the Internet edge, before they can reach the network. At a minimum, you may want to block all attachments that contain executable content at the Internet edge. By blocking by attachment types, you can also rapidly respond to a virus outbreak that uses attachments with a specific extension.


What Is Forefront Security for Exchange Server?

One of the options for implementing an antivirus solution is to deploy Microsoft Forefront Security for Exchange Server. Forefront Security for Exchange Server is an antivirus solution from Microsoft that integrates with Exchange Server 2007. Forefront Security for Exchange Server takes advantage of many of the new antivirus features available in Exchange Server 2007.

Forefront Security for Exchange Server Features Forefront Security for Exchange Server features include:

• Multiple antivirus scan engines. Messaging administrators face a critical issue with regards to how fast they can obtain updates to antivirus files to address a new virus when it hits. By using multiple engines, you can increase the chances that one of the engines updates in time to stop the new virus.

• Different agents for Edge Transport servers, Hub Transport servers, and Mailbox servers. On Edge Transport servers and Hub Transport servers, Forefront Security for Exchange Server uses an Exchange Server 2007 Transport agent to scan messages in transit. On Mailbox servers, it uses a new Forefront VSAPI.dll to scan the mailbox and public folder databases.


• Antivirus stamping. By default, e-mail scanned on an Edge Transport or Hub Transport servers are not get scanned again when routed or deposited into mailboxes. In addition, messages that have been scanned are not scanned again when a user accesses the message. You can still schedule regular full scans of all mailbox and public folder databases.

• Forefront Server Security Management Console. Centralizes management of remote installation, engine and signature updating, reporting, and alerts.

Forefront Security for Exchange Server System Requirements The following are the minimum server requirements for Forefront Security for Exchange Server:

• x64 architecture-based computer with one of the following: • Intel Xeon or Intel Pentium family processor that supports Intel Extended

Memory 64 Technology (Intel EM64T)

• AMD Opteron or AMD Athalon 64 processor that supports the AMD64 platform

• Microsoft Windows Server 2003 • Microsoft Exchange Server 2007 • 512 megabytes (MB) of available memory, with 1 gigabyte (GB) recommended • 300 MB of available disk space • Intel processor (1 gigahertz) or higher


Considerations for Implementing Antivirus Features

Viruses pose a significant danger to your organization. Preparing an antivirus strategy is an essential way to protect your messaging system against viruses. An effective antivirus strategy includes user education, limited use of administrator accounts, defense-in-depth deployment, and regularly updating antivirus software.

User Education Users often are the weakest link in any security solution. This may be particularly true when implementing an antivirus solution, as most viruses require some user action to be activated. As part of your user-education plan, you should:

• Instruct users not to open e-mail messages from unknown sources. Conduct training sessions for your users to help them identify messages that should not be opened and to introduce better practices for exchanging e-mail messages.

• Instruct users not to provide their company e-mail address to any Web site or public newsgroup. Certain Web sites are set up for harvesting e-mail addresses to build spam lists.

• Develop an effective means for warning users about new viruses and ensure that users know the proper procedures to follow should a new virus occur. Additionally, help users understand proper notification procedures to ensure that a hoax message does not fool them.


Avoid Logging on Using Administrator Accounts Most viruses do less damage when launched by users with limited permissions than when launched by administrators. Ensure that all users are not logging on to their computers with accounts that have administrator access. Administrators can use Remote Desktop or the Run As feature in Windows Server 2003 to perform administrative tasks.

Note: The Windows Vista™ operating system introduces a new feature called User Account Control that enables all users to be logged on as nonadministrators and prompts for an elevation in permissions when a process is started that requires administrator privileges.

Use a Defense-In-Depth Antivirus Software Implementation Your antivirus strategy should also include plans for installing antivirus software on client computers, servers, and SMTP gateways, such as the Edge Transport server. Viruses can be introduced into the network by several different means. By deploying a defense-in-depth solution, you increase the chances of stopping the virus before it enters the network and spreads.

Monitor Antivirus Software to Ensure That It is Current Because new computer viruses (or new strains of old viruses) are constantly created, one of the most important tasks when implementing an antivirus strategy is to ensure that your antivirus software is up to date. You should also provide automatic updates for every device you need to protect, including client computers, Exchange servers, and gateway servers.


Lab: Maintaining Antivirus and Anti-Spam Systems

After completing this lab, you will be able to:

• Review the results of the current spam filtering configuration. • Determine what changes should be made to the spam-filter configuration rules to

ensure that the spam filter settings meet the company’s messaging requirements. • Modify spam filter settings to meet the company’s messaging requirements.

Estimated time to complete this lab: 40 minutes

Lab Setup For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

• Start the 5049A-CAI-DC1, 5049A-CAI-Edge1, and 5049A-CAI-SRV1 virtual machines, and then log on, using the following credentials: • User name: Administrator

• Password: Pa$$w0rd

• Domain: ADATUM

• Complete the following steps to implement an Edge Subscription between the Hub Transport server and the Edge Transport server. a. On CAI-Edge1, click Start, point to All Programs, Microsoft Exchange

Server 2007, and then click Exchange Management Shell.


b. At the prompt type the following and then press ENTER: D:\Mod01\Labfiles\EdgeScript.ps1 Press ENTER at the confirmation.

c. At the prompt type the following and then press ENTER: D:\Mod01\Labfiles\CopyEdgeScript.cmd

d. On CAI-DC1, click Start, point to All Programs, Microsoft Exchange Server 2007, and then click Exchange Management Shell.

e. At the prompt type the following and then press ENTER: C:\ImportEdgeSub.ps1

f. At the prompt type the following and then press ENTER: Start-EdgeSynchronization

g. Close the Exchange Management Shell.

• On CAI-Edge1, in the Exchange Management Shell, type d:\Mod01\Labfiles\Lab1_Prep1.ps1 and press ENTER. This command configures several spam filtering options on CAI-Edge1.

• On CAI-SRV1, open a command prompt. At the command prompt, type d:\Mod01\Labfiles\Lab1_Prep2.bat and press ENTER.

• Close the command prompt.

This script sends 11 e-mail messages listed in the following table from CAI-SRV1 to users in the A. Datum organization.

Recipient Sender Comments

[email protected] [email protected] Includes an attachment with a .doc extension.

[email protected] [email protected] Includes an attachment with a .zip extension.



[email protected] [email protected] Contains spam-like text.

[email protected] [email protected] Contains the term Poker in the subject and body.

[email protected] [email protected] Contains the term Degree.

[email protected] [email protected] Contains the terms Degree and Temperature.

[email protected] [email protected] Contains no filtered terms.

[email protected] [email protected] Contains the term Poker.

[email protected] [email protected] Includes an attachment with a .exe extension.


Lab Scenario You are a messaging administrator at A. Datum Corporation, a medical supply company based in Cairo, Egypt. The organization has had anti-spam filtering rules in place for two weeks, and you have received several complaints from users that some messages sent from outside the organization are not being delivered to their mailboxes. You need to review which messages anti-spam filters are blocking to ensure appropriate blockage.

After reviewing the messages that are being blocked, you will work with the messaging engineer to determine the appropriate changes to make to the spam and antivirus settings. You will then make the appropriate changes to the anti-spam filters and test the new settings to ensure that they are blocking only messages that should be stopped.

During the requirements gathering phase for the Exchange Server 2007 deployment, the project team identified the following spam filtering requirements:

• Any message with an attachment on the blocked attachment list should have the attachment stripped at the Edge Transport server, but the message should be forwarded to the user mailbox.

• Messages with a .zip attachment should be accepted. • All messages from the Tailspintoys.com domain should be rejected. The

tailspintoys.com domain has been identified as a source of many spam messages. Messages from all other domains on the Internet should be accepted.

• All messages containing the words Poker or Degree should be rejected. However, messages containing the terms Degree and Temperature should be accepted because A. Datum Corporation sells medical thermometers.

• All messages sent to [email protected] should be accepted without any content filtering.

• All messages with an SCL of more than six should be sent to the quarantine mailbox ([email protected]).

To complete this lab, you will need to:

• Review the contents of mailboxes on CAI-DC1 to determine if messages are being delivered correctly.

• Review the log files on CAI-Edge1 to determine if messages that should be allowed into the organization are being blocked at the Edge Transport server.

• Determine which messages are being blocked that should not be, or which messages are being accepted that should be blocked.

• Modify the anti-spam settings to reduce the number of incorrectly blocked messages. • Test the new anti-spam settings.


Exercise 1: Reviewing the Current Spam Filtering Results In this exercise, you will review the current spam filtering results.

Note: Use the table provided in Exercise 2 to document the spam filtering results. The Get-AgentLog cmdlet provides full details for each message that is recorded in the table.

Tasks Supporting information

1. On CAI-DC1, examine the messages that have been quarantined in the Quarantine mailbox.

• On CAI-DC1, open Internet Explorer and access the following URL: https://CAI-DC1/owa.

• Log on to Outlook Web Access as Adatum\Quarantine with the password of Pa$$w0rd.

• Document any messages in the mailbox.

2. On CAI-DC1, examine the messages that have been sent to the Info mailbox.


• Use Outlook Web Access to access the Adatum\Info mailbox with the password of Pa$$w0rd. Document any messages in the mailbox.

3. On CAI-DC1, examine the messages that have been sent to Beth Gilchrist’s mailbox.


• Use Outlook Web Access to access the Adatum\Beth mailbox with the password of Pa$$w0rd. Document any messages in the mailbox.

4. On CAI-Edge1, examine the messages that have been blocked by the transport agents on the Edge Transport server.

• On CAI-Edge1, view the transport agent log files. Use the Get-AgentLog cmdlet from the Exchange Management Shell.

Note: The answers to the labs are on the Student Materials CD.


Exercise 2: Discussion: Modifying the Spam Filtering Settings In this exercise, you will review the results of the current spam filters and determine which filter settings to modify.

Discussion Questions: Use your answers in the following table to answer these discussion questions:

Q: Which messages did the spam filters handle appropriately?

A: Answer in the following table.

Q: Which messages were not handled appropriately? What was wrong with how these messages were handled?

A: Answer in the following table.

Q: What steps will you must you take to correct the spam filtering configuration?

A: The following are the steps needed to correct the spam filtering configuration:

• Ensure that the attachment-filtering configuration is set so that attachments are stripped but the message is forwarded to the user mailbox. Zip attachments must be allowed through the filter.

• Change the sender filter so that only the Tailspintoys.com domain is blocked from sending messages.

• Change the content filter to include the term Poker on the blocked term list. • Change the recipient filter to remove [email protected]. Change the content filter to

bypass all content filtering for [email protected].


Use the following table to record the current spam filter results.

Message Message results Expected results

1 Delivered to Beth Gilchrist’s mailbox

2 Delivered to Beth Gilchrist’s mailbox with the zip attachment

3 Sender denied


5 Quarantine mailbox

6 Deleted by content filter

7 Deleted by content filter


9 Delivered to Info mailbox

10 Delivered to Info mailbox

11 Beth Gilchrist should get an e-mail message with the attachment stripped



Exercise 3: Modifying the Spam Filtering Settings In this exercise, you will use the results of the previous discussion to modify the spam filtering settings to meet company requirements.

Use the following table to record the modification tasks you performed.

Spam filter settings Spam filtering modifications

Attachment

Sender

Content

Recipient


To prepare for the next module 1. On the host computer, click Start, point to All Programs, point to Microsoft


2. Under Navigation, click Master Status. For each virtual machine that is running, click the Virtual Machine Name, and, in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.

3. Start the 5049A-CAI-DC1, the 5049A-CAI-Edge1 and 5049A-CAI-SRV1 virtual machines.

Module 2: Configuring Edge Transport Servers


Lesson 1: Deploying Edge Transport Servers 2-2 Lesson 2: Configuring Internet Message

Delivery 2-24 Lesson 3: Configuring Security for Internet

E-Mail 2-34 Lab: Configuring Edge Transport Servers 2-52







Version 1.1

Module 2: Configuring Edge Transport Servers 2-1

Overview

The Edge Transport server role in Microsoft® Exchange Server 2007 provides the spam filtering functionality required to keep unwanted e-mail out of your organization. The Edge Transport server role also provides additional options for managing Internet e-mail delivery and for providing Internet e-mail security. This module is important because it describes how to deploy and configure Edge Transport servers.


• Deploy Edge Transport servers. • Configure Internet message delivery. • Configure security for Internet e-mail.

2-2 Module 2: Configuring Edge Transport Servers

Lesson 1: Deploying Edge Transport Servers

The Edge Transport server role is designed to be an SMTP gateway server that is located at the edge of an organizations network. All e-mail sent to the organization from the Internet, and all e-mail sent from the organization to the Internet, is routed through the Edge Transport server. This means that it is critical that the Edge Transport server be deployed as securely as possible. This module details on how to deploy the Edge Transport server role.


• Describe the infrastructure requirements for the Edge Transport server role. • Explain the process for implementing the Edge Transport server role. • Describe what ADAM is. • Describe what EdgeSync is. • Implement EdgeSync. • Describe what edge cloning is.


Infrastructure Requirements for the Edge Transport Server Role

The Edge Transport server role is different from any other Exchange Server 2007 server role, because it must installed on servers running the Microsoft Windows Server® 2003 operating system that are not members of an Active Directory® directory service domain. Because the Edge Transport server role is directly exposed to the Internet, this provides an extra level of security by not exposing internal domain information directly to the Internet.

Edge Transport Server Implementation Requirements When deploying Edge Transport servers, consider the following infrastructure requirements:

• The Edge Transport server role should be installed on stand-alone computers. The role can be installed on computers that are members of an Active Directory domain, but this configuration is not recommended.

• The computer running the Edge Transport server role must be configured with a fully qualified Domain Name System (DNS) name.

• Edge Transport servers should be deployed in a perimeter network. This configuration provides the highest level of security.

• Configure the internal and external firewalls to enable communication with the Hub Transport server. The firewall configuration required for Edge Transport servers is greatly simplified because the server is not a domain member. The following table describes the firewall configuration requirements.


Firewall Firewall rule Explanation

External Allow port 25 from all external IP addresses to the Edge Transport server.

Required for Simple Mail Transfer Protocol (SMTP) hosts on the Internet to send e-mail.

External Allow port 25 to all external IP addresses from the Edge Transport server.

Required for the Edge Transport server to send e-mail to SMTP hosts on the Internet.

External Allow port 53 to all external IP addresses from the Edge Transport server.

Required for the Edge Transport server to resolve DNS names on the Internet.

Internal Allow port 25 from the Edge Transport server to specified Hub Transport servers.

Required for the Edge Transport server to send inbound SMTP e-mail to Hub Transport servers.

Internal Allow port 25 from specified Hub Transport servers to the Edge Transport server.

Required for the Hub Transport servers to send e-mail to the Edge Transport server.

Internal Allow port 50636 Secure Lightweight Directory Access Protocol (LDAPS) from specified Hub Transport servers to the Edge Transport server.

Required for the Hub Transport server to replicate information to the Edge Transport servers using EdgeSync. This port is not the default LDAPS port, but it is used specifically for the EdgeSync process.

Internal Allow port 3389 for Remote Desktop Protocol (RDP) from the internal network to the Edge Transport server.

Required if you want to use Remote Desktop to remotely administer of the Edge Transport server.

Note: EdgeSync is a process for synchronizing some configuration and recipient information from the internal Active Directory forest to the Edge Transport server. EdgeSync will be detailed later in this lesson.

• If the Edge Transport server is directly routing e-mail to the Internet, the server must be configured with the IP addresses for DNS servers that can resolve DNS names on the Internet.

• The DNS zone information for your zone must include a mail exchanger (MX) resource record pointing to an IP address on the Edge Transport server that is accessible from the Internet. This is required to receive Internet e-mail.


Process for Implementing the Edge Transport Server Role

The actual installation of the Edge Transport server role is similar to the installation of any other Exchange Server 2007 server role. However, because of the unique Edge Transport server role features, you should know that there are some important additional steps to take to complete the deployment.

Implementing Edge Transport Servers A default installation of the Edge Transport server role includes the necessary tools and features necessary for this Exchange Server 2007 role. However, the default installation does not allow any message flow through the server. To complete the Edge Transport servers implementation, complete the following tasks:

• Secure the Edge Transport server. In most companies, Edge Transport servers are installed in a perimeter network. Servers installed in perimeter networks are more vulnerable to Internet attacks and should be secured at multiple levels. To secure the Edge Transport server, you need to ensure that the external firewall is configured to block all network traffic from reaching the Edge Transport server, with the exception of traffic through port 25. On the Edge Transport server, you should run the Security Configuration Wizard (SCW) to shut down services and block all ports that are not required.


Tip: The Exchange Server 2007 installation DVD includes an SCW configuration file named Exchange2007Edge.xml that is specific to Exchange Server 2007 Edge Transport servers. When you install Exchange Server 2007, this file is copied to the C:\Program Files\Microsoft\Exchange Server\Scripts folder. Before you can use this file in the SCW, you must register the file using the scwcmd register command.

• Create and configure SMTP connectors. By default, one Receive connector is created during the Edge Transport server role installation. This Receive connector is configured to accept SMTP communications from all IP address ranges and is bound to all IP addresses of the local server. It is configured to have the Internet usage type. Therefore, the connector accepts anonymous connections. To ensure that the Edge Transport servers can relay messages to and from the Internet, or to a secured partner organization, you must modify the configuration for both Send and Receive connectors.

Note: If you configure an Edge Subscription between a Hub Transport and an Edge Transport server, the SMTP connectors required for Internet e-mail delivery are configured automatically.

• Configure accepted domains. Add all SMTP domains that an Exchange Server organization hosts to the accepted domains list on the Edge Transport server. The Edge Transport server will reject all messages for recipients in domains that the list does not include.

Note: To add a domain to the Edge Transport server’s accepted domains list, use the Exchange Management Shell command New-AcceptedDomain domain_name or use the Exchange Management Console. If an Edge Subscription is configured, configure the accepted domains on a Hub Transport server and the EdgeSync process will synchronize domains automatically to the Edge Transport server.

• Create transport rules. Transport rules apply the messaging policies. You can use the Edge Transport Rules wizard to create transport rules that process messages as they enter the messaging environment. The Transport Rules agent on the Edge Transport server applies the rules.

• Configure administrative permissions. The Edge Transport server role is deployed on a stand-alone server, so you must administer the Edge Transport server by using local user accounts. When the Exchange Server 2007 Edge Transport server role is installed, no Exchange-specific groups are created. The local Administrators group is granted full control of the Edge Transport server, including the instance of ADAM on the Edge Transport server.


In most cases, you will perform remote administration of Edge Transport servers by using Remote Desktop. The local Administrators group is automatically granted remote logon permissions. If you want to assign administrative permissions to other accounts on the Edge Transport server, create a user account on the local computer, and then add the user account to the local Administrators group to ensure the correct access level is granted.


What Is ADAM?

The Edge Transport server cannot use Active Directory to store its configuration information because it is installed on a server that is not a member of an Active Directory domain. Instead, Edge Transport servers use ADAM.

What Is ADAM? ADAM is:

• A special mode of the Active Directory directory service designed to store information for directory-enabled applications.

• An LDAP-compatible directory service that runs on servers running Windows Server 2003.

• Designed to be a stand-alone directory service.

ADAM does not require the deployment of DNS, domains, or domain controllers. Instead, ADAM stores and replicates only application-related information.


How ADAM Works with Exchange Server 2007 Edge Transport Servers ADAM is used to store configuration and recipient data for the Exchange Server 2007 Edge Transport server role. ADAM is installed and configured automatically when you install the Edge Transport server role. It stores the following types of information:

Types of Information Description

Schema Similar to Active Directory, ADAM requires schema information that defines the types of objects and attributes that can be created. The version of ADAM installed on an Edge Transport server contains a schema that defines the Exchange Server-related information.

Configuration The configuration partition is similar to the configuration partition in Active Directory and provides a container to hold the Microsoft Exchange Services configuration information.

Recipient information Recipient information can be synchronized from Active Directory to ADAM. Recipient data that is synchronized from the Exchange Server organization is stored in the MSExchangeGateway organizational unit. Edge Transport servers use the recipient information when processing rules, such as recipient-filtering rules and transport rules.

Managing ADAM The ADAM database is stored in the Program Files\Microsoft\Exchange Server\ TransportRoles\data\Adam directory. The primary database is adamntds.dit, which is similar to the databases that Exchange Server uses for mailbox stores and mail queue databases.

In general, the ADAM instance running on an Edge Transport server requires little administration. Most changes to the ADAM directory information will be made by using the Exchange Server 2007 management tools.


What Is EdgeSync?

An advantage of using ADAM as the Edge Transport servers’ directory service is that internal Active Directory information is not stored on any computers in the perimeter network. However, in some cases, you may want to replicate some information to the Edge Transport servers. For example, by replicating recipient information to the Edge Transport server, you can configure recipient filtering rules on the Edge Transport server. Exchange Server 2007 uses EdgeSync to replicate some information from Active Directory to ADAM on the Edge Transport server.

What Is EdgeSync? EdgeSync is a process that replicates information from Active Directory to ADAM on Edge Transport servers.

You can deploy Edge Transport servers without using EdgeSync, but using EdgeSync can decrease the effort needed to administer the Edge Transport servers. Much of the configuration information required for the Edge Transport server is available in Active Directory. For example, if you configure accepted domains on the Hub Transport servers, these accepted domains can be replicated automatically to the Edge Transport servers.

Note: You must configure an accepted domain for all domains for which the Edge Transport server accepts inbound e-mail. For example, if you have a subsidiary with a different SMTP domain address in your internal organization, you must add the domain name to the accepted domains list.


To enable any filtering or transport rules that are based on recipients, you must implement EdgeSync to replicate the recipient information to ADAM.

What Information Is Replicated by EdgeSync? After the Edge Transport and Hub Transport servers are provisioned, the EdgeSync process establishes connections to the Edge Transport server and synchronizes configuration and recipient information between Active Directory and ADAM. After the initial replication, subsequent replication occurs at various intervals depending on the data type. By default, recipient information synchronizes every four hours, and configuration information synchronizes every hour.

Important: The internal Hub Transport servers, and not the Edge Transport servers, always initiate EdgeSync replication. EdgeSync replication traffic always is encrypted using LDAPS.

During synchronization, EdgeSync replicates the following data from Active Directory to ADAM:

• Accepted domains. • Recipients (Hashed). The recipient information is hashed using a one-way hash so

that an attacker cannot retrieve recipient information from the Edge Transport server. • Safe senders (Hashed). • Send connectors. • Hub Transport server list (for dynamic connector generation).

Note: You can force an immediate synchronization by running the Start-EdgeSynchronization cmdlet or restarting the Microsoft Exchange EdgeSync service on the Hub Transport server. You may force synchronization if you have just updated a setting on the Hub Transport server, such as creating a new SMTP Send connector, and you need to use that connector immediately.

Ports Used by EdgeSync The Edge Transport server is configured to use default port number 50389 for LDAP and default port number 50636 for LDAPS. The LDAP port is used only by administration tools to connect to the Edge Transport server instance of ADAM. All communication from the Hub Transport server to the Edge Transport server uses LDAPS.


Demonstration: How to Implement EdgeSync

By enabling EdgeSync, you can simplify the process for managing Edge Transport servers. After implementing EdgeSync, you also can configure additional rules for spam filtering, such as recipient filtering and safelist aggregation.

Key Points This demonstration’s key points are:

• The Edge Subscription must first be configured on the Edge Transport server, and then on the Hub Transport server.

• EdgeSync is always a one-way replication from Active Directory to ADAM.


Implementing EdgeSync To implement EdgeSync, you must configure both the Edge Transport and Hub Transport servers. The following steps show the EdgeSync implementation process:

1. To provision the Edge Transport server for EdgeSync, execute the New-EdgeSubscription cmdlet from the Exchange Management Shell. This cmdlet prompts for a file name, and then generates an Edge Subscription file. The command generates a public-private key pair used to encrypt data sent between the two servers and creates ADAM credentials for use during the initial replication. The ADAM credentials and key pair are placed in a file that you can then transfer to a Hub Transport server to complete the second phase of the subscription setup.

2. On the Hub Transport server, import the Edge Subscription file to the Hub Transport server by running the New-EdgeSubscription cmdlet from the Exchange Management Shell and providing the command with the path to the file. To register an Edge Transport server successfully, at least one Hub Transport server must be present on an Active Directory site. Any new Hub Transport servers that are added to the Active Directory site also subscribe to the EdgeSync subscription and participate in replication. Hub Transport servers used for the replication of information are known as EdgeConnectedBridgeheads (ECBHs).

You also can configure the EdgeSync subscription by using the Exchange Management Console on the Hub Transport server.

Important: To conduct a successful synchronization, the Hub Transport server must be able to resolve the fully qualified domain name (FQDN) for the Edge Transport server in DNS.


Discussion Questions Answer the following questions after viewing the instructor demonstration.

Q: What are the benefits of using EdgeSync?

A: When you enable EdgeSync, some configuration options on the Edge Transport server are configured based on the internal Exchange server configuration. For example, accepted domains are configured, as are the SMTP connectors required to send Internet e-mail. Recipient information is replicated to the Edge Transport server for use in anti-spam rules.

Q: Does using EdgeSync pose any security concerns?

A: Using EdgeSync poses two possible security concerns:

• EdgeSync replicates internal configuration and recipient information to a server in the perimeter network, where hackers are more likely to attack it.

• The information is sent to a perimeter network that is potentially less secure than the internal network.

These security concerns are addressed by:

• Hashing all recipient information with a one-way hash. • Using Secure Sockets Layer (SSL) to encrypt all network traffic related to EdgeSync. • Tricking The Edge Transport server will never initiate replication, so the server

cannot be tricked into replicating information outside the organization.

Note: You can see a detailed list of the demonstration steps for this module on the Student Material CD. Refer to the demonstration steps after the class or during the lab if needed.


What Is Edge Cloning?

Edge cloning involves configuring multiple Edge Transport servers with identical configurations. Edge cloning can be used to backup the configuration on one Edge Transport server, and then replicate it to another Edge Transport server for redundancy or disaster recovery.

The Exchange Server transport services running on Edge Transport servers do not support Microsoft Windows® Clustering. Therefore, to achieve high availability for messaging transport, you should ensure that multiple Edge Transport servers are available at all times. You can use edge cloning to ensure that all Edge Transport servers have the same configuration.

Note: Although ADAM supports directory replication, there is no option in Exchange Server 2007 to use directory replication to configure multiple Edge Transport servers. You must use edge cloning if you want to automate this process, and you must repeat the edge-cloning steps every time you make a configuration change on one of the servers.


Configuring Edge Cloning To configure edge cloning, you will use the ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 scripts to export configuration information from an Edge Transport server, and then import the information to another Edge Transport server. You also can use the scripts to test configuration changes and offer rollback assistance, or to assist in disaster recovery when you deploy a new Edge Transport server or replace a failed server.

Edge cloning includes the following steps:

1. During the export configuration phase, export the configuration information from an existing Edge Transport server into an XML file. Use the ExportEdgeConfig script to export the information.

2. Validate the configuration on the target server. In this step, you run the ImportEdgeConfig script without importing the settings, and then configure the script with the answer files’s name. This script checks the existing information in the intermediate XML file to see whether the settings that were exported are valid for the target server, and then creates the answer file. The answer file specifies the server-specific information that is used during the next step when you import the configuration on the target server. The answer file contains entries for each source server setting that is not valid for the target server. You can modify these settings so that they are valid for the target server. If all settings are valid, the answer file contains no entries.

3. During the import configuration phase, import the configuration data from the answer file into a new Edge Transport server. Use the ImportEdgeConfig script to import the file information.

Note: The ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 files are Windows PowerShell scripts, not individual commands. The scripts are located in the C:\Program Files\Microsoft\Exchange Server\Scripts folder on all servers running the Exchange Server 2007 Edge Transport server role.


Practice: Implementing the Edge Transport Server Role

The goal of this practice is to configure Edge Transport servers. You will begin by reviewing the default Edge Transport server implementation and using the Security Configuration Wizard to secure the computer running the Edge Transport server role. You will configure EdgeSync and confirm that replication is occurring between the Hub Transport and Edge Transport servers. You then will confirm that you can send e-mail to and from an external organization.

Objectives In this practice, you will:

• Review the default Edge Transport server configuration. • Run the Security Configuration Wizard to secure the Edge Transport server. • Configure EdgeSync. • Test sending and receiving Internet e-mail.


Instructions Ensure that the 5049A-CAI-DC1, 5049A-CAI-EDGE1, and 5049A-CAI-SRV1 virtual machines are running.

On the CAI-DC1 virtual machine, log on using the following:

• User name: Administrator • Password: Pa$$w0rd • Domain: ADATUM

On the CAI-EDGE1 virtual machine, log on using the following:

• User name: Administrator • Password: Pa$$w0rd

On the CAI-SRV1 virtual machine, log on using the following:

• User name: Administrator • Password: Pa$$w0rd

Review the default Edge Transport server configuration 1. On CAI-EDGE1, on the Start menu, point to All Programs, point to Microsoft

Exchange Server 2007, and then click Exchange Management Console.

2. Click Edge Transport. In the result pane, right-click CAI-EDGE1, and then click Properties.

3. Review the configuration on both the External DNS Lookups and Internal DNS Lookups tabs.

4. On the Limits tab, review the default settings, and then click OK.

5. In the work pane, on the Receive Connectors tab, right-click Default internal receive connector CAI-EDGE1, and then click Properties.

6. On the Network tab, review the configuration options.

7. On the Authentication tab, review the configuration options, and then click OK.

8. Close the Exchange Management Console.

9. On the Start menu, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.

10. In the console tree, right-click ADAM ADSI Edit, and then click Connect to.

11. In the Connection Settings dialog box, in the Connection name box, type Configuration

12. In the Port field, change the Port number to 50389, and then click OK.


13. Expand Configuration [localhost:50389], expand CN=Configuration, CN={GUID}, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=First Organization. This container holds the Edge Transport server configuration information.

14. In the console tree, right-click ADAM ADSI Edit, and then click Connect to.

15. In the Connection Settings dialog box, in the Connection name field, type Recipients

16. In the Port field, change the port number to 50389.

17. Click Distinguished name (DN) or naming context, type OU=MSExchangeGateway and then click OK

18. Expand Recipients [localhost:50389], and then expand OU=MSExchangeGateway. Confirm that no Recipients container exists. This container is created and populated when you enable EdgeSync.

19. Minimize ADAM-adsiedit.

Run the Security Configuration Wizard 1. On CAI-EDGE1, click Start, point to Control Panel, and click Add or Remove

Programs.

2. Click Add/Remove Windows Components.

3. On the Windows Components page, in the Components list, select the Security Configuration Wizard check box, and then click Next.

4. Click Finish to complete the installation. Close Add or Remove Programs.

5. Open Windows Explorer, and then browse to C:\Program Files\Microsoft\ Exchange Server\Scripts. Copy the file named Exchange2007Edge.xml to the C:\Windows\security\msscw\kbs directory. Close Windows Explorer.

6. Open a Command Prompt window, and then type the following command to use the Security Configuration Wizard command-line tool to register the Exchange Server 2007 Edge Transport server role extension with the local security configuration database: scwcmd register /kbname:Ex2007EdgeKB /kbfile:c:\Windows\security\msscw\kbs\Exchange2007Edge.xml Press ENTER.

7. Close the Command Prompt window.

8. Click Start, point to Administrative Tools, and then click Security Configuration Wizard.

9. On the Welcome to the Security Configuration Wizard page, click Next.


10. On the Configuration Action page, ensure that Create a new security policy is selected, and then click Next.

11. On the Select Server page, click Next.

12. On the Processing Security Configuration Database page, click View Configuration Database.

13. Expand the Exchange 2007 Edge Transport node and verify that it has been installed and enabled. Review the required services and ports for this role. Close the SCW Viewer window, and then click Next.

14. On the Role-Based Service Configuration page, click Next.

15. On the Select Server Roles page, confirm that the Exchange 2007 Edge Transport server role is selected. Accept the other defaults, and then click Next.

16. On the Select Client Features page, click Next.

17. On the Select Administration and Other Options page, click Next.

18. On the Select Additional Services page, review the additional services that the wizard detected on the server, and then click Next.

19. On the Handling Unspecified Services page, ensure that Do not change the startup mode of the service is selected, and then click Next.

20. On the Confirm Service Changes page, review the service configurations that will be changed. Click Next.

21. On the Network Security page, click Next.

22. On the Open Ports and Approve Applications page, review the ports that will be opened. Take note of the approved application entries that specific Exchange related processes and services will use. Approved applications are used as an alternative to opening individual ports, so that the process or service can open whatever port it requires on a dynamic basis.

23. On the Open Ports and Approve Applications page, click Next.

24. On the Confirm Port Configuration page, click Next.

25. On the Registry Settings page, select the Skip this section check box, and then click Next.

26. On the Audit Policy page, select the Skip this section check box, and then click Next.

27. On the Save Security Policy page, click Next.

28. On the Security Policy File Name page, type C:\windows\security\msscw\ policies\CAI-EDGE1.xml as the policy file name. Click Next.

29. In the Security Configuration Warning dialog box, click OK.


30. On the Apply Security Policy page, click Apply now, and then click Next.

31. After the policy is applied, click Next.

32. Click Finish to complete the Security Configuration Wizard.

33. Click Start, point to Control Panel, and then click Windows Firewall.

34. Confirm that the firewall is enabled. On the Exceptions tab, confirm that the Exchange-related processes are listed. Click OK.

35. Restart the CAI-EDGE1 server. After the server restarts, log on as Administrator with the password of Pa$$w0rd.

Configure EdgeSync 1. On CAI-DC1, open the DNS management console from the Administrative Tools.

2. Expand Forward Lookup Zones, and then click on Adatum.com.

3. Confirm that an entry exists for CAI-EDGE1 that resolves to 10.10.0.15. The administrator typically has to configure this entry manually. However, for this practice scenario, it has been preconfigured.

4. Close the DNS management console.

5. On CAI-EDGE1, open the Exchange Management Shell, and at the prompt type New-EdgeSubscription and then press ENTER.

6. At the FileName prompt, type C:\Edge1subscription.xml and then press ENTER.

7. Read the information displayed in the Exchange Management Shell, and then press ENTER.


9. Open Windows Explorer, and then browse to drive C. Right-click Edge1subscription.xml, and then click Copy.

10. On the Start menu, click Run. In the Open text box, type \\CAI-DC1\c$ and then press ENTER.

11. Right-click the \\CAI-DC1\c$ folder, and then click Paste. Close both instances of Windows Explorer.

12. On CAI-DC1, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.

13. Click New Edge Subscription to start the New Edge Subscription wizard.

14. On the New Edge Subscription page, click Browse.

15. In the Select the Subscription File dialog box, browse to drive C. Click Edge1subscription.xml, and then click Open.


16. On the New Edge Subscription page, click New, and then click Finish.

17. Close the Exchange Management Console.

18. On CAI-EDGE1, restart ADAM-adsiedit. Ensure that a CN=Recipients container has been created under OU=MSExchangeGateway.

Note: It may take a minute for the container to appear. If the container does not appear in that time, open the Exchange Management Shell on CAI-DC1, type Start-EdgeSynchronization and then press ENTER.

19. Click CN=Recipients, and then confirm that the users and groups from the Adatum.com domain are listed. The user and group names are not displayed as a security precaution. Instead, a hashed value of the name is displayed.

20. Close ADAM-adsiedit.

Test Internet Mail Flow 1. On CAI-DC1, open Microsoft Internet Explorer®, and then connect to

https://CAI-DC1/owa.

2. Log on as Adatum\Beth using the password Pa$$w0rd.

3. On the Microsoft Office Outlook® Web Access page, click OK.

4. Create a new message using a To address of [email protected] and a Subject of Test message 1. Send the message.

5. On CAI-SRV1, on the Start menu, point to All Programs, and then click Outlook Express.

6. Click Create Mail, and then create a new message with a To address of [email protected] and a Subject of Test Message 2. Send the message.

7. Click the Inbox folder and then click Send/Recv, and then ensure that the message from Beth arrived.

Note: It may take a minute for the message from Beth to be delivered. If the message is not delivered in that time, restart the Microsoft Exchange Transport service on CAI-DC1, and then restart the Microsoft Exchange Transport service on CAI-Edge1.

8. On CAI-DC1, click the Check Messages icon, and then ensure that the message from Carol arrived.


To prepare for the lab 1. On the host computer, click Start, point to All Programs, point to Microsoft



3. Start the 5049A-CAI-DC1, 5049A-CAI-SRV1, and 5049A-CAI-EDGE1 virtual machines.

After Completing this Practice Answer the following questions after completing this practice:

Q: What additional services and ports that may be required on the Edge Transport server need to be considered when running the SCW?

A: Some third-party applications may require additional enabled services and ports. Examples include a back-up application that remotely backs up the server or a monitoring program used to monitor the server. As a best practice, you should ensure that only required services and ports are enabled on any server in the perimeter network. This reduces the server’s attack surface.

Q: Will you enable EdgeSync in your organization? Why or why not?

A: Answers will vary. Some organizations may choose not to implement recipient filtering on the Edge Transport server, and they may choose to manually configure the SMTP connectors on the server. Some organizations may also use a third-party SMTP server as the SMTP gateway server. For organizations that implement an Edge Transport server, implementing EdgeSync is highly recommended.


Lesson 2: Configuring Internet Message Delivery

Exchange Server uses the Internet to deliver and receive messages. However, using the Internet can create security issues. In Exchange Server, the Edge Transport server role secures both inbound and outbound Internet e-mail. Inbound and outbound Internet messages are configured to flow a certain way by default. As an administrator, you can modify that message flow depending on the scenario. In this lesson, you will learn how to configure Internet message delivery.


• Describe what SMTP connectors are. • Explain the default Internet message flow. • Describe the scenarios for modifying the default Internet message flow. • Configure SMTP connectors.


What Are SMTP Connectors?

An SMTP connector is an Exchange Server component that supports one-way SMTP connections used to route mail between Hub Transport servers and Edge Transport servers or between the transport servers and the Internet. SMTP connectors are created and managed from the Exchange Management Console or the Exchange Management Shell. Exchange Server 2007 provides two types of SMTP connectors: SMTP Receive connectors and SMTP Send connectors.

Note: Exchange Server 2007 automatically creates Send and Receive connectors that are required for intra-organization e-mail flow. If you enable EdgeSync between an Edge Transport server and Hub Transport server, the SMTP connectors required for message flow to the Internet also are configured.

What Are SMTP Receive Connectors? An SMTP Receive connector is required for an Exchange Server 2007 server to accept any SMTP e-mail. An SMTP Receive connector is used to enable an Exchange Hub Transport or Edge Transport server to receive mail from any other SMTP server, including servers on the Internet, other Exchange Server 2007 Hub Transport servers, Edge Transport servers, or other Exchange Server SMTP servers.


You can configure multiple SMTP Receive connectors with different parameters on a single Exchange server. In large organizations, there can be multiple SMTP Receive connectors on a single server or on multiple servers. In small to medium-size organizations, there could be as few as two connectors—a Send connector and a Receive connector—to serve the entire organization. You do not have to create SMTP Receive connectors to route mail between Hub Transport servers in the same forest.

Each SMTP Receive connector must be configured with a port on which the connector will receive connections, local IP address or addresses that will be used for incoming connections, and a remote IP subnet that can send mail to this SMTP Receive connector. The combination of these three properties must be unique across every SMTP Receive connector in the organization.

What Are SMTP Send Connectors? An SMTP Send connector is required for an Exchange Server 2007 computer to send any SMTP e-mail. SMTP Send connectors are required to send e-mail to any SMTP server on the Internet or to any SMTP servers in the same Exchange Server organization.

Note: By default, the only SMTP Send connectors that are configured on Hub Transport servers are used to communicate with other Hub Transport servers in other sites. These dynamically created SMTP Send connectors are not visible in any management tools and their configuration can not be modified.

How to Manage the SMTP Connectors You can use the Exchange Management Console or the Exchange Management Shell to create, configure, or view the SMTP connectors. In the Exchange Management Console, SMTP Receive connectors are configured for each Hub Transport server, while Send connectors are configured in the Organization Configuration work area. To manage connectors using the Exchange Management Shell, use the ReceiveConnector and SendConnector commands.


Default Internet Message Flow

The primary role for the Edge Transport server is to secure both inbound and outbound Internet e-mail. After you enable Edge Subscription between the Hub Transport servers in your organization and the Edge Transport servers in the perimeter network, both inbound and outbound Internet e-mail is enabled.

Default SMTP Connectors When you install the first Hub Transport server in an Exchange Server 2007 organization, two SMTP Receive connectors are created. When you install an Edge Transport server, it is configured by default with an SMTP Receive connector. When you enable Edge Subscription, two SMTP Send connectors are created. The following table lists these connectors.


Connector name Connector type Description

Client servername SMTP Receive connector

• Created on each Hub Transport server. • Accepts connections from all remote IP

addresses on port 587 for message relay. • Does not accept anonymous connections.

Default servername SMTP Receive connector

• Created on each Hub Transport server. • Accepts connections from all remote IP

addresses on port 25. • Does not accept anonymous connections.

Default internal Receive connector servername

SMTP Receive connector

• Created on each Edge Transport server. • Accepts connections from all remote IP

addresses on port 25. • Accepts anonymous connections.

EdgeSync - inbound to Sitename

SMTP Send connector • Created on the Edge Transport server by Edge Subscription.

• Created in Active Directory, and then replicated to the Edge Transport server by edge synchronization.

• Settings such smart hosts and address space are defined by the Edge Subscription.

EdgeSync – Sitename to Internet

SMTP Send connector • Created on the site defined by Edge Subscription.

• Created in Active Directory, and then replicated to the Edge Transport server by edge synchronization.

• Source server is the Edge Transport server on which Edge Subscription is enabled.

• Address space of *. • Uses DNS to locate SMTP servers on the

Internet.

Note: The Client servername Receive Connector is configured to listen on port 587 rather than port 25. As described in RFC 2476, port 587 has been proposed to be used only for message submission from e-mail clients that require message relay. For more information on this RFC, see The Internet Engineering Task Force Web site.


Default Message Transfer After enabling EdgeSync, e-mail flows through the Exchange Server organization using the following steps:

1. A user submits a message to a Mailbox server. The Hub Transport server retrieves the message from the Mailbox server and categorizes it for delivery. In this case, the message recipient is outside the organization.

2. The Hub Transport server determines that it must use the EdgeSync – Sitename to Internet Send connector to send e-mail to the Internet. It locates a Hub Transport server that is identified as a bridgehead server for the EdgeSync – Sitename to Internet Send connector. By default, all Hub Transport servers on the Active Directory site are bridgehead servers.

3. The Hub Transport server forwards the message to the Edge Transport server, which sends the e-mail message to the Internet using the EdgeSync – Sitename to Internet Send connector.

4. For inbound messages, the sending SMTP connector connects to the Edge Transport server. The Edge Transport server accepts this connection using the Default internal Receive connector servername, which is configured to accept anonymous connections on port 25 from all IP addresses. The Edge Transport server applies all spam filtering rules.

5. If the message is accepted, the Edge Transport server uses the EdgeSync-inbound to sitename to forward the message to a Hub Transport server configured to accept Internet messages.

6. The Hub Transport server uses the Default servername connector to receive the message, and then forwards the message to the appropriate Mailbox server.

Note: Before Internet mail can be enabled, you must ensure that the Edge Transport servers can resolve Internet names using DNS, and that your organization’s MX records point to the Edge Transport servers.


Discussion: Scenarios for Modifying the Default Internet Message Flow

When you install the Edge Transport and Hub Transport servers, and you enable EdgeSync, e-mail messages will flow to and from the Internet using the default configuration. In some cases, you may want to modify that default configuration.

Discussion Questions Answer the following questions in your discussion:

Q: Under what circumstances would you change the default configuration for the SMTP connectors?

A: The circumstances for which you would change the SMTP connectors default configuration are:

• When you configure a smart host, because when you configure a smart host, all messages are routed through an external SMTP server.

• When you configure authentication to require identification or to require Transport Layer Security (TLS) encryption.


Q: Under what circumstances would you create additional SMTP connectors?

A: You would create additional SMTP connectors to address special outbound message delivery requirements for partner organizations. For example, you might configure an SMTP Send connector with the address space equal to the domain name of a partner organization, so that all messages to the partner organization are sent through the Send connector.

Also, you would create additional SMTP connectors to provide different options for inbound authentication or encryption requirements. For example, you might set up a Receive connector that requires authentication and TLS encryption, and then instruct users and partner organizations to use the IP address associated with that Receive connector. You also might configure inbound messages from the partner organizations so that they are not scanned for spam.


Demonstration: How to Configure SMTP Connectors

To modify the default message flow in an Exchange Server 2007 organization, you need to configure SMTP connectors.

Key Points The key points of this demonstration are that:

• You can create SMTP Send and Receive connectors by using the Exchange Management Console or the Exchange Management Shell.

• Some options can only be configured by using the Exchange Management Shell.


Discussion Questions After the instructor demonstration, answer the following questions:

Q: How do SMTP Send connectors and Receive connectors meet the needs of the scenarios discussed in the previous topic?

A: You can configure as many SMTP connectors as required, as long as each connector is unique. You can then configure each SMTP connector with unique properties that address security or message routing requirements.

Q: How will you need to configure SMTP connectors in your organization?

A: Answers will vary. For many organizations, the default connectors that Edge Synchronization configures likely will provide all needed functionality. Larger organizations or those with complex security requirements will require additional SMTP connectors.

Note: You can see a detailed list of the demonstration steps for this module on the Student Material compact disk. Please refer to the demonstration steps after class or during the lab if needed.


Lesson 3: Configuring Security for Internet E-Mail

One of the important considerations when sending e-mail to and from the Internet is that messages sent using SMTP inherently are not secure. This module describes the options and details how to configure security for SMTP e-mail.


• Describe the security concerns associated with using SMTP e-mail. • Describe the options for securing SMTP e-mail. • Describe the public key infrastructure (PKI) requirements to implement SMTP

security. • Describe Domain Security. • Configure authentication and Transport Layer Security (TLS). • Explain how Internet Protocol security (IPSec) works. • Explain how Secure/Multipurpose Internet Mail Extensions (S/MIME) works. • Configure Outlook to use S/MIME.


Discussion: What Are the Security Concerns with SMTP E-Mail?


Q: What security concerns does SMTP e-mail raise?

A: SMTP messages can be easily captured and read. SMTP e-mail is sent in clear text or is MIME encoded. In either case, any SMTP message that can be captured using a network sniffer can be easily read.

SMTP messages cannot be verified. For most SMTP messages, you cannot verify that the sender is actually the address from which the message appears to come. You also cannot verify whether the message has been modified in transit.

SMTP e-mail connections are not authenticated. If you want to receive e-mail from most Internet recipients, you must configure at least one SMTP server that will accept anonymous connections from any Internet IP address.


Q: What steps have you taken to enhance the security of SMTP e-mail? What reasons do you have if you have not taken any steps?

A: Answers will vary. Most organizations have probably not done anything to implement SMTP security. This is because it has not been identified as a requirement, and because it can be difficult to implement and manage. Some organizations will have implemented features such as S/MIME or Pretty Good Privacy (PGP).

Some organizations also try to address the security issue by developing policies specifying what types of messages can or cannot be sent to external recipients. For example, an organization may implement a policy that employees must never send private customer information by e-mail.

Q: How successful has your implementation been? What are the frustrations with your implementation?

A: For most organizations, implementing SMTP e-mail security provides a high level of security, but the implementation is difficult. If organizations have implemented S/MIME, the process of deploying a certificate to each required user is expensive and a time-consuming activity. Users are also unreliable in using S/MIME consistently.

For organizations that have implemented policies to address security questions, the difficulty is that these policies often are almost impossible to enforce and may interfere with regular business processes.


Options for Securing SMTP E-Mail

Because of the inherent lack of security with SMTP e-mail, many organizations are looking for additional security options.

Additional Security There are several technologies available to provide additional security:

• Authentication and authorization. You can use authentication and authorization to limit who can send e-mail to your organization. For example, you can configure an SMTP Receive connector to not accept anonymous connections. You can then specify what types of authentication the connector will accept and configure which accounts have permission to establish SMTP connections to that connector. In this scenario, you must provide the organizations that are sending e-mail to you with a user account that enables authentication of the SMTP connections.

Important: Because almost all SMTP servers use anonymous connections when sending e-mail, you will block almost all e-mail if you require authentication. However, you can use authentication to provide additional security for e-mail sent from partner organizations.


• Transport Layer Security (TLS). TLS, which is defined in RFC 2246, is a protocol for establishing a secure connection between a client and a server. When you implement TLS, the server (or both the server and client) is authenticated, and then all data sent between the two computers is encrypted. TLS uses server and client certificates to provide authentication, and public and private keys provide encryption. With TLS, you can ensure that all SMTP servers connecting to your SMTP server are authenticated, and all messages sent to your server are encrypted.

Note: TLS is similar to Secure Sockets Layer (SSL), but the two technologies are not interchangeable. For detailed information on TLS, see The Internet Engineering Task Force Web site.

• Internet Protocol security (IPSec). You can use IPSec to provide a secure channel between two computers. When you configure IPSec, the computer connections are authenticated, and then all data is encrypted. IPSec is typically used to secure network traffic within an organization or to provide encryption for Layer Two Tunneling Protocol (L2TP) virtual private networks (VPNs). IPSec can use certificates, Kerberos authentication, or a preshared key to authenticate computers and create the required encryption keys.

• Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME enables digital signing and message content encryption for e-mail messages. A digital signature validates the message sender and ensures that the message contents are not modified during transit. Encryption ensures that the message contents cannot be read while in transit. To implement S/MIME, a digital certificate must be installed on the sending computer, and the certificate and public key must be provided to all recipients of encrypted messages. Normally, the digital certificate and public key are provided by sending a digitally signed message.


PKI Requirements to Implement SMTP Security

Regardless security option you choose for SMTP e-mail messages, you must deploy digital certificates on your Edge Transport servers and possibly to the e-mail clients in your organizations. Public key infrastructure (PKI) distributes and manages the required digital certificates.

What Is a PKI? A PKI is an integrated set of services and administrative tools used for creating, deploying, and managing certificates used by public key-based applications, such as applications that send digitally signed and encrypted e-mail messages.

A PKI includes the components listed in the following table.

PKI component Description

Digital certificate Authenticates users and computers.

Certification authority (CA) Issues certificates to users, computers, and services, and then manages them.

Certificate template Defines the content and purpose of a certificate. You can create one certificate template for digital signature capabilities and another for encryption capabilities. Note that one certificate template can be created for both capabilities.

Certificate revocation list (CRL)

Lists the certificates that are revoked by a CA before the certificates reach their scheduled expiration date.


PKI component Description

Certificate publication point and CRL distribution point

Provides locations where certificates and CRLs are made publicly available. Certificates and CRLs can be made available through a directory service, such as X.500, LDAP, or directories that are specific to the operating system and Web servers.

Certificate and CA management tools

Manages issued certificates, publishes CA certificates and CRLs, configures CAs, imports and exports certificates and keys, and recovers archived private keys.

Applications and services that are enabled by public keys

Uses certificates for e-commerce and secure network access by using digital signature and encryption capabilities.

A certificate includes a public key and a private key. By default, the private key is stored only on the computer from which a certificate request is made. The key decrypts and signs messages. The public key is distributed to any computer or user that requests it, and is used to encrypt messages and check the digital signature on signed messages.

Choosing a CA When deploying an SMTP security solution, the most important consideration is what type of CA you will use. You have two options:

Option Description

Obtaining certificates for your servers and clients from a commercial CA.

The biggest advantage of purchasing digital certificates from a commercial CA is that the certificates will be trusted by computers external to your organization. For TLS authentication, IPSec authentication using certificates, and S/MIME to work, all computers must trust the certificates used by the other computers. If you purchase a certificate from a commercial CA, all computers will automatically trust the certificates.

Implementing a private CA. You can install and configure a CA on any computer running Windows Server 2003 or Windows 2000 Server. One of the benefits of installing your own CA is that you can automate certificate distribution and management by using Active Directory policies. The primary disadvantage of using a private CA is that no external clients will trust your certificate.

Note: If you are using digital certificates to provide security for SMTP e-mail, you must deploy a certificate trusted by all computers that will be sending you secure e-mail. In most cases, this will require a certificate from a commercial CA.

Note: Integrate the private CA with a commercial CA by purchasing a certificate from the commercial CA and using that certificate when creating the private CA. This option enables you to manage your own certificates, which external clients will trust.


What Is Domain Security?

Exchange Server 2007 can use TLS to provide security for SMTP e-mail. In most cases, you cannot use TLS when sending or receiving e-mail because most SMTP servers are not configured to use TLS. However, by requiring TLS for all SMTP e-mail sent between your organization and other specified organizations, you can enable a high security level for SMTP e-mail.

What Is Domain Security? Domain Security is an implementation of Exchange Server 2007 and Microsoft Office Outlook 2007 functionality that provides a high level of security for SMTP e-mail sent between organizations. Domain Security uses TLS with mutual authentication to provide session-based authentication and encryption. This means that all connections between the partner organizations are authenticated, and all messages are encrypted while they are in transit on the Internet.

TLS with mutual authentication differs from TLS as it is usually implemented. Typically, when you implement TLS, the client verifies a secure connection to the intended server by validating the server’s certificate, which is received during TLS negotiation. With mutual TLS, each server verifies the connection with the other server by validating a certificate that the other server provides.


Configuring Domain Security To set up Domain Security, perform the following steps:

Step Description

1. On the Edge Transport server, generate a certificate request for TLS certificates.

You can request the certificate from an internal private CA, or from a commercial CA. The SMTP server in the partner organization must trust the certificate. When you request the certificate, ensure that the certificate request includes the domain name for all internal SMTP domains in your organization.

2. Assign the certificate to the SMTP connectors.

After you request the certificate, you must assign the certificate to the SMTP connectors used to send and receive domain secured e-mail.

3. Configure outbound Domain Security.

To configure outbound Domain Security, use Exchange Management Shell commands to specify the domains to which you will send domain secured e-mail, and then configure the SMTP Send connector to use domain secured e-mail.

4. Configure inbound Domain Security.

To configure inbound Domain Security, use Exchange Management Shell commands to specify the domains to which you will receive domain secured e-mail, and then configure the SMTP Receive connector to use domain secured e-mail.

Note: When you install the Edge Transport server role, a self-signed certificate is issued to the server. This certificate is not trusted by any other computers. When you request that the partner organization trust the certificate, you should purchase a certificate from a commercial CA.


Demonstration: How to Configure Authentication and TLS Security

To provide additional security for SMTP e-mail, you can configure authentication and encryption for SMTP Send and Receive connectors. When you configure these options, you also can enable Domain Security for all e-mail sent to and from partner organizations.

Authentication Options for Receive Connectors The following table describes the authentication options for Receive connectors.

Authentication mechanism Description

None No authentication options are offered.

Transport Layer Security (TLS)

The connector offers STARTTLS to clients. If the client is configured to support TLS, and the client trusts the server certificate, TLS will be used to authenticate the session and encrypt e-mail sent during the session.

Integrated Windows authentication

The connector offers AUTH plus NTLM Generic Security Services Application Programming Interface (GSSAPI) to clients. The AUTH response from the server indicates that it is ready to accept authenticated connections. GSSAPI enables clients to negotiate either NTLM or Kerberos. The client must be configured with a user account that has permission to send e-mail to the connector.



Basic authentication The connector offers AUTH plus LOGIN to clients. The user name and password are received in clear text from the client. The client must be configured with a user account that has permission to send e-mail to the connector.

Basic authentication over TLS

This is the policy modifier for Basic authentication. The connector offers AUTH plus LOGIN to the client only after the client has negotiated TLS. This mechanism also requires that TLS be set as the authentication mechanism.

Exchange Server authentication

The connector offers Exchange Protocol Security (EXPS) plus GSSAPI for Exchange servers that are running earlier versions of Exchange Server and X-ANONYMOUSTLS to clients for Exchange 2007 servers. This option is used only for securing e-mail sent between Exchange servers in the same organization.

Externally Secured (for example, with IPSec)

This option considers any connection as coming from another authoritative server.

Authentication Options for Send Connectors For a Send connector, the SmartHostAuthMechanism setting determines how the sending server authenticates with the target smart host. If a SmartHostAuthMechanism is configured, the authentication must succeed before e-mail is sent.

The following table lists the authentication options for smart hosts.


None Anonymous access is allowed.

Basic authentication The connector must use AUTH plus LOGIN. This requires that you provide a user name and password. Basic authentication sends credentials in clear text. All smart hosts with which this Send connector is authenticating must accept the same user name and password. If the RequireTLS parameter is also set to $True, the connector must use TLS before submitting credentials, but no server certificate verification is performed.

Basic authentication requires TLS

This is a policy modifier for Basic authentication. It requires that the connector use TLS before it tries AUTH. It also requires the sending server to perform X.509 certificate validation of the receiving server. Certificate validation includes checking the CRL and matching the server identity against the list of smart hosts configured on the connector before it tries AUTH. One of the fully qualified domain names (FQDN) listed as a smart host must be present in the server certificate for name matching to succeed. Therefore, if the FQDN of the smart host points to an MX record, the listed smart host FQDN must be present in the certificate.

Exchange Server authentication

The connector must use either EXPS plus GSSAPI for Exchange servers that are running earlier versions of Exchange Server or X-ANONYMOUSTLS for Exchange 2007 servers.

Externally Secured (for example, with IPSec)

The network connection is secured by using a method that is external to the Exchange server.


Key Points The key points of this demonstration are:

• You can configure different types of authentication types for SMTP Send and Receive connectors.

• You create a default certificate when you install Exchanger Server. • By combining authentication and TLS encryption, you can provide a high level of

security for SMTP e-mail.


Q: Under what circumstances might you choose to require authentication for SMTP Receive connectors?

A: If you want to ensure that only specified users or organizations can send e-mail through the SMTP Receive connector, you should enable authentication. You will have to issue a user name and password to all SMTP servers that need to authenticate to your server.

Q: Under what circumstances might you choose to configure authentication for SMTP Send connectors?

A: You would configure authentication for the SMTP Send connector only if the destination organization required that you use authentication. The other organization would need to provide you with a user name and password that the Exchange Server will use to authenticate.

Q: When would you install a new digital certificate for your Exchange Server?

A: You will need to install a new certificate if you need to enable TLS encryption, and the partner organization does not want to configure their SMTP servers to trust the default certificate installed on your Edge Transport servers.



How IPSec Works

IPSec typically is used to provide a secure connection between two computers on the same network. IPSec authenticates computers and encrypts data for transmission between hosts.

How IPSec Encryption Works IPSec encryption occurs after an application passes a request to Windows Server to send to another server. For example, if you are using IPSec to secure SMTP e-mail, the Exchange Server would create the SMTP packets, and then send the packets as it normally would. However, before the traffic leaves the server, the IPSec driver intercepts the packets, negotiates a secure connection with the destination server, and sends the packets over the secure channel. The encryption is transparent to the application.

By using IPSec, you can create a secure channel between any computers on your network. One benefit of IPSec is that you can send any kind of network traffic between two computers without having to open ports for each type of traffic on firewalls located between the two servers. All application protocols are tunneled through the IPSec connection, so only the ports required for IPSec need to be enabled.

What Are IPSec Policies? To enable IPSec, you must create IPSec policies. You can create and configure IPSec policies for individual computers by using Local Security Policy, or you can use Group Policy to create and configure IPSec policies for a group of computers.


When you configure an IPSec policy, you can configure the following options:

• You can configure the policy so that the server will require IPSec, request IPSec, or respond with IPSec when IPSec is requested by another computer.

• You can configure the policy to apply to connections with all computers or apply only to connections with specific computers or groups of computers.

• You can configure the policy to apply to all protocols or only to specific protocols. • You can configure the type of authentication that will be accepted. The IPSec

authentication options include: • Certificates. You should use this option when configuring IPSec connections

with an external server.

• Kerberos. You should use this option when configuring IPSec connections with other computers in the same Active Directory forest.

• Preshared key. This authentication option is similar to assigning a password to initiate the connection. This option is not secure and should be used only in testing environments.

When to Use IPSec While IPSec provides a high level of security, you would normally not use IPSec to secure SMTP e-mail. IPSec is difficult to configure and maintain between partner organizations. In most cases, it is easier to configure TLS, which provides an equivalent level of security.

Note: In previous versions of Exchange Server, IPSec is used to secure the connection between a front-end server in a perimeter network and the internal network. IPSec is recommended in this situation because the front-end server has to be a member of the same Active Directory forest as the internal Exchange Server computers. If IPSec is not used in this scenario, you need to open many ports on the internal firewall.


How S/MIME Works

S/MIME is a messaging client-based solution for securing SMTP e-mail. With S/MIME, each client computer must have a certificate, and the user is responsible for signing or encrypting each e-mail.

How S/MIME Secures E-Mail S/MIME provides security for e-mail by using the following:

• Digital signatures. When a user chooses to add a digital signature to a message, hash value of the message is calculated and encrypted by using the sender’s private key. The encrypted hash value is appended to the message as a digital signature. The user’s certificate and public key are sent to the recipient. When the recipient receives the message, the sender’s public key is used to decrypt the hash value, and then the hash value is checked against the message. Digital signatures provide: • Authentication. If the public key can decrypt the hash value attached to the

message, the recipient knows that the message was sent by the person or organization who claims to have sent the message.

• Nonrepudiation. Only the private key associated with the public key could be used to encrypt the hash value, so a message that is digitally signed helps to prevent its sender from disowning the message.

• Data integrity. If the hash value is still valid when the recipient receives it, any alteration of a message that takes place will invalidate the digital signature.


• Message encryption. When a user chooses to encrypt a message using S/MIME, the messaging client generates a one-time symmetric session key and the entire message is encrypted using the session key. The session key is then encrypted by using the recipient’s public key, and the encrypted session key is combined with the encrypted message when the message is sent. When the message arrives at the recipient, the recipient’s private key is used to decrypt the message. Message encryption enhances confidentiality. You can decrypt a message using only the private key associated with the public key that was used to encrypt the message. Therefore, only the intended recipient can view the contents.

When to Use S/MIME S/MIME is a fairly complicated way to provide security for SMTP e-mail because S/MIME:

• Requires a client certificate on each computer that is used to send secure e-mail. Distributing client certificates for users that do not understand the technology takes significant administrative time.

• Requires that a sender get access to the recipient’s public key before the sender can send an encrypted e-mail. Normally, this is accomplished by sending a digitally signed e-mail.

• Is a user-based security model. The user has to take the action to sign or encrypt the message. Users may forget or they not realize which e-mail messages to secure.

• Requires certificate backups. The certificates must be backed up because if one is lost, the user will not be able to decrypt messages that were encrypted with the public key associated with the certificate.

• Introduces another complication. Because the messages entering or leaving the organization are encrypted, and the messages remain encrypted in the user mailbox, the messages cannot be scanned for policy compliance, viruses, or spam.

Despite these issues, S/MIME remains the best option for securing individual e-mail messages. To set up a secure channel, all other solutions require some level of agreement between messaging administrators in the two organizations. If users need to send secure e-mail to recipients in many different organizations, S/MIME is the most feasible option.


Demonstration: How to Configure Outlook to Use S/MIME

One of the ways to secure SMTP e-mail is to use S/MIME to encrypt and digitally sign the e-mail messages before they are sent. To enable S/MIME, you must install certificates on client computers, and then the users must choose to encrypt and sign the e-mail messages before they send them.

Discussion Questions Answer the following questions after viewing the instructor demonstration:

Q: Does your organization have partners or other organizations that require the S/MIME type of security?

A: Answers will vary. Some organizations may have some users set up with S/MIME so that those users can send and receive secure e-mail. These users may be dealing with confidential information that they need to send to other organizations.


Q: What are the limitations with implementing security using this process?

A: There are several limitations:

• It takes considerable management effort to set up users with S/MIME. • If users lose their certificates, they will not be able to read any messages encrypted

using that certificate’s public key. • Users may forget to secure messages that require securing. • Users must get certificates from other users to send them encrypted e-mail.



Lab: Configuring Edge Transport Servers

After completing this lab, you will be able to configure domain security.

Estimated time to complete this lab: 30 minutes.


• Start the 5049A-CAI-DC1, 5049A-CAI-EDGE1, and the 5049A-CAI-SRV1 virtual machines.

• Complete the following steps to implement an Edge Subscription between the Hub Transport server and the Edge Transport server. a. On CAI-EDGE1, click Start, point to All Programs, Microsoft Exchange


b. At the prompt type the following and then press ENTER: D:\Mod02\Labfiles\EdgeScript.ps1 Press ENTER at the confirmation.

c. At the prompt type the following and then press ENTER: D:\Mod02\Labfiles\CopyEdgeScript.cmd


d. On CAI-DC1, click Start, point to All Programs, Microsoft Exchange Server 2007, and then click Exchange Management Shell.

e. At the prompt type the following and then press ENTER: C:\ImportEdgeSub.ps1

f. Close the Exchange Management Shell.

Lab Scenario You are a messaging administrator with A. Datum Corporation. The messaging engineer has identified security requirements for e-mail sent to external organizations. All e-mail sent to, and received from, Contoso, Ltd, a partner organization, must be encrypted. When users receive an e-mail from this organization in their mailbox, they should see an icon that indicates that the e-mail has been secured. To enable this messaging security, both organizations will use an external certificate from the Trey Research CA.


Exercise: Configuring Domain Security In this exercise, you will configure Domain Security for e-mail sent to, and received from, Contoso, Ltd. For this exercise, you will only set up the A. Datum Corporation side of the configuration.

Scenario Contoso, Ltd and A. Datum Corporation have agreed on a process for exchanging secure e-mail. Each organization will configure a dedicated SMTP server or connector to send e-mail between them.

The principal tasks for this exercise are:

• Configure specific SMTP connectors on the A. Datum servers with a certificate for TLS authentication and encryption. These connectors will be used only for Contoso communication.

• Configure the Outbound and Inbound domain security lists.


1. Request and install a certificate from a third-party CA.

• On CAI-EDGE1, use the New-ExchangeCertificate -GenerateRequest –FriendlyName ‘Secure E-Mail Certificate’ -Path C:\certrequest.req -SubjectName “DC=com,DC=Adatum,CN=CAI-EDGE1.adatum.com” –DomainName ‘adatum.com’ command to request a new certificate.

• Copy the certificate request file to \\CAI-SRV1\c$. • On CAI-SRV1, in the Certification Authority MMC snap-in, submit a

new certificate request using the request file from CAI-EDGE1. • Issue the new certificate. • Copy the certificate to a file named IssuedCert.cer, and then copy the

file to \\CAI-EDGE1\c$. • Use the Import-ExchangeCertificate –Path C:\Issuedcert.cer | Enable-

ExchangeCertificate –Services SMTP command to import the certificate.

2. On CAI-EDGE1, add a new IP address of 10.10.0.25 to the Local Area Connection. This IP address will be used for the dedicated connection with Contoso, Ltd.

• On CAI-EDGE1, access the Local Area Connection properties. • Add the IP address 10.10.0.25 with the subnet mask of 255.255.0.0 to

the Local Area Connection.

3. On CAI-EDGE1, modify the configuration of the default SMTP Receive connector, and then create an SMTP Receive connector that will be used to receive e-mail from Contoso.com.

• On CAI-EDGE1, modify the configuration of the Default internal Receive connector CAI-EDGE1 so that it will receive network connections only on IP address 10.10.0.15.

• In the Exchange Management Console, create a new Receive connector with the following configuration: • Name: Contoso Receive Connector • Intended use: Partner • Local Network: 10.10.0.25 • Remote Network: 10.10.0.11



4. On CAI-DC1, create an SMTP Send connector that will be used to send e-mail to Contoso.com. With EdgeSync enabled, all Send connectors must be configured in the Hub Transport server.

• On CAI-DC1, create a new Send connector with the following configuration: • Name: Contoso Send Connector • Intended use: Partner • Address space: contoso.com • Source Server: CAI-EDGE1

• In the Exchange Management Shell, force the EdgeSync process to run immediately by running the Start-EdgeSynchronization cmdlet.

5. On CAI-DC1, configure the outbound and inbound domain security lists.

• On CAI-DC1, in the Exchange Management shell add contoso.com to the send domain list by using the following command: Set-TransportConfig -TLSSendDomainSecureList contoso.com.

• In the Exchange Management shell add contoso.com to the receive domain list by using the following command: Set-TransportConfig -TLSReceiveDomainSecureList contoso.com.

• Verify the configuration by using the following command: Get-TransportConfig

Discussion Questions At the end of this exercise, answer the following questions as a group:

Q: Does your organization have partners or other organizations that require the security enabled by SMTP connectors configured to require authentication and TLS encryption?

A: Answers will vary. Most organizations have not set up these relationships because it was difficult to set up in previous versions of Exchange Server.

Q: What are the limitations and benefits with implementing security using this process?

A: The primary limitation with configuring Domain Security is that you have to set up the relationship with each partner organization. The primary benefit of using this approach is that once you have enabled the secure connections, all e-mail sent to and from the organization will be secured by TLS authentication and encryption without requiring user involvement. Additionally, e-mail sent between the partner organizations still can be scanned for spam and viruses, because the Edge Transport server decrypts the messages.



To prepare for the next module 1. On the host computer, click Start, point to All Programs, point to Microsoft



3. Start the 5049A-CAI-DC1 and 5049A-CAI-CL1 virtual machines.

Module 3: Implementing Messaging Policies


Lesson 1: Introducing Messaging Policy and Compliance 3-2

Lesson 2: Implementing Messaging Records Management 3-9

Lesson 3: Implementing Transport and Journaling Rules 3-18

Lab: Implementing Messaging Policies 3-32 Course Evaluation 3-38







Version 1.1

Module 3: Implementing Messaging Policies 3-1

Overview

Microsoft® Exchange Server 2007 provides new tools for coping with a growing number of e-mail legal, regulatory, and internal policy and compliance requirements. Most organizations must be able to filter e-mail delivery based on different criteria and manage e-mail retention and deletion. This module details about how to configure the Exchange Server 2007 messaging policy and compliance features.


• Describe messaging policy and compliance. • Implement messaging records management. • Implement transport and journaling rules.

3-2 Module 3: Implementing Messaging Policies

Lesson 1: Introducing Messaging Policy and Compliance

Messaging policies in Exchange Server 2007 provide options for messaging administrators to manage e-mail messages that are in transit throughout the organization and to manage e-mail messages that users store in their mailboxes. This lesson is important because it provides an overview of messaging policies and how to use them.


• Describe compliance requirements. • Describe how messaging policies can help address compliance requirements. • Describe messaging policy implementation options.


Discussion: Common Compliance Requirements

E-mail is a primary means of communication in many organizations, and a great deal of business information is sent by e-mail. This information may include confidential information, such as customer data or business intelligence. One use of messaging policies in Exchange Server 2007 is to provide features that help you to comply with legal requirements and corporate messaging policies regarding e-mail messages.


Q: What type of business is your organization? What are some legislated compliance requirements for your organization?

A: Answers will vary depending on the type of business the organization conducts. Some examples of legislation restricting how organizations manage information include:

• United States: • Sarbanes-Oxley Act of 2002 (SOX)

• Gramm-Leach-Bliley Act (Financial Modernization Act)

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USAPatriot Act)


• Canada: • The Personal Information Protection and Electronic Documents Act

• Australia: • Federal Privacy Act

• Europe: • European Union Data Protection Directive (EUDPD)

• Japan: • Japan’s Personal Information Protection Act

Q: What additional compliance requirements does your organization have?

A: Organizations might have additional requirements for managing e-mail. For example, the organization might want to add legal disclaimers to outgoing communications or require that certain messages require an intellectual property disclosure disclaimer. The organization also might have message-retention requirements that mandate that certain messages be retained and others deleted after a specified time.

Q: What issues do these requirements raise for your organization? How are you addressing these issues?

A: Answers will vary. Traditionally, addressing any of these requirements has been difficult. Answers may include:

• Using a third-party archiving tool to archive all messages. • Using policies to regulate what types of information can be sent by e-mail. • Using auditing to enforce policies. • Using Simple Mail Transfer Protocol (SMTP) servers that scan messages for content

and apply disclaimers.


How Messaging Policies Can Help Address Compliance Requirements

Exchange Server 2007 provides messaging polices that address many legal and corporate requirements for managing information.

What Are Messaging Policies? Messaging policies in Exchange Server 2007 are a set of rules and settings that apply restrictions for message flow and storage. You can use messaging policies to apply rules to messages in transport and to enforce message-retention requirements in user mailboxes.

Messaging Policies and Compliance Requirements Exchange Server 2007 provides three types of messaging policies:

• Transport policies are rules and settings that are applied as messages pass through the Exchange Server 2007 transport components. Transport policies can set restrictions on message flow or modify message contents based on organizational requirements. For example, you can set restrictions on which users are allowed to send e-mail to each other or on message flow based on message contents, or you can apply legal disclaimers to specific messages. To meet compliance requirements for messages sent inside the organization, configure the transport rules on the Hub Transport server. To meet compliance requirements for messages sent to the Internet, you can configure transport rules on Hub Transport or Edge Transport servers.


• Journaling policies are rules and settings that enable you to save a copy of all messages that meet specified criteria. These policies can help address message archival requirements. For example, you can journal messages sent by a particular user or messages sent to a particular distribution group. You can journal messages sent or received from recipients inside and outside the organization. When you configure journaling, the messages are sent to a specified SMTP address as a journal report. The journal report is an e-mail message that includes message data, such as senders, recipients, and message deliver times, together with an attachment containing the original message.

• Messaging records management policies are rules and settings that are applied to folders in a user’s Inbox to automate and simplify message retention. For example, you can configure a policy that will retain messages in a folder in a user mailbox for a specified time. Or you can configure a policy that will automatically delete messages in a specified folder. When users move messages into the specified folders, the messaging records management policies are applied automatically.


Messaging Policy Implementation Options

Messaging Policy Implementation Options Exchange Server 2007 provides many different agents and options for implementing messaging policies, including the following.

Rule Agent Description

Edge transport rules

Edge Transport rule agent

The Edge Transport rule agent processes messages that are sent to and from the Internet. By configuring edge transport rules, you can restrict message flow based on message data, such as specific words or text patterns in the message subject, body, header, or From address; spam confidence level (SCL); or attachment type. You can configure the transport rules to quarantine messages, drop or reject a message, append additional recipients to a message, or log an event. Edge transport rules must be configured on each Edge Transport server because these rules are not replicated between servers.

Hub transport rules

Hub Transport rule agent

The Hub Transport rule agent processes messages that are sent to or from users in the organization, and to or from the Internet. Hub Transport rules are applied in the same way on all Hub Transport servers in the organization. Hub Transport rules support an extended set of conditions, letting you control message flow based on distribution groups, internal or external recipients, message classifications, and message importance. Possible actions include applying a message classification, appending disclaimer text, redirecting the message to an address, removing the message header, or logging an event.


Rule Agent Description

Disclaimers. Transport Rules agent

You also can configure transport rules to add disclaimer text to the start or end of the message body. These disclaimers can be customized and can contain text that refers to accidental disclosure of the message contents, or of proprietary or confidential information.

Journaling rules

Journaling agent You configure journal rules on the Hub Transport server. Messages can be copied to the journal agent according to the distribution scope of the message. The conditions that trigger the journaling action are refined by specifying as criteria an individual user or the sender’s or recipient’s distribution list membership.

Address rewriting rules

Address Rewriting agent

You configure the Address Rewriting agent on the Edge Transport server role to enable the modification of the SMTP addresses on inbound and outbound messages. Address rewriting is useful when an organization has several internal domains but wants to use a single SMTP domain for Internet e-mail.

Messaging records management policies

Applied in a Mailbox server

Administrators can use the messaging records management features to retain messages needed for business or legal reasons and delete messages that are necessary. Retention policies can be applied to folders that the administrator creates and to default mailbox folders, such as the Inbox or Sent Items folder. When a message reaches a retention limit, it can be archived, deleted, flagged for user attention, or logged.


Lesson 2: Implementing Messaging Records Management

An important requirement for many organizations is to manage the e-mail stored in users’ mailboxes. In some cases, organizations might need to retain some messages, whereas other messages might need to be deleted after a specified time. Exchange Server 2007 uses messaging records management to implement this functionality.


• Describe what messaging records management is. • Explain the deployment process for messaging records management. • Implement managed custom folders and content settings. • Configure message mailbox policies. • Apply the considerations for implementing messaging records management.


What Is Messaging Records Management?

Messaging records management is designed to help organizations manage e-mail messages that users store in their mailboxes. When you implement messaging records management, you configure content settings that specify how long to retain messages in specified e-mail folders in user mailboxes. You can apply content settings to the default e-mail folders or to managed custom folders that you create in user mailboxes. You then can create policies that apply the content settings for a folder or group of folders to specified users.

Message Management Options When you configure content settings, you have two options for configuring how messages are managed:

• You can configure retention policies, which enable you to define how long content will remain in users’ mailboxes. You can configure these policies by content age and message type, such as voice mail or appointments, and these policies can apply to any default folders or custom folders in users’ mailboxes.

• You can configure settings to ensure copies of all messages in the specified folder are sent to another recipient. The recipient must exist in the global address list (GAL) but can be at any location with an SMTP e-mail address, including another Exchange Server mailbox or Microsoft Windows® SharePoint® Services document library. Data that is sent to such a repository is labeled to preserve its classification information.


User Interaction with Messaging Records Management One goal for messaging records management is to make managing e-mail messages easy for users. All users have to do to manage messaging records is move e-mail messages from their Inbox to the appropriate folders. For example, users might be working on a special project that requires that all e-mail messages related to the project be stored for a set period. You can create a managed custom folder in the user Inbox specifically for that project. When users move messages into the appropriate folder, the messaging records management policies are applied automatically. Messages also can be sorted into the appropriate folder by using Outlook rules.

You also can apply content settings to default folders in a user mailbox. In this case, no user interaction is necessary to apply the settings to the folders.


Process for Deploying Messaging Records Management

To implement messaging records management, you must complete the following steps:

1. Specify the folders to which you want to apply messaging records management. You can apply managed content settings to default folders in user mailboxes, or you can create managed custom folders in user mailboxes.

2. Specify the managed content settings for selected folders. When you configure content settings, you can configure options for the message types to manage, how long the messages in the folder are retained, and what action to take when the message expires. You also can configure journaling settings that will save a copy of all messages in the folder.

3. Create a managed folder mailbox policy. You can use mailbox policies to group multiple managed folders.

4. Apply the managed folder mailbox policy to users’ mailboxes. By default, no managed folder mailbox policies are created or applied to user mailboxes.

5. Schedule the managed folder assistant to apply the changes to users’ mailboxes. The managed folder assistant creates managed folders in users’ mailboxes and applies managed content settings to them. By default, the managed folder assistant will never run.


Demonstration: How to Implement Managed Custom Folders and Content Settings

The first step in implementing messaging records management is to choose which folders to manage. You can apply the policies to the default mailbox folders located in all mailboxes, or you can create new managed e-mail folders. To apply retention settings to mailbox folders, you must configure content settings.

Discussion Questions After the instructor demonstration, answer the following questions:

Q: Do you think you will implement managed custom folders? Does your organization have a requirement for managed custom folders?

A: Answers will vary. Many organizations have projects that have message-retention requirements, and using managed custom folders with managed custom settings provides a way to manage content.


Q: Does your organization have a requirement for using managed content settings for default mailbox folders?

A: Answers will vary. With managed content settings, you can manage the user mailbox contents. Some organizations may choose this option to delete messages in the Deleted Items and Sent Items folders, as these folders often account for a large percentage of user mailboxes. Organizations also could apply content settings to the entire mailbox to encourage users to move messages into managed custom folders.

Q: What issues does your organization face regarding implementing content settings?

A: Answers will vary. User resistance occurs with almost any change to the user environment. In particular, users are likely to resist content settings that delete messages from their mailboxes. Before implementing any content settings, ensure that you have management support and that users are educated about the need for the policy.

Note: You can see a detailed list of the demonstration steps for this module on the Student Material CD. Refer to the demonstration steps after class or during the lab if needed.


Demonstration: How to Configure Message Mailbox Policies

After you configure the managed custom e-mail folders and content settings, the next step is to configure managed folder mailbox policies. You can assign one or more managed folders, with associated content settings, to a policy so that the settings for multiple folders can be assigned to a user mailbox. After configuring the managed folder mailbox policy, you must modify the schedule for the messaging records management enforcement process.

Discussion Questions After viewing the instructor demonstration, answer the following questions:

Q: What groups in your organization do you think will require messaging records management policies?

A: Answers will vary. Because these policies are essentially just groupings of managed folders with corresponding content settings, you can create as many policies as your organization requires.

Q: What kind of unique policies will your organization’s groups require?

A: Answers will vary. Because these policies arrange managed folders with corresponding content settings, you can create as many unique policies as required. However, each managed folder can have only one content setting. Therefore, if you assign a folder to a policy, all users that the policy affects will have the same content settings.


Recommendations for Implementing Messaging Records Management

By implementing messaging records management, you can significantly modify how messages are retained or deleted in user mailboxes. As with any other significant change, you need to plan and test this implementation carefully to ensure that the organization’s requirements are met.

Recommendations for Configuring Managed E-Mail Folders and Content Settings When configuring managed e-mail folders and content settings, consider the following recommendations:

• Consider using content settings to manage mailbox size limits. For example, you can configure a policy that deletes messages in the Deleted Items folder or the Sent Items folder after a specified time.

• When creating managed e-mail folders, use meaningful names and descriptions. Users should be able to tell, at a glance, what a particular folder is for and the retention period assigned to it.

• Plan managed content settings carefully. You can apply only one content setting to a specific folder, so you cannot apply different content settings for different groups. If you create a content setting for a specific user group, the same settings are applied to all policies that include that folder.


Note: You can apply multiple content settings to a managed folder, but only if the content settings apply to different message types. For example, you can configure a content setting that applies to messages and another that applies to calendar items on the same folder.

Recommendations for Configuring Policies When configuring managed folder policies, consider the following recommendations:

• In most cases, you should associate a policy with a group of users that need the same set of managed e-mail folders. Policies can include many different managed folders, and the same managed folders can be applied to different policies. You can address the unique managed folder requirements for each group that has a policy.

• Consider running the managed folder assistant during nonbusiness hours. Running the process in a large organization can consume significant server resources.

Recommendations for Formulating a User Communication Plan When planning a communication plan for users, consider the following recommendations:

• Users must move messages into the managed e-mail folders for the content settings to apply to the managed e-mail folders. This means that you must provide user training to educate them on why they need to move messages into the folders. You also may need to provide training on how to configure Outlook rules to move messages into the correct folders automatically.

• You may need to configure the policies so that deleted messages are copied to another location, such as a document library on a Microsoft Windows SharePoint Services site. You should also provide training for users so that they can search the document library to access archived e-mail. A document library is a list on a SharePoint site that has a document or other file, such as a message attached to each record. The document library can be indexed and searched using a Web browser. Expect some user resistance to implementation of messaging records policies, especially if the policies are configured to delete messages from user mailboxes.


Lesson 3: Implementing Transport and Journaling Rules

Another option for using messaging policies is to apply transport rules to messages as they are sent from one user to another. By implementing transport rules, you can apply messaging policies and ensure that all e-mail messages sent within the organization or to external recipients meet your organization’s compliance requirements. You also can configure journaling policies so that messages sent or received by specified recipients are copied to an archive location automatically.


• Describe what transport rules are. • Explain the process for configuring Hub Transport rule components. • Configure Hub Transport rules. • Explain how Exchange Server 2007 journaling works. • Explain the process for configuring message journaling. • Configure message journaling rules. • Apply recommendations for implementing transport and journaling rules.


What Are Transport Rules?

Transport rules are applied to messages as they pass through an Edge Transport server role or a Hub Transport server role. Transport rules are applied by the Transport Rule agent on a Hub Transport server role and by the Edge Rule agent on an Edge Transport server role. Transport rules restrict message flow or modification of message contents when messages are in transit. By using transport rules, you can:

• Prevent specified users from sending or receiving e-mail from other specified users. • Prevent inappropriate content from entering or leaving the organization. • Apply restrictions based on message classifications to restrict the flow of confidential

organization information. • Track or journal messages sent to, or from, specific individuals. • Redirect incoming and outgoing messages for inspection before delivery. • Apply disclaimers to messages as they pass through the organization.


Transport Rules on Hub Transport Servers Transport rules configured on a Hub Transport server are applied on all other Hub Transport servers in the Exchange Server 2007 organization. The transport rules configured on one Hub Transport server role are stored in the Configuration container in the Active Directory® directory service. This information is replicated throughout the Active Directory forest so that it is accessible to all other Hub Transport servers. This means that the same transport rules are applied to all e-mail messages that are sent or received in the organization.

Transport Rules on Edge Transport Servers Transport rules configured on an Edge Transport server are applied only to e-mail messages that pass through that specific Edge Transport server role. The transport rules are stored in Active Directory Application Mode (ADAM) and are not replicated to other Edge Transport server roles. Therefore, you can configure Edge Transport servers to apply distinct transport rules depending on the e-mail messaging traffic that they manage.

If you have more than one Edge Transport server role, and you want to apply a consistent set of rules across all Edge Transport servers, you must either configure each server manually or export the transport rules from one server and import them into all other Edge Transport servers.

Note: Although the process for creating transport rules on Hub Transport servers and Edge Transport servers is similar, the options available when creating the rules are not identical. For example, when configuring the recipients to whom a rule will apply on a Hub Transport server role, you can configure specific recipients based on the GAL. On the Edge Transport server role, you can configure recipients based on text patterns in the SMTP addresses rather than specific GAL recipients.


Process for Configuring Hub Transport Rule Components

All transport rules, whether applied on the Hub Transport server role or the Edge Transport server role, have a similar configuration.

Transport Rule Components When you configure transport rules, you need to configure the following components:

• Conditions. Transport rule conditions indicate which e-mail message attributes, headers, recipients, senders, or other parts of the message are used to identify the e-mail messages to which a transport rule action should be applied. If the data in the section of the e-mail message that the condition is inspecting matches the condition’s value, the rule is applied if the condition does not match an exception. You can configure multiple conditions on a transport rule to narrow the rule’s scope so that it applies actions only to messages that have very specific criteria. You also can decide not to apply any conditions, which means that the transport rule then applies to all messages. There is an unlimited number of conditions that you can apply to a single transport rule.

Note: If you configure multiple conditions on the same transport rule, all the conditions must be met for the transport rule to apply the configured action to a particular e-mail message. When you specify multiple values on a single condition, if one or more of the values are matched, the condition is satisfied.


• Actions. Actions are applied to e-mail messages that match the conditions and for which no exceptions are present. Each action affects e-mail messages in a different way, such as redirecting the e-mail message to another address or dropping the message.

• Exceptions. Exceptions determine which e-mail messages to exclude from having an action applied. Transport rule exceptions are based on the same predicates that are used to create transport rule conditions. Transport rule exceptions override conditions and prevent a transport rule action from being applied to an e-mail message, even if the message matches all configured transport rule conditions. You can configure multiple exceptions on a transport rule to expand the criteria for identifying e-mail messages to which a transport rule action should not be applied.

Note: If you configure multiple exceptions on the same transport rule, only one exception must be matched for the transport rule action to be excluded from being applied to an e-mail message. When you specify multiple values on a single exception, if one or more of the values are matched, the exception is satisfied.


Demonstration: How to Configure Hub Transport Rules

You can configure transport rules by using either the Exchange Management Console or the Exchange Management Shell. If you are using the Exchange Management Console on a Hub Transport server role, access the Hub Transport container in the Organization Configuration work area.

To configure transport rules using the Exchange Management Shell, run the following cmdlets:

• The Get-TransportRule, New-TransportRule, Remove-TransportRule, Set-TransportRule, Enable-TransportRule, and Disable-TransportRule cmdlets create, remove, and configure transport rules.

• The Get-TransportRuleAction cmdlet retrieves a list of all available transport rule actions.

• The Get-TransportRulePredicate cmdlet retrieves a list of all available rule predicates.

• The Import-TransportRuleCollection and Export-TransportRuleCollection cmdlets import and export a set of transport rules configured on a Hub Transport server or Edge Transport server.


Caution: Importing a transport rule collection overwrites all pre-existing transport rules. On Hub Transport servers, the command overwrites all transport rules that are configured in the Exchange Server 2007 organization, except for transport rules on Edge Transport servers. Make sure that you have a back up of your current transport rule collection before you import and overwrite your current transport rules.

Discussion Questions After viewing the instructor demonstration, answer the following:

Q: What transport policies will you need to implement in your organization?

A: Answers will vary. Transport rules provide many different options to restrict message flow and modify messages as they pass through the Hub Transport servers.


How Exchange Server 2007 Journaling Works

Journaling enables you to redirect all e-mail messages to a collection mailbox when they are sent to, or from, specified mailboxes, contacts, or distribution-group members. The messages that meet the journaling criteria are sent to the collection mailbox as a journal report, which includes detailed information, including to whom the message was addressed, who the message was from, and the message’s subject.

How Journaling Works When you create a journal rule, the Journaling agent, which runs only on Hub Transport servers, monitors all messages sent through the server. When a message matches the journal rule criteria, a copy of the message is forwarded to a journal mailbox. The journal mailbox can be configured using any Exchange recipient. The recipient address can refer to another mailbox in the Exchange Server organization, a document library on a Microsoft Windows SharePoint Services site, or an address used by other third-party message-archival solutions.

Journal rules are based on message recipients and message senders. When you configure a journal rule, you can choose any Exchange recipient including mailbox users, contacts, or distribution groups. A copy of all messages sent from, or received by, the recipient are sent to the journal mailbox.


Note: You can also configure message journaling on each mailbox database. When you assign a journal recipient for a mailbox database, all messages sent or received by recipients with mailboxes in the database also are sent to the journal recipient.

Journal Rule Scope You also can configure the following three journal rule scopes that limit which messages are sent to the journal mailbox.

Scope Description

Internal Rules with this scope process messages that are sent and received by recipients inside the Exchange Server 2007 organization.

External Rules with this scope process messages that are sent to recipients or from senders outside the Exchange Server 2007 organization.

Global Rules with this scope process all messages that pass through a computer that has the Hub Transport server role installed. These include messages that may have already been processed by journal rules in the Internal and External scopes.

Journal Rule Replication Journal rules configured on a Hub Transport server role are applied to the entire Exchange Server 2007 organization. When you create a journal rule on a Hub Transport server role, it is stored in the Configuration partition in Active Directory. Any changes replicate to all Active Directory servers in the organization. All the Hub Transport servers in the organization then read the new configuration from the Active Directory servers and apply the new or modified journal rules to messages that pass through the Hub Transport server role.

Journal Reports When a message meets the journal rule criteria, a journal report is sent to the SMTP address listed on the rule. The journal report is a new e-mail message with the original message included, unaltered, as an attachment.

The information that is contained in the journal report is organized so that every value in each header field has its own line. The Journaling agent captures as much detail as possible about the original message. This information is important in determining the message’s intent, its recipients, and its senders. For example, whether the recipients identified on the message are directly addressed in the To field or the Cc field, or are included in a distribution list may determine how the recipient is involved in the discussion occurring in the message.


Demonstration: How to Configure Message Journaling Rules

You can configure journaling rules by using either the Exchange Management Console or the Exchange Management Shell. If you are using the Exchange Management Console, access the Hub Transport container in the Organization Configuration work area.

To configure transport rules by using the Exchange Management Shell, use the following commands:

• Enable-JournalRule • Disable-JournalRule • Get-JournalRule • Set-JournalRule • New-JournalRule • Remove-JournalRule


Journal Reports The following table lists the information that can be included in the journal report..

Field name Description

Sender Displays the SMTP address of the sender.

On-Behalf-Of Displays the SMTP address of the mailbox from which the message appears if the Send On Behalf Of feature is specified by the sender.

Subject Displays the Multipurpose Internet Mail Extensions (MIME) subject header value.

Message-ID Displays the internal Exchange Message-ID.

To Displays the SMTP address of a recipient that is included in the message envelope and in the To header field of the message. The recipient address can be included directly by the sender, indirectly through distribution list expansion, or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution-list expansion or was forwarded, the To field might also contain one Expanded field or one Forwarded field, separated with commas. For example, if a message is sent to the Sales distribution group, and David is a member of the Sales group, the To field will include an entry like [email protected], Expanded: sales@ adatum.com.

Cc Displays the recipient’s SMTP address included in the Cc field.

Bcc Displays the recipient’s SMTP address included in the Bcc field.

Expanded Displayed as a subfield of the To, Cc, or Bcc fields, and displays the address of the distribution list that contains either the recipient that is specified in the To, Cc, or Bcc field or the nested distribution lists that contain the specified recipient.

Forwarded Displayed as a subfield of the To, Cc, or Bcc fields and displays the e-mail address of a mailbox that is configured to forward e-mail messages to the account that is specified in the To, Cc, or Bcc field.

Recipient Displays the SMTP address of a recipient that is included on an e-mail message that originated outside the Exchange Server 2007 organization.


Discussion Questions After you have viewed the instructor demonstration, answer the following questions:

Q: Do you have any archiving or journaling requirements in your organization?

A: Answers will vary. Many organizations have requirements for archiving certain messages. For example, an organization may require that messages with business-transaction information be archived for several years.

Q: How are you currently meeting these requirements?

A: Most organizations that have implemented an archiving solution do so using third-party applications. Previous versions of Exchange Server only enabled journaling at the mailbox store level, where all messages sent and received from that store were archived.

If students have implemented a third-party archiving tool, ask them to describe how the archiving tools works and what types of functionality the tool provides.

Q: What are the advantages and disadvantages of using the Exchange Server 2007 message journaling feature?

A: Answers will vary depending on what tool the organization has deployed. Exchange Server 2007 journaling has one advantage – it enables you to specify any archival location for messages, and you can filter journaling based on recipients rather than at a database level. However, Exchange Server 2007 does not provide any automated tools for managing the journal mailbox, so you will need to implement a manual management process.


Recommendations for Implementing Transport and Journaling Rules

Transport and journaling rules provide powerful options for implementing policy compliance measures. You need to plan and test this implementation carefully to ensure that the organization’s requirements are met.

Recommendations for Configuring Transport and Journaling Rules When configuring transport rules, consider the following recommendations:

Recommendation Reason

Document transport rules as you create or modify them.

You can configure transport rules to perform many different actions based on many conditions and exceptions. Without careful planning and thorough documentation, the transport rule configuration could become difficult to manage and may result in conflicting or unexpected actions being applied.

If you have multiple sites in your organization, consider the impact of the transport and journal rules on network bandwidth.

If you configure a transport rule to forward messages to a location on a different site, or if the journal location is on an alternate site, you may significantly increase the bandwidth usage between sites.


Recommendations for Managing Message Journal Archives Consider the following recommendations when planning how to manage message journal archives.

Recommendation Reason

Decide how to restrict access to message journal archives.

You can use any Exchange recipient as the destination for the message journal reports. By using a mail-enabled contact, you can redirect the journal reports to a location, such as a Windows SharePoint Services document library outside the Exchange Server organization. The journal reports might contain sensitive information that may be part of legal proceedings or might be subject to regulatory requirements. You should create policies that govern who can access the journal reports in your organization, limiting access to only those individuals who have a direct need to access them.

Manage the journal mailbox data.

The amount of data stored in the journal location will expand rapidly if you are journaling many messages, so you will need to implement a process to manage the mailboxes or alternate location. If you are using Exchange Server mailboxes as the journal location, consider implementing a regular back-up schedule for the mailboxes, and then using a messaging records management policy to manage the mailbox size.


Lab: Implementing Messaging Policies

After completing this lab, you will be able to:

• Configure messaging records management. • Configure transport and journaling rules.

Estimated time to complete this lab: 45 minutes.


• Ensure that the 5049A-CAI-DC1 virtual machine is started. • Log on to 5049A-CAI-DC1 as Adatum\Administrator with a password of

Pa$$w0rd.


Lab Scenario A. Datum Corporation is completing its Exchange Server 2007 deployment and is getting ready to implement messaging policies to manage e-mail messages in transit and in user mailboxes. The project sponsors have developed the following requirements for messaging policies:

• For all users, all messages in the default mailbox folders must be deleted after 90 days.

• All members of the Finance department require a custom folder in their mailbox that will contain confidential messages related to finance. The messages in these custom folders must be retained for 180 days, after which the messages must be marked as expired in Outlook.

• All messages sent to users on the Internet must have a disclaimer added that the legal department has approved.

• Messages with a “Company Confidential” classification must not be sent to the Internet.

• A copy of every message sent or received by Finance department members must be sent to a mailbox for journaling.


Exercise 1: Configuring Messaging Records Management In this exercise, you will create a managed custom folder and configure managed content settings. You then will create managed content policies and assign the policies to users as required.


1. Create a managed custom mailbox folder named Finance Confidential.

• Create a new managed custom folder with the following attributes: • Name: Finance Confidential. • Comment: All confidential items related to Finance

should be posted here. Messages in this folder are valid for 180 days.

• Do not allow users to minimize the comment in Outlook.

2. Configure content settings for the Finance Confidential folder so that all messages will be retained for 180 days, after which the messages must be marked as expired in Outlook.

• Create a new managed content settings object with the following attributes: • Name: Finance Confidential Content Settings. • Message type: All Mailbox Content. • Messages are retained for 180 days after they have been

moved to the managed folder. • After the retention period ends, the messages should be

marked as past retention limit in Outlook.

3. Configure content settings for all mailbox folders so that messages will be deleted after 90 days.

• On CAI-DC1, in the Exchange Management Console, configure a new mailbox content setting object that will apply to all folders in the default mailbox with the following attributes: • Name: Mailbox Content Settings. • Message type: All Mailbox Content. • Messages will be retained for 90 days. • Retention period starts when messages are delivered. • Delete messages, and allow recovery.

4. Configure a managed folder mailbox policy that will apply to all users.

• Create a new managed folder mailbox policy with this attribute: Name: Default Policy – All Users

• Associate the Entire Mailbox with the policy • Use the following command to assign the policy to all users:

Get-Mailbox | Set-Mailbox –ManagedFolderMailboxPolicy ‘Default Policy – All Users’

5. Configure a managed folder mailbox policy that will apply to the Finance department.

• Create a new managed folder mailbox policy with the following attributes: • Name: Finance Department Policy. • Associate the Entire Mailbox and the Finance Confidential

mailbox to this policy. • Use the following command to assign the new policy to the

users in the Finance organizational unit (OU): Get-Mailbox | where-object {$_.distinguishedname -ilike ‘*ou=finance,dc=adatum,dc=com’} | Set-Mailbox –ManagedFolderMailboxPolicy ‘Finance Department Policy’



6. Start the managed folder assistant process.

• Create a custom schedule for the managed folder assistant process to run from Monday 6:00 A.M. to Friday 6:00 P.M., and then click OK twice.

• Stop, and then start the Microsoft Exchange Mailbox Assistants service.

7. Confirm that the managed custom folder is created for Finance department users.

• In the Exchange Management Console, confirm that the managed folder mailbox policy is assigned to Katie Jordan.

• On CAI-DC1, open Internet Explorer and connect to https://CAI-DC1/owa.

• Log on as Adatum\Katie with the password of Pa$$w0rd. Confirm that the Finance Confidential folder has been created in Katie’s mailbox.


To prepare for the next exercise Before you begin the next exercise, you must:

• Start the 5049A-CAI-SRV1 and the 5049A-CAI-EDGE1 virtual machines. • Log on to the virtual machines as Administrator with a password of Pa$$w0rd. • Complete the following steps to implement an Edge Subscription between the Hub

Transport server and the Edge Transport server. • On CAI-EDGE1, click Start, point to All Programs, Microsoft Exchange


• At the prompt, type the following and then press ENTER: D:\Mod03\Labfiles\EdgeScript.ps1 Press ENTER at the confirmation.

• At the prompt, type the following and then press ENTER: D:\Mod03\Labfiles\CopyEdgeScript.cmd

• Close the Exchange Management Shell.

• On CAI-DC1, click Start, point to All Programs, Microsoft Exchange Server 2007, and then click Exchange Management Shell.

• At the prompt, type the following and then press ENTER: C:\ImportEdgeSub.ps1

• Close the Exchange Management Shell.


Exercise 2: Configuring Transport and Journaling Rules In this exercise, you will configure transport and journaling rules to meet the company requirements.


1. Create a transport rule that will add a disclaimer to all messages sent over the Internet.

• On CAI-DC1, create a new transport rule with the following settings: • Name: Internet E-Mail Disclaimer • Conditions: Sent to users outside the corporation • Actions: Add a disclaimer • Disclaimer text: This e-mail is intended solely for the use of

the individual to whom it is addressed

2. Create a transport rule that will block all messages with a classification of Company Confidential from being sent to the Internet.

• Create a new transport rule with the following settings: • Name: Company Confidential Rule • Condition: Sent to users outside the corporation • Condition: Marked with classification

ExCompanyConfidential • Actions: send bounce message to sender with enhanced

status code • Bounce message text: Company confidential e-mail

messages cannot be sent to the Internet

3. Create a mailbox for journaling messages for the Finance department.

• Create a new recipient with the following attributes: • First name: Finance Journal Mailbox • User Logon name (User Principal Name):

FinanceJournalMailbox • Password: Pa$$w0rd • Confirm password: Pa$$w0rd

4. Create a journal rule that will save a copy of all messages sent to and from members of the Finance department.

• Create a new journal rule with the following attributes: • Rule name: Finance Department Message Journaling • Journal mailbox: FinanceJournalMailbox • Scope: Global • Recipient: Finance distribution group



5. Test the transport and journaling rules.

• On CAI-DC1, open Internet Explorer and go to https://CAI-DC1/owa. • Log on as Adatum\Beth, send a new message to

[email protected]. • Create another message to [email protected], mark it with the

Company Confidential classification, and then send the message. • On CAI-SRV1, open Outlook Express. Confirm that the first message

from Beth arrived and that the disclaimer has been added to the message. Confirm that the second message did not arrive.

• In OWA, confirm that Beth received a message from the postmaster account stating that the message could not be delivered.

• In OWA, send a new message to Qin Hong. Qin is a member of the Finance distribution group.

• On CAI-DC1, open Microsoft Internet Explorer, and then connect to https://CAI-DC1/owa.

• Log on as [email protected] with the password Pa$$w0rd. Confirm that a journal report for the message sent from Beth is in the mailbox.


Lab Shutdown 1. On the host computer, click Start, point to All Programs, point to Microsoft


2. Under Navigation, click Master Status. For each virtual machine that is running, click the Virtual Machine Name, and in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.

IndexNumerics .edb files, excluding from antivirus scans, 1-6 .log files, excluding from antivirus scans, 1-6

A Active Directory

mode for directory-enabled applications. See ADAM synchronizing with Edge Transport servers. See

EdgeSync Active Directory Application Mode (ADAM). See

ADAM ADAM

database storage location, 2-9 defined, 2-8 EdgeSync. See EdgeSync information stored by, 2-9 replicating Active Directory information to. See

EdgeSync transport rules in, 3-20. See also also transport rules

administrative permissions on Edge Transport servers, 2-6

administrator account security issues, 1-50 antivirus scan engines, 1-47 antivirus software. See also also viruses

client-side, 1-6 defense-in-depth approach, 1-50 in Exchange Server 2007, 1-43 to 1-44 Internet edge-based, 1-6 selecting, 1-42 server-side, 1-6 updating, 1-50

antivirus stamping, 1-44, 1-48 archiving

e-mail messages, securely. See Exchange Hosted Archive

journal reports, 3-31 attachments, e-mail, 1-45 to 1-46 authentication, 2-37

for IPSec, 2-47 for SMTP Receive connectors, 2-43 to 2-44 for SMTP Send connectors, 2-44

authorization, 2-37

B block lists. See IP Block lists; real-time block lists

(RBLs) Blocked Senders List, aggregating to Exchange Server,

1-28 to 1-29 blocking e-mail attachments, 1-45 to 1-46 blocking IP addresses, 1-14. See also also IP Block lists

C CAs (certification authority)

commercial vs. private, 2-40 defined, 2-39 third-party, installing, 2-54

certificate revocation list (CRL), 2-39 certificate template, 2-39 certificates. See digital certificates certification authority (CA). See CAs (certification

authority) cloning Edge Transport servers. See edge cloning collection mailboxes. See journaling compliance. See messaging policies connection filtering

allow lists. See IP Allow lists block lists. See IP Block lists configuring, 1-34 to 1-36 criteria for, 1-30 to 1-31 defined, 1-14 enabling, 1-14 run order of, 1-14 with real-time block lists (RBL), 1-17

content filtering configuring, 1-25, 1-37 to 1-38 defined, 1-24 exceptions, allowing, 1-25 process for, 1-31 to 1-32 quarantine mailbox, configuring, 1-25 spam confidence level assignment, 1-24 to 1-25

D defense-in-depth approach, 1-5 to 1-6

Exchange Hosted Services and. See Exchange Hosted Services

for antivirus software, 1-50

I-2 Index

deploying Edge Transport servers, 2-5 to 2-7 messaging records management, 3-12

digital certificates deploying to Edge Transport servers, 2-39 from third-party CAs, installing, 2-54 public and private keys in, 2-40 self-signed, issued to Edge Transport servers, 2-42

digitally signing e-mail messages. See Secure/Multipurpose Internet Mail Extensions (S/MIME)

directory services. See ADAM document libraries, 3-17 Domain Security

configuring, 2-42, 2-54 to 2-55 defined, 2-41 inbound, configuring, 2-42 outbound, configuring, 2-42

E edge cloning

configuring, 2-16 defined, 2-15 uses for, 2-15

Edge Subscriptions, 1-33 to 1-34 setting up, 1-51 to 1-52

edge transport rules, 3-7 Edge Transport Rules wizard, 2-6 Edge Transport servers, 1-6

Address Rewriting agent, configuring, 3-8 administrative permissions, configuring, 2-6 agents for, 1-47 anti-spam configuration, 1-33 to 1-34 attachment blocking, 1-45 to 1-46 cloning. See edge cloning configuration, 2-3 to 2-4 configuration information, exporting, 2-16 configuration, reviewing, 2-18 to 2-19 defined, 2-2 digital certificates on. See digital certificates firewall configuration, 2-4 to 2-5 implementing, 2-5 to 2-7 infrastructure requirements, 2-3 to 2-4 IP Allow/Block lists, 1-15 remote administration, 2-7 replicating Active Directory information to. See

EdgeSync securing, 2-5

self-signed certificate issued to, 2-42 SMTP connectors, creating, 2-6 spam filtering process, 1-30 to 1-32 synchronizing with Active Directory. See EdgeSync transport rules on, 3-20. See also also transport rules

EdgeConnectedBridgeheads (ECBHs), 2-13 EdgeSync

configuring, 2-21 to 2-22 defined, 2-10 implementing, 2-13 information replicated by, 2-11 mail flow with, 2-29 ports used by, 2-11 provisioning Edge Transport servers for, 2-13 security concerns, 2-14 synchronization frequency, 2-11

e-mail confidentiality issues. See messaging policies enabling, 2-27 folders, managed by policies. See managed folders junk. See spam message transfer, default, 2-29 messaging policies. See messaging policies security, and S/MIME, 2-48 to 2-49 SMTP. See SMTP e-mail testing flow of, 2-22

e-mail attachment filtering, 1-45 to 1-46 e-mail messages

archiving securely. See Exchange Hosted Archive collecting in single mailbox. See journaling digital signing and encryption. See

Secure/Multipurpose Internet Mail Extensions (S/MIME)

disclaimer text, adding, 3-8 encrypting. See encrypting e-mail messages filtering. See filtering e-mail messages managing. See messaging records management retention policies, 3-10, 3-34. See also also

messaging policies rules, applying. See messaging policies security. See messaging security services. See messaging services

encrypting e-mail messages, 1-8, 1-10. See also also Exchange Hosted Encryption; also Secure/Multipurpose Internet Mail Extensions (S/MIME) with Identity-Based Encryption (IBE), 1-8 with S/MIME, 2-49

Index I-3

encryption IPSec. See Internet Protocol security (IPSec) spam and, 1-4

Exchange Hosted Archive, 1-7 Exchange Hosted Continuity, 1-8 Exchange Hosted Encryption, 1-8 Exchange Hosted Filtering, 1-8 Exchange Hosted Services

as defense-in-depth layer, 1-7 inbound message handling, 1-9 outbound message handling, 1-10 services offered by, 1-7 to 1-8 subscription model for, 1-9

Exchange Server antivirus software, 1-6, 1-43 to 1-44 database files, excluding from antivirus scans, 1-6 Forefront Security. See Forefront Security

F filtering e-mail attachments, 1-45 to 1-46 filtering e-mail messages, 1-8

by content. See content filtering by recipient. See recipient filtering by sender. See sender filtering by sender ID. See Sender ID filtering by sender reputation. See sender reputation filtering by SMTP address. See connection filtering bypassing, 1-32 configuring, 1-55 to 1-56 optimal solutions for, 1-12 to 1-13 process in Exchange Server 2007, 1-30 to 1-32 reviewing results of, 1-54

firewalls, configuring for Edge Transport servers, 2-4 to 2-5

folders managed by policies. See managed folders Forefront Security

features of, 1-47 to 1-48 requirements for, 1-48

Forefront Server Security Management Console, 1-48

G Group Policy for IPSec, 2-46 to 2-47

H HELO/EHLO statements and sender reputation, 1-27 Hub Transport rules, 3-7

Hub Transport servers agents for, 1-47 antivirus software, 1-6 for replicating information, 2-13 spam filters, 1-6 transport rules on, 3-20. See also also transport rules

I Identity-Based Encryption (IBE), 1-8 Internet mail. See e-mail Internet Protocol security (IPSec), 2-38

authentication options, 2-47 functioning of, 2-46 policies, 2-46 to 2-47 uses for, 2-46 when to use, 2-47

IP Allow lists, 1-15 IP Block lists, 1-15

exceptions, configuring, 1-18 expiration times, 1-15 real-time. See real-time block lists (RBLs)

IPSec. See Internet Protocol security (IPSec)

J journal reports, 3-26, 3-28

archiving, 3-31 journal rules, 3-25

configuring, 3-27, 3-30 creating, 3-36 replicating, 3-26 scopes, 3-26

journaling defined, 3-25 functioning of, 3-25

journaling mailbox, 3-36 journaling policies, 3-6

configuring, 3-8 junk e-mail. See spam

L LDAP ports for EdgeSync, 2-11 legislation regarding information management, 3-3 to

3-4

I-4 Index

M mail. See e-mail Mailbox servers

agents for, 1-47 antivirus software, 1-6

mailboxes, collection. See journaling managed folders

assistant, running, 3-35 assistant, when to run, 3-17 configuring, 3-15 creating, 3-34 naming, 3-16 policies, creating, 3-34 size limits, implementing, 3-16

messaging policies. See also also journaling policies; also transport policies content settings, 3-10, 3-34 defined, 3-5 for managed folders, creating, 3-34 for user Inboxes. See messaging records

management policies implementing, 3-7 to 3-8

messaging records management defined, 3-10 deploying, 3-12 folders managed by. See managed folders recommendations for, 3-16 training users, 3-17 user interaction with, 3-11

messaging records management policies, 3-6, 3-8 recommendations for, 3-17 user resistance to, 3-17

messaging security hosting outside organization. See Exchange Hosted

Services user education on, 1-49

messaging services, maintaining. See Exchange Hosted Continuity

Microsoft Exchange Hosted Services. See Exchange Hosted Services

Microsoft Exchange Server 2007. See Exchange Server

N New-EdgeSubscription cmdlet, 2-13

O open proxy servers, effect on sender reputation, 1-27 open relays, 1-4

P phishing messages, 1-4. See also also spam PKI (public key infrastructure)

components of, 2-39 to 2-40 defined, 2-39

public key infrastructure (PKI). See PKI (public key infrastructure)

Q quarantine mailbox, 1-25

R real-time block lists (RBLs)

connection filtering with, 1-17 exceptions, configuring, 1-18 implementing, 1-16 limitations of, 1-16 to 1-17 provider responses, 1-17 spam evasion of, 1-17

Receive connectors. See SMTP Receive connectors recipient filtering

process for, 1-31 when to use, 1-19

remote administration of Edge Transport servers, 2-7 Remote Desktop for Edge Transport servers, 2-7 replicating

Edge Transport servers. See edge cloning journal rules, 3-26

reputation, filtering e-mail messages by. See sender reputation filtering

reverse DNS lookup, effect on sender reputation, 1-27 Rights Management Services (RMS) Prelicensing

agent, 3-8

S S/MIME. See Secure/Multipurpose Internet Mail

Extensions (S/MIME) Safe Senders List, aggregating to Exchange Server,

1-28 to 1-29 safelist aggregation, 1-28 to 1-29

configuring, 1-38 to 1-39 Secure/Multipurpose Internet Mail Extensions

(S/MIME), 2-38 defined, 2-48 digital signatures, 2-48 e-mail security and, 2-48 to 2-49 enabling, 2-50 encryption with, 2-49 when to use, 2-49

Index I-5

security. See also also Internet Protocol security (IPSec); also Transport Layer Security (TLS) defense-in-depth model. See defense-in-depth

approach EdgeSync and, 2-14 of SMTP e-mail, 2-37 to 2-38

Security Configuration Wizard (SCW), 2-5 running, 2-19 to 2-21

Send connectors. See SMTP Send connectors sender filtering, 1-19 Sender ID filtering

configuring, 1-36 to 1-37 enabling, 1-21 functioning of, 1-23 process for, 1-31 settings, 1-22

Sender ID Framework, 1-21 Sender Policy Framework (SPF) records, 1-21 to 1-22 sender reputation filtering, 1-26 to 1-27

configuring, 1-36 to 1-37 SmartScreen Content Filter (SSCF), 1-24. See also also

content filtering SMTP addresses, modifying on inbound/outbound

messages, 3-8 SMTP connectors

authentication and authorization for, 2-37 creating, 2-6 default configuration, when to change, 2-30 defined, 2-25 management of, 2-26

SMTP e-mail security, 2-37 to 2-38 SMTP Receive connectors

authentication options, 2-43 to 2-44 configuring multiple, 2-26 default, 2-27 to 2-28 defined, 2-25

SMTP Send connectors authentication options, 2-44 default, 2-28 defined, 2-26

spam defense-in-depth approach for. See defense-in-depth

approach e-mail message filtering for. See filtering e-mail

messages filtering. See filtering e-mail attachments; filtering e-

mail messages filters, on Hub Transport servers, 1-6 types of, 1-4 user education on, 1-6

spoofing, 1-4. See also also spam synchronizing Active Directory and Edge Transport

servers. See EdgeSync

T transport agents, 1-43 Transport Layer Security (TLS), 2-38

certificate requests, generating, 2-42 Domain Security and. See Domain Security requiring, 2-41 with mutual authentication, 2-41

transport policies, 3-5 configuring, 3-7 to 3-8

transport rules actions, 3-22 components of, 3-21 to 3-22 conditions, 3-21 configuring, 3-23, 3-30 creating, 2-6, 3-36 defined, 3-19 disclaimer text, adding with, 3-8 documenting, 3-30 exceptions, 3-22 on Edge Transport servers, 3-20 on Hub Transport servers, 3-20 uses for, 3-19

U unsolicited commercial e-mail. See spam Update SafeList command, 1-29 User Account Control, 1-50

V Virus Scanning API (VSAPI), 1-43 viruses. See also also antivirus software

administrator accounts and, 1-50 defense-in-depth approach for. See defense-in-depth

approach user education on, 1-6, 1-49 vectors for, 1-41

VSAPI (Virus Scanning API), 1-43

Z Zero Download Messenger (ZDM), 1-10

Course 5049A Managing Messaging Security Using Microsoft Exchange Server 2007

Documents

Transcript of Course 5049A Managing Messaging Security Using Microsoft Exchange Server 2007