31st March 2011, 03:26 PM #1
Exchange 2010 with Forefront Protection 2010 for Exchange queries
Don't suppose any of you good goooooooood people happen to use FPE [note, that's not a typo of FEP, it's a diff product for those not aware]?
To save me re-writing the thread I started on the MS forums, I'm being lazy and just copying and pasting it 'ere.
Any ideas (on where I'm being a dense fool) or any thoughts of those that have it set up and come across it or something similar would be most gratefully received
Here's the URL to the MS Thread:
Like other ppl, I have a few questions regarding FP 2010 for Exchange - the SCP -1 issue, integration, backscatter, and more
I seem to be going around and around, reading the same sites, and not actually getting the answers so time to post a thread I think.
Firstly, here's the setup in order, from External to Internal:
- Perimeter Firewall (Enterprise level firewall, that does scan email traffic initially)
- Linux Mail Server - running Postfix - This has some older AV / Spam checks on it, and is the mail server that we were using prior to Exchange. It still exists as we are still in the migration period (although most of the users are migrated) and it handles entries for some other domains - mainly just aliases to the main AD domain (with Exchange). We have got this server set to deliver email to the Exchange HT server in the event that it can't deliver it to this server (not the best setup I know but it's a working solution as we progress with the migration of the remaining users)
- Exchange 2010 HT server (we DON'T have an Exchange EDGE server at this time) - this is the only server I've configured with FPE at the moment (want to get this correct first before putting FPE on the MBX servers). For info, we have this set up as a separate server to any of the other Exchange roles (all Exchange servers are Exchange 2010 SP1)
The issues I've run into at present:
1. No matter what I try, I can't seem to get any email coming into Exchange from External (to Exchange) to be flagged as anything other than the following in the message headers:
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
- populating the InternalSMTPServers in Exchange with the IP of the firewall
- populating the InternalSMTPServers in Exchange with the IP of the firewall, and the linux mail server
- leaving the InternalSMTPServers in Exchange empty
- with the above combinations, I've also tried including these IP combinations (and leaving it empty) in the "IP addresses used to identify external addresses" option located in the FPE console > Policy Management > Global Settings > Advanced Options, but it hasn't made a difference.
Note: I've not restarted any services after making any of these changes and nothing specifies that you need to do that. I see in the Event Viewer that the configuration has been saved / changed when making these changes at each attempt, plus I can't just start randomly restarting the Exchange / FPE services continuously due to the organisation being very dependent on e-mail delivery (I'd have to do it late at night I wager).
The Antimalware side of things and File Filtering works however, as I have entries for these, but nothing seems to work in getting this antispam feature working.
This kind of leads me onto question 2....
2. Do you have to enable or disable anything in Exchange itself in order for the anti spam of FPE to work? How does FPE integrate with Exch in this way?
To explain a bit more, prior to trying FPE, I did attempt some while ago to set up the built in Anti Spam feature in Exchange but when trying to get it to install (using the script) it failed and I never got around to actually getting this resolved. Wondering whether this would have any bearing on it.
After setting up FPE, I've noticed that when I use the Exchange Management Console on the HT server, it has Anti Spam tabs (found at Org Configuration > Hub Transport and Server Configuration > Hub Transport), whereas it doesn't show these when using the EMC on any of the other Exchange servers.
Is this down to FPE being installed? Does FPE actually install and turn on the native Exchange Anti Spam system and integrate into that, as these tabs and options within don't indicate FPE in any way, so I've no idea now whether they are meant to be used or not.
3. Backscatter - I've enabled this and generated the key etc, but other than the Statistics in Server Security Views > Spam Details, I can't find any place showing logs of the messages that have been blocked. Is there some reason for this? The count seems quite high considering I only set up FPE last Friday night and while I'm aware the first 24hrs to expect quite a number of them while it trains itself, the number seems to have increased steadily - it tells me 1227 messages have been blocked by the backscatter agent. It was about 400-500ish 24hrs later, but it still seems quite high considering we do have AV / spam / RBL checks in place in the firewall / linux mail server.
4. A side note but I've noticed a few things that I'd love to see in FPE in the future... does anyone know whether the FPE team welcome feedback (other than the surveys) where I could suggest to them some improvements?
Any help on the above would be really welcome, as it seems like a really good comprehensive tool, and most of it is easy enough to work out, but seems to be lacking as far as helping you actually integrate it when you are using different scenarios to what is expected.
31st March 2011, 03:58 PM #2
I have this on a corp server and it is possibly one of the best antispam packages I have ever used. The amount of spam that gets through is very near zero, I have not actually heard anyone say that any spam at all has got through.
Your post was quite comprehensive and I'm on my phone so I'll just answer what I can.
The antispam tab that you see in the EMC is to do with this product and is where you enable the spam filtering rules for the transport server. Not sure about your setup but it should still work alright in that environment.
You do need to restart the Information store and hub transport servers for various rules to take effect. It does tell you after you save changes but does so in a little caption box on the form itself which is not very visible.
Not sure about backscatter as I have not configured anything to do with it and just left it at defaults. You can configure additional logging for more information about what is dropped by changing the actions under the configuration for each of the methods of scanning.
Make sure that you specify all the possible internal domains as internal including yourdomain.local or whatever your internal dns is just in case policies trip up anywhere.
Hope that helps a bit, happy to clarify if needed.
31st March 2011, 05:29 PM #3
Cheers for the reply
Usually when I do a thread on any forum, I do try and make it pretty detailed (tho sometimes the brain works faster than my ability to type, or vice versa), although usually it's a wasted effort on the MS forums as it either usually ends up with a Mod or someone rewriting what I wrote, proposing it as the answer, and a mod closing it as answered lol. Thankfully that doesn't happen here (we hope), so thought it best to copy it to 'ere too
Your post was quite comprehensive and I'm on my phone so I'll just answer what I can.
The reason I wondered about the anti spam tabs in EMC is that, as an example, in the options in FPE, I have under "Antispam > Configure: Content Filter - SCL Thresholds and Actions" the following settings:
Suspected spam: SCL 5 - 8
Certain Spam: SCL 9
but in the EMC under Org Configuration > Hub Transport > Anti-Spam: Content Filtering and on the Action Tab, I only have Reject ticked at SCP 8 and the others are unticked, which isn't the same as the FPE settings....
so it doesn't seem to be right (unless like you say, it won't sync the settings until I restart the settings, which, to be frank, is utter stupidness)
However, yes, I do see that under the "Enable content filtering" tickbox, it says "Note: The Microsoft Exchange Transport service must be restarted for changes to this setting to take effect" so rather than it meaning just that tickbox, it seems like it means the whole of that section. Thanks for the clarity there Microsoft lol Obviously, I'll have to wait until some point tonight to try that one.
Hear ya about the logging.... I've got everything ticked under the logging but nothing mentioning the backscatter. Have found the Get-FseSpamAgentLog PowerShell command so I'll have a play with that once things are working.
Only the one domain really is on Exchange mainly, but yeah, I know what you mean and will look at that but it's not a prob at the mo
31st March 2011, 05:49 PM #4
@Nathan - Is email still not flowing into Exchange?
31st March 2011, 06:03 PM #5
Email is flowing into Exchange perfectly thanks
That's not the problem...
31st March 2011, 06:25 PM #6
@Nathan - I've just read your post on the MSFT forum. Do you feel you don't get the correct feedback from the moderators/support staff?