Saturday, April 7, 2012

Forefront Security features for Exchange Server

Forefront Security for Exchange Server uses different agents for Edge Transport servers, Hub Transport servers, and Mailbox servers. On Edge Transport servers and Hub Transport servers, it uses an Exchange Server 2007 Transport agent to scan messages in transit. On Mailbox servers, it uses a new Forefront VSAPI.dll to scan the mailbox and public folder databases.
Configuring Edge Transport Servers

Firewall | Firewall rule | Explanation
--- | --- | ---
External | Allow port 25 from all external IP addresses to the Edge Transport server. | Required for Simple Mail Transfer Protocol (SMTP) hosts on the Internet to send e-mail.
External | Allow port 25 to all external IP addresses from the Edge Transport server. | Required for the Edge Transport server to send e-mail to SMTP hosts on the Internet.
External | Allow port 53 to all external IP addresses from the Edge Transport server. | Required for the Edge Transport server to resolve DNS names on the Internet.
Internal | Allow port 25 from the Edge Transport server to specified Hub Transport servers. | Required for the Edge Transport server to send inbound SMTP e-mail to Hub Transport servers.
Internal | Allow port 25 from specified Hub Transport servers to the Edge Transport server. | Required for the Hub Transport servers to send e-mail to the Edge Transport server.
Internal | Allow port 50636 Secure Lightweight Directory Access Protocol (LDAPS) from specified Hub Transport servers to the Edge Transport server. | Required for the Hub Transport server to replicate information to the Edge Transport servers using EdgeSync. This port is not the default LDAPS port, but it is used specifically for the EdgeSync process.
Internal | Allow port 3389 for Remote Desktop Protocol (RDP) from the internal network to the Edge Transport server. | Required if you want to use Remote Desktop to remotely administer the Edge Transport server.
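As an added example (not part of the original post), the inbound rules from the table above expressed as host firewall rules on the Edge Transport server itself, so the server is protected even if a perimeter rule is misconfigured. The Hub Transport addresses and the administration subnet are constructed placeholders; netsh advfirewall requires Windows Server 2008 or later.

```powershell
# Added example: host-firewall rules on the Edge Transport server mirroring the table.
# Constructed values: Hub Transport servers 10.0.1.10 and 10.0.1.11, administration
# subnet 10.0.2.0/24. Replace them with your own addresses before running.
$HubServers = "10.0.1.10,10.0.1.11"
$AdminNet   = "10.0.2.0/24"

# External: SMTP in from any address, because Internet MTAs deliver to the Edge server.
# (The hub-to-edge SMTP rule from the table is covered by this broader rule on the host;
# the stricter hub-only rule belongs on the internal firewall.)
netsh advfirewall firewall add rule name="Edge SMTP inbound" `
    dir=in action=allow protocol=TCP localport=25 remoteip=any

# Internal: EdgeSync LDAPS (50636) only from the named Hub Transport servers.
netsh advfirewall firewall add rule name="Edge EdgeSync LDAPS inbound" `
    dir=in action=allow protocol=TCP localport=50636 remoteip=$HubServers

# Internal: RDP only from the administration subnet, never from the Internet side.
netsh advfirewall firewall add rule name="Edge RDP inbound (admin only)" `
    dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminNet

# Outbound SMTP (25) and DNS (53) rely on the default outbound-allow policy;
# if you run a block-all-outbound profile, add matching dir=out rules.

# Check what was created, and confirm no rule opens 50636 or 3389 to "Any".
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern "Rule Name|LocalPort|RemoteIP"
```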
Tip: The Exchange Server 2007 installation DVD includes an SCW configuration
file named Exchange2007Edge.xml that is specific to Exchange Server 2007 Edge
Transport servers. When you install Exchange Server 2007, this file is copied to the
C:\Program Files\Microsoft\Exchange Server\Scripts folder. Before you can use
this file in the SCW, you must register the file using the scwcmd register command.
Note: If you configure an Edge Subscription between a Hub Transport and an Edge Transport server, the SMTP connectors required for Internet e-mail delivery are configured automatically.
Edge Synchronization:
By default, recipient information synchronizes every four hours, and
configuration information synchronizes every hour.
During synchronization, EdgeSync replicates the following data from Active Directory to
ADAM:
• Accepted domains.
• Recipients (Hashed). The recipient information is hashed using a one-way hash so
that an attacker cannot retrieve recipient information from the Edge Transport server.
• Safe senders (Hashed).
• Send connectors.
• Hub Transport server list (for dynamic connector generation).

Ports Used by EdgeSync
The Edge Transport server is configured to use default port number 50389 for LDAP and
default port number 50636 for LDAPS. The LDAP port is used only by administration
tools to connect to the Edge Transport server instance of ADAM. All communication
from the Hub Transport server to the Edge Transport server uses LDAPS.
Hub Transport servers used for the replication of information are
known as EdgeConnectedBridgeheads (ECBHs).
Edge cloning involves configuring multiple Edge Transport servers with identical configurations. Edge cloning can be used to back up the configuration on one Edge Transport server, and then replicate it to another Edge Transport server for redundancy or disaster recovery.
The Exchange Server transport services running on Edge Transport servers do not
support Microsoft Windows® Clustering. Therefore, to achieve high availability for
messaging transport, you should ensure that multiple Edge Transport servers are available
at all times. You can use edge cloning to ensure that all Edge Transport servers have the
same configuration.
Note: Although ADAM supports directory replication, there is no option in
Exchange Server 2007 to use directory replication to configure multiple Edge
Transport servers. You must use edge cloning if you want to automate this
process, and you must repeat the edge-cloning steps every time you make a
configuration change on one of the servers.
Note: The ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 files are Windows
PowerShell scripts, not individual commands. The scripts are located in the
C:\Program Files\Microsoft\Exchange Server\Scripts folder on all servers running
the Exchange Server 2007 Edge Transport server role.
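The export, validate, import sequence for edge cloning with the two scripts named above, as an added example rather than the post's own text. The script names and folder are from the page; the parameter names are the ones documented for Exchange Server 2007 and the file paths are constructed placeholders.

```powershell
# Added example: cloning an Edge Transport configuration with the scripts from the
# Scripts folder. Run inside the Exchange Management Shell. Paths are constructed.
Set-Location "C:\Program Files\Microsoft\Exchange Server\Scripts"

# 1. On the SOURCE Edge Transport server: export the configuration to XML.
.\ExportEdgeConfig.ps1 -CloneConfigData:"C:\EdgeClone\CloneConfigData.xml"

# 2. Copy CloneConfigData.xml to the TARGET Edge Transport server, then run a
#    validation pass there. With -IsImport $false nothing is changed; the script
#    checks the data and writes an answer file holding the server-specific values
#    (for example Receive connector bindings) that must differ between the servers.
.\ImportEdgeConfig.ps1 -CloneConfigData:"C:\EdgeClone\CloneConfigData.xml" `
    -IsImport $false -CloneConfigAnswer:"C:\EdgeClone\CloneConfigAnswer.xml"

# 3. Review and edit CloneConfigAnswer.xml, then apply the configuration.
.\ImportEdgeConfig.ps1 -CloneConfigData:"C:\EdgeClone\CloneConfigData.xml" `
    -IsImport $true -CloneConfigAnswer:"C:\EdgeClone\CloneConfigAnswer.xml"

# 4. Confirm the two servers now agree on the settings that matter most.
Get-ReceiveConnector | Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
Get-TransportConfig  | Format-List MaxSendSize, MaxReceiveSize

# As the note above says, repeat steps 1-3 after every configuration change on
# either server; cloning is a one-time copy, not ongoing replication.
```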
Default Edge/Hub Transport Connectors

Client servername (SMTP Receive connector)
• Created on each Hub Transport server.
• Accepts connections from all remote IP addresses on port 587 for message relay.
• Does not accept anonymous connections.

Default servername (SMTP Receive connector)
• Created on each Hub Transport server.
• Accepts connections from all remote IP addresses on port 25.
• Does not accept anonymous connections.

Default internal Receive connector servername (SMTP Receive connector)
• Created on each Edge Transport server.
• Accepts connections from all remote IP addresses on port 25.
• Accepts anonymous connections.

EdgeSync - inbound to Sitename (SMTP Send connector)
• Created on the Edge Transport server by Edge Subscription.
• Created in Active Directory, and then replicated to the Edge Transport server by edge synchronization.
• Settings such as smart hosts and address space are defined by the Edge Subscription.

EdgeSync - Sitename to Internet (SMTP Send connector)
• Created on the site defined by Edge Subscription.
• Created in Active Directory, and then replicated to the Edge Transport server by edge synchronization.
• Source server is the Edge Transport server on which Edge Subscription is enabled.
• Address space of *.
• Uses DNS to locate SMTP servers on the Internet.

Note: The Client servername Receive Connector is configured to listen on port 587
rather than port 25. As described in RFC 2476, port 587 has been proposed to be
used only for message submission from e-mail clients that require message relay.
For more information on this RFC, see The Internet Engineering Task Force Web
site.
What Is a PKI?

A PKI is an integrated set of services and administrative tools used for creating, deploying, and managing certificates used by public key-based applications, such as applications that send digitally signed and encrypted e-mail messages.

PKI component | Description
--- | ---
Digital certificate | Authenticates users and computers.
Certification authority (CA) | Issues certificates to users, computers, and services, and then manages them.
Certificate template | Defines the content and purpose of a certificate. You can create one certificate template for digital signature capabilities and another for encryption capabilities. Note that one certificate template can be created for both capabilities.
Certificate revocation list (CRL) | Lists the certificates that are revoked by a CA before the certificates reach their scheduled expiration date.
Certificate publication point and CRL distribution point | Provides locations where certificates and CRLs are made publicly available. Certificates and CRLs can be made available through a directory service, such as X.500, LDAP, or directories that are specific to the operating system and Web servers.
Certificate and CA management tools | Manages issued certificates, publishes CA certificates and CRLs, configures CAs, imports and exports certificates and keys, and recovers archived private keys.
Applications and services that are enabled by public | 
Domain Security:
To configure outbound Domain Security, use Exchange
Management Shell commands to specify the domains to
which you will send domain secured e-mail, and then
configure the SMTP Send connector to use domain
secured e-mail.
To configure inbound Domain Security, use Exchange
Management Shell commands to specify the domains to
which you will receive domain secured e-mail, and then
configure the SMTP Receive connector to use domain
secured e-mail.
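The outbound and inbound steps just described, as an added Exchange Management Shell example that is not part of the original post. The partner domain, the Edge server name and the site name are constructed placeholders; the cmdlets and parameters are the Exchange Server 2007 ones, and the commands are run on a Hub Transport server so that EdgeSync replicates them to the Edge Transport server.

```powershell
# Added example: Domain Security (mutual TLS with a named partner domain).
# Constructed values: partner domain, site name "Default-First-Site-Name", Edge server "EDGE01".
$PartnerDomain = "partner.example.com"

# Outbound: list the domain you will send domain-secured mail to, then require the
# Send connector to use it. DomainSecureEnabled needs DNS routing and STARTTLS honoured.
Set-TransportConfig -TLSSendDomainSecureList $PartnerDomain
Set-SendConnector -Identity "EdgeSync - Default-First-Site-Name to Internet" `
    -DomainSecureEnabled $true -DNSRoutingEnabled $true -IgnoreSTARTTLS $false

# Inbound: list the domain you will receive domain-secured mail from, then make the
# Edge Receive connector accept it. AuthMechanism must include TLS for this to work.
Set-TransportConfig -TLSReceiveDomainSecureList $PartnerDomain
Set-ReceiveConnector -Identity "Default internal Receive connector EDGE01" `
    -DomainSecureEnabled $true -AuthMechanism "Tls"

# Configuration normally reaches the Edge server on the hourly EdgeSync cycle
# described above; push it now instead of waiting, then verify.
Start-EdgeSynchronization
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector "EdgeSync - Default-First-Site-Name to Internet" | Format-List DomainSecureEnabled
```

Domain Security also requires a certificate on the Edge Transport server that the partner trusts; without it the partner's side of the mutual TLS handshake fails and mail to the listed domain is not delivered.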
