Implementing Messaging Security – Exchange 2010

The Edge Transport role provides powerful anti-spam functionality and some antivirus-related features. Because the Edge Transport role does not include a virus scanner of its own, you can integrate additional antivirus products such as Microsoft Forefront Protection for Exchange Server. You can configure secure SMTP messaging as well as Domain Security, a feature available in Microsoft Exchange Server 2007 and later versions. You can also take advantage of Federated Sharing, which enables sharing of availability and contact information between organizations.

Deploying an Antivirus Solution

Exchange Server 2010 includes several virus protection features such as support for VS API, transport agents, antivirus stamping, and integration with Forefront Protection for Exchange Server 2010.

Antivirus scan with multiple engines – You can automatically scan messages using multiple virus pattern engines, not just a single one.

Full support for VS API – Forefront Protection for Exchange Server fully supports the Exchange VS API.

Microsoft IP Reputation service – Provides sender reputation information about IP addresses that are known to send spam. This is an IP-block list offered exclusively to Exchange Server.

Spam Signature updates – Identifies the most recent spam campaigns. The signature updates are released on an as-needed basis, up to several times a day.

Automated content filtering updates – Automated content filtering updates for Microsoft SmartScreen spam heuristics, phishing Web sites, and other Intelligent Message Filter (IMF) updates.

Deploying an Anti-Spam Solution

Exchange Server 2010 includes several filtering agents that you can use for implementing an anti-spam solution. These filtering agents include Connection Filtering, Content Filtering, Sender ID Filtering, Sender Filtering, Recipient Filtering, Sender Reputation Filtering, and Attachment Filtering.

The Edge Transport server uses these filtering agents to examine each SMTP connection and the messages sent through the connection.

By understanding how each of these filters works, you can configure the options for each filter based on your organization’s requirements.
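The following Exchange Management Shell session is an added example, not part of the original post, showing one way to check and configure the filtering agents listed above on an Edge Transport server; the block-list lookup domain, the quarantine mailbox address, and the thresholds are assumed values to adapt to your own policy.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on an Edge Transport server. The DNSBL domain, quarantine mailbox and
# thresholds below are assumptions; substitute your own.

# Confirm that the filtering agents from the post are installed and enabled.
Get-TransportAgent |
    Where-Object { $_.Identity -like "*Filter*" -or $_.Identity -like "*Reputation*" } |
    Format-Table Identity, Enabled, Priority

# Connection Filtering: consult an external IP block list for every SMTP connection.
Add-IPBlockListProvider -Name "Example DNSBL" -LookupDomain "dnsbl.example.invalid" -AnyMatch $true

# Sender Filtering: refuse messages that arrive with a blank MAIL FROM.
Set-SenderFilterConfig -BlankSenderBlockingEnabled $true -Action Reject

# Recipient Filtering: reject mail to non-existent recipients during the SMTP
# session (requires EdgeSync so the Edge server knows the valid recipient list).
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# Sender ID Filtering: reject senders whose SPF record marks the source as spoofed,
# but only stamp the status when the DNS lookup fails temporarily.
Set-SenderIDConfig -SpoofedDomainAction Reject -TempErrorAction StampStatus

# Content Filtering: act on the Spam Confidence Level (0-9) in stages:
# quarantine at 6, reject at 7, silently delete at 9.
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -QuarantineMailbox "spam-quarantine@contoso.com" `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9

# Sender Reputation Filtering: block senders whose reputation level reaches 7
# for 24 hours, including those detected as open proxies.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 `
    -SenderBlockingPeriod 24 -OpenProxyDetectionEnabled $true

# Attachment Filtering: strip executables instead of delivering them.
Set-AttachmentFilterListConfig -Action Strip
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName

# Review the resulting content filter settings.
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
```

Start with the quarantine and reject thresholds high and lower them only after reviewing the quarantine mailbox, since every false positive at the reject or delete stage is mail the recipient never sees.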

Configuring Secure SMTP Messaging

You can configure secure SMTP messaging by using several options such as IPSec, VPN, TLS, and S/MIME.

S/MIME is a client-based encryption and signing protocol that provides end-to-end security, from the sending mailbox to the receiving mailbox. Unlike session-based transport-layer protocols such as TLS, S/MIME keeps the message encrypted and signed while it is at rest in the mailbox. Even administrators cannot decrypt it unless they hold a digital certificate and private key that allow them to do so. By implementing S/MIME, you can perform the following tasks.

  • Use digital signatures as a way to prove to your communication partners that the content was not altered.
  • Authenticate the message sender. The digital signature proves that the message can only come from the user with the appropriate private key.
  • Encrypt messages to prevent accidental content disclosure.

Exchange Server 2010 also includes the Domain Security feature, which provides a relatively low-cost alternative to S/MIME or other message-encryption solutions. It uses mutual TLS, where each server verifies the identity of the other server by validating the certificate that the other server presents. It gives administrators an easy way to manage secured message paths between domains over the Internet: all connections between the partner organizations are authenticated, and all messages are encrypted while in transit on the Internet.
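The following is an added example, not from the original post, of the Exchange Management Shell steps that turn on Domain Security for one partner domain; the domain names (contoso.com local, fabrikam.com partner), the certificate subject, and the connector names are assumptions.

```powershell
# Added example (not from the original post). Assumes contoso.com is the local
# organization, fabrikam.com the partner, the Internet Send connector is named
# "Internet" and the Edge Receive connector "Default internal receive connector";
# replace these with your own names.

# 1. The certificate the partner validates must be issued by a CA the partner
#    trusts, carry the SMTP FQDN in its subject, and be enabled for SMTP.
#    (Run on the Edge Transport server.)
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*mail.contoso.com*" -and $_.Status -eq "Valid" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 2. Declare the partner domains for which mutual TLS is mandatory in each
#    direction. Run on a Hub Transport server; EdgeSync replicates the lists.
Set-TransportConfig -TLSSendDomainSecureList fabrikam.com -TLSReceiveDomainSecureList fabrikam.com

# 3. Require Domain Security on the connectors that carry partner mail.
#    The Send connector must use DNS routing (not a smart host) and must not
#    skip STARTTLS, or the mutual TLS handshake never happens.
Set-SendConnector -Identity "Internet" -DomainSecureEnabled $true `
    -DNSRoutingEnabled $true -IgnoreSTARTTLS $false
Set-ReceiveConnector -Identity "Default internal receive connector" `
    -DomainSecureEnabled $true -AuthMechanism TLS

# 4. Push the transport configuration to the Edge server and verify it.
Start-EdgeSynchronization
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector "Internet" | Format-List DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS
```

Once a domain is on the TLSSendDomainSecureList, mail to it is queued rather than sent if the partner's certificate cannot be validated, so coordinate certificate renewals with the partner before the old one expires.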

Configuring Federated Security

Federated Sharing uses standard federation technologies to allow organizations to establish trusted relationships with each other. In Exchange Server 2010, you use the Microsoft Federation Gateway to establish the federation. The Microsoft Federation Gateway is an identity service that runs over the Internet and works as a trust broker for Federated Sharing.

By using federation trusts, organization identifiers, organization relationships, and sharing relationships, you can ensure that availability information and messages exchanged between trusted organizations are shared securely.

In a Federated Sharing scenario, each organization needs to manage only its own trust relationship with the Federation Gateway and its own user accounts. After the organization establishes the trust relationship with the Federation Gateway, you can configure the other trusted organizations with which you want to share information, and the types of information that you want to share.
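The following Exchange Management Shell sequence is an added example, not from the original post, showing the single gateway trust followed by a per-partner organization relationship; the certificate thumbprint variable, the domains (contoso.com local, fabrikam.com partner), and the test user are assumptions.

```powershell
# Added example (not from the original post). Assumes the federation
# certificate is already installed and its thumbprint is in $thumbprint,
# that contoso.com is our accepted domain and fabrikam.com is the partner.

# 1. One trust per organization, with the Microsoft Federation Gateway only.
New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint $thumbprint

# 2. Prove domain ownership: publish the returned value as a DNS TXT record
#    for contoso.com before the next step will succeed.
Get-FederatedDomainProof -DomainName contoso.com

# 3. Bind our organization identifier (account namespace) to that trust.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" `
    -AccountNamespace contoso.com -Enabled $true

# 4. Per partner: discover its federation settings through the gateway and
#    create an organization relationship that shares free/busy only, at the
#    chosen level of detail (no mailbox access is granted).
Get-FederationInformation -DomainName fabrikam.com |
    New-OrganizationRelationship -Name "Fabrikam" -FreeBusyAccessEnabled $true `
        -FreeBusyAccessLevel LimitedDetails

# 5. Verify the trust and the relationship before announcing it to users.
Test-FederationTrust -UserIdentity user@contoso.com
Get-OrganizationRelationship "Fabrikam" |
    Format-List DomainNames, TargetAutodiscoverEpr, FreeBusyAccessEnabled, FreeBusyAccessLevel
```

Note that the relationship is one-directional: the partner must create a matching organization relationship pointing at contoso.com for its users to see your availability data.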

This entry was posted in Exchange Servers.
