Protect IM with Microsoft Forefront Security for Office Communications Server
Mike Chan, Sr. Product Manager, Microsoft
SIA317
Agenda
Business Ready Security
Product Features
OCS Integration
Installation, Configuration and Support
Performance
Business Ready Security
Help securely enable business by managing risk and empowering people
Highly Secure & Interoperable Platform
Identity: integrate and extend security across the enterprise
Protect everywhere, access anywhere
Simplify the security experience, manage compliance
From: Block, Cost, Siloed
To: Enable, Value, Seamless
Forefront Security for OCS: Updated Release Information
Support for OCS 2007 R2 in the first release of FSOCS
FSOCS RTM launched mid-March
Aligned with OCS 2007 R2
Not a part of "Stirling"
No centralized management
Forefront Security for Office Communications Server Objectives
Complement and deepen the security in OCS
Detect and remove malware from IM message content and transferred files
Set controls on content distributed via IM
Integrate with OCS 2007 and R2
Provide IM security while supporting real-time performance
Report on FSOCS health and activity
Securing IM within OCS
FSOCS provides content filtering and AV scanning of all IM activity, including:
IM message content
Group IM
IM with external users
IM-based file transfers
IM routed through the Standard and Enterprise Editions
Securing IM in OCS 2007: External Users
FSOCS secures IM and transferred files for external OCS users:
Federated organizations
Public IM networks such as AOL, Yahoo and MSN
Remote users with an identity in Active Directory who are not connected through a VPN
Key IM Security Features
Capabilities are similar to other Forefront Server Security products:
Malware/virus scanning
File filtering
Keyword filtering
Domain/address filtering (content filtering)
However, there are specific ways these features are applied over IM protocols.
Securing IM in OCS: IM Keyword Filters
Keyword filters are applied to IM message content and text-based transferred files
Applied to Inbound, Outbound or Internal IM
Triggers one of these actions:
Skip: detect only
Block
Admins can identify users who should be excluded from keyword-rule scanning through Sender/Recipient Allow Lists
Securing IM in OCS: Prevent the distribution of malware through IM
Optimal detection of IM-based malware through scanning with multiple antivirus engines
Detection of malware in both IM message content and IM-based file transfers
5 AV engines can be enabled simultaneously
Intelligent engine manager
Bias settings
IM Scan Job
Automated signature updates (24x7)
Securing IM Message Content
IM is transported through the following protocols:
Session Initiation Protocol (SIP)
Session Description Protocol (SDP)
SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE)
Office Communicator (OC) uses SDP to establish the content type used within an IM session
Known (supported) content types are parsed for keywords
OC 2007 and OC 2007 R2 default content type is RTF
OC 2005 default content type is Plain Text
HTML is a supported content type in OC 2007 R2
All content types are scanned for viruses; this includes new content types available in OC 2007 that are scanned by default:
Ink Serialized Format (ISF) / Graphics Interchange Format (GIF) generated from Tablet PCs
Other content types that can be generated by custom-built IM clients using the UCC SDK
Reg keys allow admins to block ISF or unknown content types
Securing IM-Based File Transfers
IM-based file transfers occur as a peer-to-peer file copy transaction between two clients
FSOCS monitors the SIP messaging used to negotiate a file transfer and redirects the file to the FSOCS server
If the connection necessary to transfer files between internal and external users is successfully made, IM-transferred files will be protected at the Edge as well.
Additional Content Controls
Domain/Address Filtering can block IM based on the SIP URI or domain of the sender or recipient
Wildcards allow blocking by domain, for example *@unknown.com
Individual SIP URIs can be specified to block at the user level
Both Keyword and File Filters can be bypassed for senders and recipients identified in configurable list(s) of SIP URIs.
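An added example, not part of the deck or of the FSOCS product code, modelling how the controls on this slide combine: Domain/Address Filtering with wildcard domains, keyword rules scoped to Inbound, Outbound or Internal IM with the Skip (detect only) or Block action, and the SIP URI bypass list that exempts users from keyword filtering but not from address filtering. The internal domain, addresses, keywords and rules are constructed sample values.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample values: internal SIP domain, block patterns and rules.
INTERNAL_DOMAINS = {"contoso.com"}

@dataclass
class Policy:
    blocked_addresses: list   # SIP URIs or wildcards such as "*@unknown.com"
    keyword_rules: dict       # lowercase keyword -> (action, directions it applies to)
    filter_bypass: set        # lowercase SIP URIs exempt from keyword (and file) filters

POLICY = Policy(
    blocked_addresses=["*@unknown.com", "badguy@partner.example"],
    keyword_rules={
        "project falcon": ("Block", {"Outbound"}),                # stop leaks only
        "salary": ("Skip", {"Inbound", "Outbound", "Internal"}),  # detect only
    },
    filter_bypass={"legal@contoso.com"},
)

def direction(sender: str, recipient: str) -> str:
    """Classify an IM as Internal, Outbound or Inbound from the SIP domains."""
    s_int = sender.split("@")[1].lower() in INTERNAL_DOMAINS
    r_int = recipient.split("@")[1].lower() in INTERNAL_DOMAINS
    if s_int and r_int:
        return "Internal"
    return "Outbound" if s_int else "Inbound"

def evaluate(policy: Policy, sender: str, recipient: str, body: str):
    """Return (verdict, reason). Address filtering runs first and is not
    affected by the bypass list; keyword rules fire only for their directions."""
    for pattern in policy.blocked_addresses:
        if any(fnmatch(uri.lower(), pattern.lower()) for uri in (sender, recipient)):
            return "Block", f"address filter matched {pattern}"
    if {sender.lower(), recipient.lower()} & policy.filter_bypass:
        return "Allow", "sender or recipient on filter bypass list"
    d = direction(sender, recipient)
    detected = []
    for keyword, (action, scopes) in policy.keyword_rules.items():
        if d in scopes and keyword in body.lower():
            if action == "Block":
                return "Block", f"keyword '{keyword}' blocked on {d} IM"
            detected.append(keyword)   # Skip: record the hit, let the IM through
    if detected:
        return "Allow", f"{d} IM, detect only: {', '.join(detected)}"
    return "Allow", f"{d} IM, clean"
```

The same keyword is allowed between two internal users but blocked when the IM leaves the organisation, which is the "different policies for internal and external users" scenario from later in the deck.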
IM Notifications
Notifications are sent when users attempt to send malware, designated file types, or out-of-policy keywords
IM notifications can be configured separately for internal and external users
IM admin receives e-mail
Sender (and Recipient if desired) receive an IM communication
Configuring Admin Notification
User IM Notification
Securing IM in OCS 2007: Configuration Scenarios
Block IM from a problematic domain at the Edge
Use the Content Filtering feature of FSOCS when deployed on the Edge to block a domain, for example "*.unknown.com"
Configure different policies on IM message content for internal and external users
Keyword filter lists can be enabled for Inbound, Outbound or Internal applicability
Block external file transfers
Filters list the file types to be blocked and use real file detection
A filter can block Inbound <in> or Outbound <out> file transfers
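An added example, not from the deck or the product, of the file-filter behaviour described in the last scenario: the block decision is taken on the real file type detected from the leading bytes rather than on the file name, and each blocked type is scoped to Inbound and/or Outbound transfers. The signatures are well-known magic bytes; the filter list and the sample payloads are constructed.

```python
# Well-known leading-byte signatures for a few file types (constructed table,
# not the product's detection database).
SIGNATURES = {
    "exe": (b"MZ",),
    "zip": (b"PK\x03\x04",),
    "gif": (b"GIF87a", b"GIF89a"),
    "rtf": (b"{\\rtf",),
    "pdf": (b"%PDF-",),
}

# Constructed filter: blocked real type -> transfer directions it applies to.
FILE_FILTER = {
    "exe": {"Inbound", "Outbound"},   # executables never cross the Edge
    "zip": {"Inbound"},               # archives blocked only when received
}

def detect_type(data: bytes) -> str:
    """Identify the real file type from its first bytes; 'unknown' if no match."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return "unknown"

def file_transfer_verdict(filename: str, data: bytes, direction: str):
    """Return (verdict, reason) for one IM file transfer. The decision uses the
    detected type, never the extension, so a 'report.txt' that starts with MZ is
    blocked; the extension is only reported to help an admin investigate."""
    real = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    scopes = FILE_FILTER.get(real, set())
    if direction in scopes:
        note = " (extension mismatch)" if ext != real else ""
        return "Block", f"real type {real}{note}"
    return "Allow", f"real type {real}"
```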
Configuring FSOCS (demo)
Mike Chan, Senior Product Manager, Microsoft
OCS Integration
Technical Integration with OCS
Integrates with OCS as a critical app
Hooks into the SIP messaging stream used to transport IM messages between user end points
Supports all OCS server roles and topologies that manage IM:
Standard Edition; Enterprise Edition: Front End, Director and Access Edge server roles
Applies a message stamp so IM message content and transferred files are only scanned once, for efficient processing
System Requirements: FSOCS Deploys On Communication Servers
FSOCS supports the same server requirements as the OCS server it is deployed with
For OCS 2007 deployments:
Minimum: Windows Server 2003 SP1
Recommended: Windows Server 2003 R2
Support for 64-bit versions: 64-bit hardware with WOW64 mode on the 64-bit edition of Windows Server 2003 SP1 and above
For OCS 2007 R2 deployments:
64-bit hardware only
WS 2008, WS 2003, WS 2003 R2
[Diagram: Standard Edition Integration. Labels: Server Boundary, Process Boundary, OCS Server, IM, FSOCS RTCProxy, IPC, FSOCS FSCController, FSOCS IM Scan Job with AV engines, FSOCS IM Notification Agent, Notify.]
All IM Activity Is Routed Through An Instance of OCS Communications Server
Clean IM messages and files are stamped and routed forward through OCS
Infected IM is blocked and optionally Quarantined by FSOCS
Notification of the Action is sent to the Sender and optionally the Administrator
FSOCS Admin Console
The FSOCS Admin Console can deliver items from Quarantine
[Diagram: Enterprise Edition Integration, with FSOCS installed. Labels: Client, Hardware Load Balancer, OCS Server Pool, OCS Back End SQL Server; per Enterprise Edition server (Process Boundary): OCS Server, FSOCS RTCProxy, IPC, FSOCS FSCController, FSOCS IM Scan Job with AV engines, FSOCS IM Agent, IM.]
Securing Instant Messaging (demo)
Mike Chan, Senior Product Manager, Microsoft
Installation, Configuration and Support
[Diagram: Enterprise Edition Topologies. External users (Public IM Networks, Remote User, Federated (Trusted) Organization) connect through the Perimeter Network (Access Edge Server) to the Internal Network (Director Server, Front-End Server); remote users may also connect via VPN.]
Enterprise Edition Topologies
FSOCS scans IM messages and file transfers flowing through OCS, protecting each instance of a Standard Edition, Front End, Director and Access Edge server role.
FSOCS Installation: Overview
Single installer for all server roles
o Includes option to deploy the Administrative Console
o Silent install is not currently supported
Installable profanity lists are in a separate MSI named "KeywordInstaller.msi", found in the "Program Files\Microsoft Forefront Security\Office Communications Server" folder after FSOCS is installed
Templates are supported for the following: IM Scan Job, Scan Engines, Notifications, File and Content Filtering Settings
FSOCS Installation: Deploying on Different OCS 2007 Server Roles
FSOCS searches the registry for an OCS 2007 key
Reg Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Real-Time Communications\{92AC8981-AAD9-4391-8563-92E558EEF4C6}\Server
Possible values:
SE: Standard Edition
EE: Enterprise Edition
PROXY: Proxy Server
AP: Edge Server
If an Enterprise Edition server role is detected (EE), the user can identify that the install is occurring on a Director server role
FSOCS Installation: Install Credentials and Requirements
Server and IM notification accounts are required for installation of FSOCS and have different requirements and validation checks
Access Edge is typically installed in the perimeter network as a non-domain server with no AD access
FSOCS on Access Edge will run with local admin entitlements
On Front End, Director and Standard Edition, core services run under an account with both local and domain-level entitlements
There are separate requirements for the IM Notification Agent
On Access Edge, the service account must have the following privileges; if these privileges are not enabled for the account at the time of install, the FSOCS installer will enable them automatically:
"Logon As Service"
"RTC Server Applications" local security group
"RTC Server Local Group" local security group
"Performance Monitor Users" local security group
Standard Edition, Front End or Director role requirements; if not already enabled, the following privileges will be added to the server account at time of install:
"Logon As Service"
"RTC Server Applications" local security group
The service account specified must already be a member of the following domain groups:
"RTCUniversalServerAdmins" and "RTCProxyUniversalServices"
FSOCS Installation: IM Notification Agent Credentials
The following information is required:
Username: user account prefixed with the domain. On Access Edge, this is a local user prefixed with the computer name
Password: password of the user account, for either the domain or the local computer
Transport: the protocol used to communicate from the IM Notification Agent to OCS 2007; TLS is recommended as this is a secure, encrypted protocol
SIP URI: the SIP URI used by OCS 2007 to uniquely identify a user. It can be found in AD in <msRTCSIP-PrimaryUserAddress>
Home Server: every OCS user is associated with a home server or pool. This can be found in AD in <msRTCSIP-PrimaryHomeServer>
On the Front End, Standard Edition and Director servers, the SIP URI and Home or Pool Server will be pre-populated. The User, SIP URI and Home/Pool Server will be validated
On the Access Edge server role, the installer cannot access AD to pre-populate or validate any credentials
If user/server information has been entered incorrectly, errors will be generated in the Application Event log from the "ForefrontNotificationAgent" source with "error occurred logging in to server" in the description.
FSOCS Configuration on OCS 2007 Enterprise Edition Roles
Available on all supported EE server roles:
DisableMessageStamp (DWORD value), default = 0
MessageOverloadWatermark (DWORD value), defaults: 1,000 for Access Edge, 3,000 for Director, 10,000 for Front End
Access Edge and Director server roles:
FileScanningDisabled (DWORD value), default = 0
Available on the Access Edge server role:
FileTransferStartPortRange (DWORD value), default = 6891
FileTransferMaxPorts (DWORD value), default = 10
FSOCS Support and Troubleshooting – Perf Counters
There are 4 categories, all prefixed with "Microsoft FSOCS":
Microsoft FSOCS Categorizer
Microsoft FSOCS Health
Microsoft FSOCS Scan Filter
Microsoft FSOCS SIP Traffic
Administrators should monitor counters to understand queue length and IM processing time:
RTC Proxy Health: Queue Length
RTC Proxy Scan/Filter Results: Average Processing Time
FSOCS Configuration Support and Troubleshooting – Diagnostic Tools
Run FSCDiag.exe, located in Program Files\Microsoft Forefront Security\Office Communications Server
This generates ForefrontDiag*.zip, located in Program Files\Microsoft Forefront Security\Office Communications Server\log\Diagnostics
Diagnostic-level logging can be kept on continually: select IM Diagnostics in the General Options settings. This is costly in terms of log sizes and performance due to disk I/O
FSOCS Configuration Support and Troubleshooting – OCS Logs
Generating and collecting OCS logs:
Open the OCS MMC
Select your Enterprise Pool and right-click on it
Select "New Debug Session"
In the OCS Logging Tool, select:
"LcsServer" and enable "All Flags"
"ApiModule" and enable "All Flags"
"SIPStack" and enable "All Flags"
"InboundRouting" and enable "All Flags"
"MCUInfra" and enable "All Flags"
"MCUFactory" and enable "All Flags"
"UserServices" and enable "All Flags"
Click on "Start Logging"
Reproduce the issue you are noticing
Click on "Stop Logging"
Select "View Log Files" (keep everything on the list enabled)
Select "View" and a number of text files will open in Notepad
Collect the files from the directory specified in the logging tool (default: c:\windows\tracing)
Collect the OCS Event Logs to send to Microsoft
FSOCS Performance
Internally tested at 4000 users/server
Quad-Core Intel Xeon X3220 2.4 GHz processors, 4 GB of RAM and 150 GB SCSI drive (RAID0, DAS)

IM Usage Model
Profile | Conversations/day | Conversation Length (min.) | IM Sent/Minute | IM Rate / sec / 1000 users
Low | 7 | 120 | 2 | 20
Medium | 14 | 120 | 2 | 40
High | 24 | 120 | 2 | 67
Max Supported Users* | 24 | 20 | 1 | 6

Setting | Value
Average number of contacts | 50
Max number of contacts | 100
Average groups per user | 10
Max groups per user | 25
FSOCS Performance
Setting | Minimum | Recommended | Maximum
Scanning Processes | 2 | 1 x # of cores | 25
Memory (additional to OCS) | 200 MB x # of scanning processes | 600 MB x # of scanning processes | N/A
Measurement: IM Processing Time and Processor Utilization (%)
Profile | IM Processing Time (Average) | Processor Utilization Avg. | Processor Utilization Max
No File Transfer | 0.005 | 47.2 | 63.8
With File Transfer | 0.005 | 43.5 | 51.6

Measurement (4000 users): Messages/sec, Memory Utilization, Processor Utilization (%)
Profile | Messages/sec Avg. | Messages/sec Max | Memory Avg. | Memory Max | Processor Avg. | Processor Max
OCS 2007 R2 (baseline) | 280 | 300 | 1.4 GB | 1.5 GB | 9.2 | 14.9
FSOCS (3 engines: CA, VBuster, MSAV) | 282 | 329 | 2.7 GB | 2.9 GB | 36.8 | 42.0

Measurement (3000 users): Messages/sec, Memory Utilization, Processor Utilization (%)
Profile | Messages/sec Avg. | Messages/sec Max | Memory Avg. | Memory Max | Processor Avg. | Processor Max
OCS 2007 R2 (baseline) | 210 | 232 | 1.1 GB | 1.2 GB | 6.8 | 12.9
FSOCS (MSAV Only) | 210 | 226 | 2.0 GB | 2.8 GB | 20.2 | 26.0
FSOCS (3 engines: CA, VBuster, MSAV) | 210 | 225 | 2.6 GB | 2.9 GB | 29.2 | 33.8
FSOCS (Default Configuration) | 209 | 231 | 2.8 GB | 3.0 GB | 20.7 | 24.2
Case Studies
Sporton International
International certification company based in Taiwan
“We couldn’t find a solution to protect Office Communications Server…. Our only recourse was to build our own, requiring painstaking and time-consuming work… Deployment took less than 20 minutes. Protection was immediate.”
David Feng, IT Director, Sporton
Cut the cost of managing IM security by 50% and reduced viruses by 20% with FSOCS
Convergent Computing
IT consulting firm
“From research to maintenance, Forefront Security for Office Communications Server saves the company time, and ultimately money.”
Rand Morimoto, President, Convergent Computing
Using FSOCS on OCS 2007 R2 Enterprise Edition internally across 6 servers for federated users and public IM
Deployed to pharmaceutical and State of California customers with tens of thousands of users to address compliance concerns
Securing IM with FSOCS: Summary
Part of the Forefront Security Suite and Microsoft Enterprise CAL
Deploy FSOCS with every OCS and OCS R2 deployment!
A public forum on Microsoft TechNet is available:
http://social.technet.microsoft.com/Forums/en-US/forefrontOCS/threads/
Question & Answer

Resources
www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources
Related Content
SIA318 – Protection : Next Generation of Messaging and Collaboration
SIA319 – Protection : Targeting Spam with Microsoft Forefront
SIA01-INT – Next Generation Messaging and Collaboration Protection Drilldown
SIA11-HOL – Overview of Microsoft Forefront Code Name “Stirling” (Beta)
SIA13-HOL – FSE Beta 2 (AntiSpam and AntiMalware)
SIA14-HOL – FSSP Beta 2 (AntiMalware)
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.