Overview of Services and Features in FOPE
Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu, Forefront Online Protection for Exchange
Topic Last Modified: 2012-07-11
Microsoft® Forefront® Online Protection for Exchange (FOPE) is a fully hosted email filtering service that helps protect your organization against spam, malware, and policy violations. FOPE also helps simplify the management of your email environment and can alleviate many of the burdens of software and hardware maintenance.
FOPE can be used in a standalone environment to protect inbound and outbound email for customers using any on-premises SMTP mail transfer agent. FOPE is also the default messaging security solution for Exchange Online customers. This guide describes the features of FOPE for both standalone and Exchange Online customers. For information about the differences in FOPE feature availability between the various Microsoft email hosting options, see Feature Set Comparison for FOPE Deployments.
This guide will also introduce you to the FOPE Administration Center, a Web-based management tool that lets you customize your FOPE service to meet the specific needs of your organization. FOPE provides reporting capabilities and end user quarantine functionality, and it lets administrators configure company-wide, domain-level, and user-based settings. When you make changes to your services in the Administration Center, the changes are typically saved and replicated in all data centers within 30 minutes.
The following documentation will help orient you to FOPE and become familiar with its capabilities:
Understanding Antivirus Protection – Gives you an overview of the antivirus protection available with FOPE and describes its layered defense.
Understanding Policy Enforcement – Provides you with a conceptual overview of policy rules in FOPE.
Understanding Antispam Protection – Helps you understand the anti-spam features in FOPE, including spam quarantine, connection analysis, and additional anti-spam features.
Understanding Directory Based User Management – Discusses how users are added to and managed in FOPE.
Understanding Disaster Recovery – Describes FOPE’s disaster recovery capabilities, including how long messages are spooled and queued.
Understanding Additional Subscriptions with FOPE – Provides brief introductions and links to more information about the Exchange Hosted Archive (EHA) and Exchange Hosted Email Encryption services.
The services provided by FOPE easily work together and require little to no user-modification to be effective. Once you have activated your FOPE service by completing the FOPE setup and provisioning steps (as shown in FOPE Setup and Provisioning), FOPE blocks more than 98 percent of unwanted email and 100 percent of known viruses, reducing message traffic and improving the efficiency of your corporate messaging infrastructure.
The following diagram illustrates a typical FOPE setup you could use to protect your organization.
You can see inbound email messages prior to being filtered outside your organization as well as email messages leaving the organization after being filtered. About 90 percent of email sent to your organization is spam and is filtered out by the edge blocking automatically provided by FOPE. As a messaging administrator, you can use the Administration Center to fine-tune the filter settings to suit the needs of your organization. When FOPE catches junk messages, it delivers them to the End User Quarantine where either you or the organization’s employees can verify whether the messages are spam. Once FOPE has filtered out all the junk messages, it delivers the legitimate email messages to the intended recipients. FOPE filters inbound, outbound, and internal messages for spam, malware, and policy violations. Additionally, you can automatically encrypt email based on policy rule settings if you subscribe to the Exchange Hosted Email Encryption Service (see Exchange Hosted Email Encryption Service Subscription in FOPE for details). You also have the option to subscribe to the Exchange Hosted Archive (EHA) service, which provides an advanced message archiving and compliance system for email messages. See the Exchange Hosted Archive (EHA) User Guide for more information about EHA.
FOPE is powered by a global network of data centers, which are based on a fault-tolerant and redundant architecture, and are load-balanced both site-to-site and internally within each data center. These data centers are physically located worldwide. If a data center suddenly becomes unavailable, traffic is automatically routed to another data center without any interruption to service. Thousands of email servers across the network of data centers accept email on your behalf, providing a layer of separation between your servers and the Internet. Furthermore, Microsoft algorithms analyze and route message traffic between data centers to ensure the most timely and efficient delivery. Through this highly available network, Microsoft is able to deliver on its service level agreement of 99.999 percent uptime. This approach, built on a distributed server and software model, has proven successful in helping to protect our customers' corporate networks and email servers from common threats such as dangerous worms, denial-of-service assaults, directory harvesting, dictionary attacks, and other forms of email abuse.
FOPE has a guaranteed spam catch rate of over 98% and its layered, multiple engine approach effectively scans the remaining 2% of mail for malware before it reaches your organization. In addition, the FOPE configuration requires that you restrict your email servers to respond only to inbound requests from the FOPE network, making your incoming email safer. To help ensure privacy and message integrity, all messages processed by FOPE are encrypted using transport layer security (TLS). If the sending or destination email server is not configured to use TLS, FOPE automatically rolls over to delivery via SMTP. For information about filtering unwanted inbound bulk mail (such as advertisements and marketing emails), see Bulk Mail Filtering in FOPE
Organizations can also configure a number of advanced email scenarios, such as secure mail flow with trusted partners, by using FOPE connectors. You can use FOPE connectors to configure forced inbound and outbound TLS using self-signed or CA validated certificates. The FOPE connectors provide more control of email routing to enable cross-premises scenarios, such as the outbound smart host scenario, and the ability to configure FOPE to skip IP address filtering on inbound email sent from IP addresses specified in a safe list. You can also configure several hybrid mail flow scenarios where email is hosted partially in the cloud (Microsoft Exchange Online) and partially on-premises. In this scenario, you can use a single domain name for all mailboxes in both your on-premises Exchange organization and in the cloud. For more information about the various email flow scenarios that use FOPE connectors, see Using FOPE Connectors to Configure Advanced Email Flow Scenarios.
The network performance and spam and virus filtering effectiveness of the FOPE service are reinforced by financially backed service level agreements (SLAs). The SLAs include:
Policy filtering accuracy
Virus detection and blocking: 100 percent protection against all known email viruses
Spam effectiveness: capture of at least 98 percent of all inbound spam messages
False positive commitment of less than 1 in 250,000 messages
Network uptime: 99.999 percent
Email delivery: average delivery commitment of less than one minute
See Forefront Online Protection for Exchange: Overview to watch a video overview of FOPE.