Introduction to Forefront Security for Office Communications Server

 

Applies to: Forefront Security for Office Communications Server

Instant Messaging (IM) is easy to use, fast, and allows users to hold live "conversations" with their colleagues and exchange files quickly and easily. Unfortunately, its ease of use and speed also provide the perfect vehicle for the transfer and proliferation of viruses.

IM environments require an antivirus, file-filtering, and content-filtering solution that can prevent the spread of viruses by scanning all messages and file transfers in real time, with minimal impact on server performance or delivery times of messages.

Microsoft Forefront Security for Office Communications Server (FSOCS) provides real-time protection by scanning and filtering both instant messages and files transferred via IM.

FSOCS provides powerful features that include the following:

  • Antivirus scanning using multiple antivirus scan engines.
  • File filtering by file name, type, extension, or size.
  • Comprehensive notifications for the administrator, the message sender, and the message recipients.
  • Performance counters for FSOCS health and activity monitoring.
  • Keyword filtering for IM message content.

FSOCS provides powerful protection for your instant messaging servers and is the antivirus solution for OCS 2007 and OCS 2007 R2 environments.

Benefits of using multiple scanning engines

Antivirus vendors all try to release signatures as soon as possible, but with every virus threat there is variation between antivirus research labs in how quickly virus samples are obtained and analyzed and signatures are released. By using multiple antivirus scan engines, FSOCS customers realize the benefit of diversification. If all messages are scanned with five engines, it is more likely that one of the engines is equipped to handle a recently released virus than if only one antivirus engine were being used.

Scanning order

When FSOCS scans a file or a message, the following tasks are performed in the order listed.

Instant Messaging traffic tasks

  • Allowed sender-recipient scan—If the allowed sender-recipient list functionality is enabled, FSOCS compares the message sender's domain or address to the allowed sender-recipient list. If a message is from a domain or address in the allowed sender-recipient list, the message is delivered to the recipient, and the specified filtering tasks are bypassed. You can configure the allowed sender-recipient list to bypass keyword filters, file filters, and content filters. For more information, see FSOCS file filtering, FSOCS keyword filtering, and FSOCS content filtering.
  • Content filtering scan—When content filtering is enabled, FSOCS compares the message sender to the senders and the domains that are in the sender-recipient filter list in order to determine which filtering settings are applicable to the message. For more information, see FSOCS content filtering.
  • Keyword filtering scan—When keyword filtering is enabled, FSOCS searches the contents of the message for matches to items in keyword filter lists that have been created. For more information, see FSOCS keyword filtering.

File transfer traffic tasks

  • Worm purge—The contents of the file are compared to a list of known worms. For more information, see Purging IM messages and file transfers infected by worms.
  • File filtering—When file filtering is enabled, FSOCS compares the file transferred via IM to the file-filter list. The file-filter list enables you to search for files with a specific name, type, and size. For more information, see FSOCS file filtering.
  • Virus detection—FSOCS uses multiple virus scan engines in order to determine whether the file contains a virus. For more information, see FSOCS multiple scan engines.

Third-party file-level antivirus programs

If you use a third-party file-level antivirus program on a server containing FSOCS, you must ensure that the folders in which you installed FSOCS and the OCS folder itself are not scanned, in order to prevent corruption of FSOCS. These folders default to the following locations:

<drive>:\Program Files\Microsoft Forefront Security\Office Communications Server

<drive>:\Program Files\Microsoft Office Communications Server 2007

<drive>:\Program Files\Microsoft Office Communications Server 2007 R2

Roles supported

In addition to supporting the OCS 2007 and OCS 2007 R2 Standard Edition Server Role, FSOCS also supports the following OCS 2007 server roles, which are available in the Enterprise Edition.

Note

When IM with external users is supported, it is recommended that FSOCS be deployed on both the access edge and the director server roles. If either of these server roles is deployed within a server pool, FSOCS should be deployed on each instance of the access edge and director server roles as well.

  • Front End Server Role–This role is always present in Enterprise Edition topologies and is typically deployed within the internal network. It can exist as a single server instance, or as one of multiple front-end servers deployed within a pool of servers behind a hardware load balancer in Enterprise Edition deployment topologies. FSOCS should be deployed on each instance of an OCS front end server role. That means in a pool of six front end servers, FSOCS is deployed on each of them.
  • Access Edge Server Role–This role is necessary when the administrator wishes to allow external users to communicate with internal users. External users can be users of federated organizations or public IM networks, such as Yahoo!, AOL, or MSN. They can also be remote users with an identity in Active Directory who are communicating through OCS outside of a VPN. The access edge server role is deployed in the network perimeter, between an internal and an external-facing firewall. It can exist as a standalone server or as one of multiple access edge servers deployed within a pool of servers behind a hardware load balancer in the network perimeter in Enterprise Edition deployment topologies.
  • Director Server Role–This role is typically deployed in the internal network. Its purpose is to offload user authentication responsibilities from the front end server role. The director authenticates both internal and external users. It is optional, but highly recommended. It can exist as a standalone server or as one of multiple director servers deployed in front of a hardware load balancer in the Enterprise Edition deployment topologies.

For more information about OCS 2007 and OCS 2007 R2 server roles and deployment guidelines, see the OCS 2007 Planning Guide on the Office Communications Server site.

Message stamping

Instant messages can be routed through all of these server roles. In an Enterprise Edition topology with support for external users, an instant message is routed across multiple server roles as it makes its way from outside the enterprise, across the perimeter network to the internal network, and ultimately to the intended IM recipient. With FSOCS installed on each instance of the supported server roles, an IM message could potentially be scanned and filtered several times.

To avoid this scenario, FSOCS ensures that a Session Initiation Protocol (SIP) message and an IM-based file transfer only get scanned once. This is accomplished by applying a message stamp to the IM message content the first time an instance of FSOCS determines that the IM or file is clean and does not trigger any filtering rules.

For example, an IM message that is sent from an external, remote user to an internal user passes across the access edge server role. If that instance of FSOCS determines that the message is clean, contains no restricted keywords, and does not originate from a blocked sender, then the message is not scanned again when it passes across the front end server role that routes it to the intended internal recipient.

This message stamping behavior is enabled by default. If you want to disable this functionality (that is, have messages scanned by every instance of FSOCS they encounter), open the registry, and then navigate to the Forefront Server Security registry key in the following location:

HKLM\SOFTWARE\Microsoft\Forefront Server Security\Office Communications Server

Then, configure the following registry key setting:

DisableMessageStamp (DWORD value, default = 0)

File transfers

FSOCS scans for viruses and applies file filtering rules to IM-based file transfers that occur in the internal network between internal users.

FSOCS also scans for viruses and applies file filtering rules to IM-based file transfers between internal and external users. At least one access edge server role must be available in order to allow instant messaging with external users. Each instance of the access edge server role needs to have FSOCS installed.

In order to facilitate file transfers across the edge, the firewall should be configured to allow inbound connections to the Forefront application running on each edge server. The default ports are 6891 through 6900; however, these can be changed by configuring two registry values. To modify the range of ports, open the registry, and then navigate to the Forefront Server Security registry key in the following location:

HKLM\SOFTWARE\Microsoft\Forefront Server Security\Office Communications Server

Then, configure the following two registry key settings:

FileTransferStartPortRange (DWORD value, default = 6891)

FileTransferMaxPorts (DWORD value, default = 10)
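The listening range is not stored as a range: it is FileTransferMaxPorts consecutive ports starting at FileTransferStartPortRange, so any firewall rule has to be recomputed whenever either value changes. The PowerShell script below is an added example, not part of this documentation or the FSOCS product: it reads both values from the registry key named above (falling back to the documented defaults), validates the resulting range, and prints the netsh advfirewall command for the inbound rule. The registry path, value names and defaults are from this page; the assumption that the transfers use TCP, the function name, and the rule name are mine.

```powershell
# Added example, not part of the FSOCS documentation or product. Registry path, value
# names and defaults are from this page; TCP as the transport and the rule name are
# assumptions.
$fsocsKey = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Office Communications Server'

# Derive the listener range: FileTransferMaxPorts consecutive ports starting at
# FileTransferStartPortRange, falling back to the documented defaults (6891, 10).
function Get-FsocsFileTransferPortRange {
    param([string]$KeyPath = $fsocsKey)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $start = 6891
    $count = 10
    if ($null -ne $props.FileTransferStartPortRange) { $start = [int]$props.FileTransferStartPortRange }
    if ($null -ne $props.FileTransferMaxPorts)       { $count = [int]$props.FileTransferMaxPorts }
    $end = $start + $count - 1
    # A mis-set DWORD silently breaks external file transfers, so refuse nonsense values.
    if ($start -lt 1 -or $count -lt 1 -or $end -gt 65535) {
        throw "FileTransferStartPortRange=$start and FileTransferMaxPorts=$count do not describe a valid port range"
    }
    [pscustomobject]@{ StartPort = $start; EndPort = $end; Count = $count }
}

$range = Get-FsocsFileTransferPortRange
"FSOCS file-transfer range on this edge server: {0}-{1} ({2} ports)" -f $range.StartPort, $range.EndPort, $range.Count

# Build the inbound allow rule with netsh advfirewall, which ships with Windows Server 2008.
$ruleName  = 'FSOCS IM file transfer (inbound)'   # assumed name
$netshArgs = 'advfirewall firewall add rule name="{0}" dir=in action=allow protocol=TCP localport={1}-{2}' -f $ruleName, $range.StartPort, $range.EndPort
"Rule to apply: netsh $netshArgs"
# To apply from an elevated prompt on the access edge server, uncomment the next line.
# Start-Process -FilePath netsh.exe -ArgumentList $netshArgs -Wait -NoNewWindow
```

With the defaults the script reports 6891-6900 and a rule covering exactly those ten ports. Run it on every access edge server in a pool, because each instance reads its own registry; a port-based rule is used here only because the page does not give the Forefront executable path, and scoping the rule to that program would be the tighter choice where the path is known.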

When files are transmitted between two internal users via IM, an instance of the front end server role in an Enterprise Edition topology, or the Standard Edition server role, scans the file for viruses and applies the file filtering rules.

In an Enterprise Edition topology where access edge and director server roles are present, and the file transfer is between an internal and an external user, the server role that scans the file is dependent upon the direction of the file transfer. If the file is sent from an internal user to an external user (outbound), the file is scanned on the access edge server role. If the file is sent from an external user to an internal user (inbound), the file is scanned on the front end server role. Even though the file transfer can be scanned at different servers, FSOCS must always be installed on all front end server roles in order for file transfers to be protected.

The administrator can influence where outbound file transfers are scanned by disabling file scanning on either the access edge or director server roles. If the instance of FSOCS on the access edge server role has file scanning disabled, outbound file transfers are scanned on the director server role, if present. If the director server role is not present, or the administrator has disabled file scanning on both the access edge and director server roles, then the outbound file is scanned on the front end server role.

To disable scanning on the access edge or director server role, open the registry, and then navigate to the Forefront Server Security registry key in the following location:

HKLM\SOFTWARE\Microsoft\Forefront Server Security\Office Communications Server

Then, configure the following registry key setting:

FileScanningDisabled (DWORD value, default = 0)

Note

This is not available on the front end or Standard Edition server roles.
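Because FileScanningDisabled exists only on the access edge and director roles, and the outbound fallback order is access edge, then director, then front end, it is easy for outbound transfers to end up scanned on a different server than the one capacity and firewall planning assumed. The PowerShell script below is an added example, not from this documentation or the product: it reports every registry setting documented on this page against its default, flagging non-default values, and encodes the documented outbound fallback order as a function you can feed with the values collected from each role. Only the registry path, value names and defaults come from the page; the function and property names are assumptions.

```powershell
# Added example, not part of the FSOCS documentation or product. Registry path, value
# names and defaults are taken from this page; the function and property names are
# assumptions.
$fsocsKey = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Office Communications Server'

# Every setting documented on this page, with its documented default.
$documented = [ordered]@{
    DisableMessageStamp        = 0
    FileTransferStartPortRange = 6891
    FileTransferMaxPorts       = 10
    FileScanningDisabled       = 0
}

# Report each documented value: the effective value (explicit or default), whether it
# was set explicitly, and whether it differs from the default, so drift stands out.
function Get-FsocsSettingReport {
    param([string]$KeyPath = $fsocsKey)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $documented.Keys) {
        $current   = $props.$name
        $effective = $documented[$name]
        if ($null -ne $current) { $effective = [int]$current }
        [pscustomobject]@{
            Setting    = $name
            Default    = $documented[$name]
            Effective  = $effective
            Explicit   = ($null -ne $current)
            NonDefault = ($effective -ne $documented[$name])
        }
    }
}

# Outbound (internal to external) file transfers are scanned on the access edge unless
# its FileScanningDisabled is 1, then on the director if it is deployed and enabled,
# and otherwise on the front end. Pass $null for the director when that role is absent.
function Get-OutboundFileScanRole {
    param(
        [Parameter(Mandatory)][int]$AccessEdgeScanningDisabled,
        [nullable[int]]$DirectorScanningDisabled = $null
    )
    if ($AccessEdgeScanningDisabled -eq 0) { return 'Access Edge' }
    if ($null -ne $DirectorScanningDisabled -and $DirectorScanningDisabled -eq 0) { return 'Director' }
    return 'Front End'
}

# Run the report on this server. On the front end and Standard Edition roles, where
# FileScanningDisabled does not exist, it simply shows as the default.
Get-FsocsSettingReport | Format-Table -AutoSize

# Constructed scenarios covering the documented fallback order: both roles scanning,
# edge disabled with a director present, edge disabled with no director, both disabled.
Get-OutboundFileScanRole -AccessEdgeScanningDisabled 0 -DirectorScanningDisabled 0
Get-OutboundFileScanRole -AccessEdgeScanningDisabled 1 -DirectorScanningDisabled 0
Get-OutboundFileScanRole -AccessEdgeScanningDisabled 1
Get-OutboundFileScanRole -AccessEdgeScanningDisabled 1 -DirectorScanningDisabled 1
```

Run the report on each access edge and director instance (the values are per server, not per pool) and feed the observed FileScanningDisabled values into Get-OutboundFileScanRole; a result of Front End is only acceptable if FSOCS is installed on every front end server, which the page states is required in any case for file transfers to be protected.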

Additional documentation

The most current Microsoft FSOCS documentation is available at the Microsoft Forefront Security for Office Communications Server TechNet Library.