This week in New Orleans Microsoft is hosting its annual Worldwide Partner Conference. We made several announcements today at the conference about our identity and security solutions. This news is part of our Business Ready Security strategy to help both partners and customers 1) protect everywhere and access anywhere, 2) integrate and extend security across the enterprise, and 3) simplify the security experience and manage compliance.
Official names and pricing for “Stirling”
Forefront codename “Stirling” - the next generation of the Forefront Security Suite for integrated, comprehensive protection across endpoints, servers and the edge – will be officially known as Forefront Protection Suite (FPS).
FPS will include the products in the current suite, plus the Forefront Protection Manager (formerly known as the “Stirling” management console) and the Forefront Threat Management Gateway Web Security Service.
FPS pricing will remain the same as the current Forefront Security Suite and all of the component solutions will continue to be licensed on a subscription basis. They will also be available independently, with Forefront Protection Manager included. (Note that the Forefront Threat Management Gateway license is sold separately on a per processor basis.)
At WPC we are also announcing the following new product solution names:
· Forefront Endpoint Protection 2010 - current version is Forefront Client Security
· Forefront Protection 2010 for Exchange Server - current version is Forefront Security for Exchange Server
· Forefront Protection 2010 for SharePoint - current version is Forefront Security for SharePoint
· Forefront Online Protection for Exchange - currently called Forefront Online Security for Exchange
· Forefront Threat Management Gateway Web Security Service - the next generation of ISA Server 2006.
The new FPS solutions are currently in beta and final versions will ship over the course of the latter half of 2009 and the first half of 2010.
Public beta 2 of Forefront Unified Access Gateway
Forefront Unified Access Gateway beta 2 is available for download at www.microsoft.com/forefront. UAG provides secure, virtually anywhere access to messaging, collaboration and other applications, increasing productivity and policy compliance. UAG also extends the benefits of Windows DirectAccess across the enterprise, enhancing scalability, deployment and management.
Official name for “Geneva”
The three components of Microsoft “Geneva” – the upcoming open platform providing simplified user access and single sign-on for cloud and on-premises applications – have the following names:
· Active Directory Federation Services – formerly known as “Geneva” Server
· Windows Identity Foundation – formerly known as “Geneva” Framework
· Windows CardSpace – same as current version
At WPC partners will learn about how the solutions above offer tremendous opportunity to better meet the identity and security needs of customers...and to build their own businesses. Since announcing a $75 million investment in our partner ecosystem at WPC last year, we have seen very strong partner development and growth.
For example, we have seen a 50% increase in participation in the Security Software Advisors (SSA) program, which offers fees to partners who influence deployment. The Security Solutions Competency, which enables partners to differentiate themselves as experts, is one of the fastest growing competencies in Microsoft’s history and in the last year grew 46% in participation. This year we anticipate quadrupling the number of identity and security partners we support with training, marketing and customer engagement.
Microsoft has become aware of two interrelated issues affecting a Manual Scan in Forefront Security for SharePoint.
The first issue is a memory leak which occurs when Keyword Filtering is enabled. In all versions of Forefront Security for SharePoint prior to Service Pack 3, whether you have Keyword Lists created or not, you may experience this issue. If, however, you have Forefront Security for SharePoint with Service Pack 3 installed (released 7/1/2009), this issue will only occur if you have Keyword Lists created. If you do not have any Keyword Lists, even if Keyword Filtering is enabled for Manual Scan, you will not experience the leak. Real-time scanning is not affected by this issue.
The second issue may occur as a result of the first. After a period of time the memory leak can cause memory allocations to fail. If these failures occur repeatedly in a specific way, it causes Forefront Security for SharePoint to incorrectly determine a valid document as “exceedingly nested”. Every file that is scanned and determined to be exceedingly nested will be deleted and the contents replaced with standard deletion text.
Microsoft is actively working toward a resolution for these issues. An update will be posted as soon as more information becomes available. In the meantime, we recommend that any customers using Forefront Security for SharePoint that run a Manual Scan disable Keyword Filtering for Manual Scanning (for more information on configuring the Manual Scan job, see "Running the Manual Scan Job" in the FSSP User Guide http://technet.microsoft.com/en-us/library/bb795164.aspx). This is extremely important, as manual scanning of your entire document library opens the potential of losing any document content incorrectly identified as “exceedingly nested”. Please note that, by default, Keyword Filtering is enabled for the Manual Scan job.
Today we posted a white paper about the Microsoft antimalware engine strategy and changes beginning December 1, 2009. A summary is below - read the full document for a complete overview.
Forefront server security products - such as Forefront Security for Exchange, Forefront Security for SharePoint and Forefront Security for Office Communications Server - incorporate a multi-engine strategy, using both Microsoft and industry-leading security partner technology to consistently drive high detection rates. They also include an advanced multiple engine manager that allows customers to concurrently configure up to five engines. Using multiple scanning engines delivers several critical advantages:
Tests performed quarterly by the independent AV-Test.org group have shown that the multi-engine set for Forefront security products rates highest in response times for “in the wild” viruses and variants. We have found that having multiple engines consistently provides the highest detection rates against the competition, with an average response time of 3-6 hours for new viruses, versus competitive single-engine solutions whose average response times are more than 2-9 days (as noted in recent AV-Test.org data).
In order to further develop stronger technology relationships with our antimalware partners and ensure continued customer value for the longer term, we are standardizing on a set of five antimalware engines moving forward. We are confident that this solution will continue to provide equal or better detection rates and response times than the industry’s other leading solutions.
What does this mean for Microsoft and its customers? The current and next generation of Forefront server security products, including Antigen, will include five antimalware engines as part of an ongoing strategy to maximize and maintain our malware detection advantages, as well as make investments in other areas that will increase overall protection for our customers.
Customers will be able to take advantage of these new enhancements and engine changes after deploying the Antigen and Forefront service packs released on July 1, 2009. These service packs will allow customers to move to the new set of five engines as well as additional engine changes that Microsoft may release after December 1, 2009.
Many companies and IT leaders are eager to realize the benefits of cloud computing, but security is often a concern. For example, a recent study by Maritz Research found that 59% of IT leaders in the US rated security as the biggest risk with cloud.
As part of our Business Ready Security strategy, we are taking a comprehensive approach to security across on-site and cloud infrastructure. This encompasses protection, access and management, all built around user identity and integrated with a highly secure, interoperable platform for a broad set of partner solutions. (At the Worldwide Partner Conference on 7/13, we also announced the official names of the products comprising the Forefront Protection Suite, previously known as codename “Stirling”, in an effort to align our portfolio with this broader definition of security.)
We are delivering both standalone security services and security technologies within Microsoft’s cloud infrastructure. Forefront Online Protection for Exchange is an example of a standalone service solution, providing email security for both on-premise Exchange Server and Exchange Online (and other on-premise messaging systems). Another example is System Center Online Desktop Manager, available in beta by the end of the year. It is an integrated security and management tool that will provide desktop management capabilities in the form of an online service.
Identity is a core part of our strategy, because it allows for more contextual protection and access to information and resources. With our Forefront platform, on-premise identities, such as those in Active Directory, work with cloud services. That enables simplified, secure user access to applications, such as Exchange, regardless of where the application is hosted.
Forefront's identity provisioning/de-provisioning and access management empower customers to integrate their investments in Active Directory and existing identities with cloud infrastructure. And, with solutions like Rights Management Services, in the future customers will be able to enforce persistent, identity-based policies around data anywhere it is stored, sent, or accessed - including the cloud.
We are also providing fundamental identity components for Microsoft cloud services, such as the Azure Services Platform. The Microsoft Services Connector, for example, extends identities from on-premises systems to cloud services. The .NET Access Control Service issues and manages identity “claims.” Both are based on the next generation of Active Directory Federation Services, Windows CardSpace, and Windows Identity Foundation, which comprise an open platform for simplified user access that works across organization boundaries for on-premise and cloud-based applications. Beta 2 of all three components is currently available.
I’m very pleased to announce that today Forefront Unified Access Gateway Beta 2 is available for download from www.microsoft.com/uag. This beta release marks an important milestone in Microsoft’s remote access strategy as it brings together a host of access technologies into one environment.
Chances are you are reading this post from your laptop… and if you’re not currently outside of the corporate network, chances are you will be later today… You might be at home checking your email and getting some last minute work items done… That’s what UAG is all about! It’s about making sure that you, the user, remain as productive as you need to be regardless of what machine or network you are accessing from. Of course, it’s also about making sure that your company’s network and assets remain secure as you work remotely.
We know that when they say that “one size fits all”, it usually means that it fits some people well and the rest of us need to compromise. The same is true with remote access... Each technology is best suited for a different scenario/environment and the trick is to make sure you get the right one for the right task. A VPN client would be overkill for casual access from a kiosk or stealing a minute of time on your friend’s PC at home to check email… On the other hand, being limited to web-access only from your corporate laptop will leave you unfulfilled and wanting more. Unfulfilled, in this case also means: unproductive. That said, having multiple methods of remote access also translates to multiple $$$’s. Each environment needs to be well-managed, supported, scaled, etc. No less important is that each user needs to remember which environment is best to use in which scenario to easily achieve productivity. This means you’re doing less with more and that’s not good… and not just in this economy.
So here’s how UAG solves the problem…. It brings together a variety of remote access technologies such as DirectAccess, SSL VPN, Remote Desktop, web publishing, etc. under one roof and one user/admin experience. This way, administrators can easily roll out access to every type of user (employees, partners, etc.) from virtually every location (corporate laptop, home PC, borrowed PC, kiosk, PDAs, etc.). Users, in turn, get a simple and straightforward experience that adapts to the level of security of the device they are using. If they come in from a corporate machine, they can get full connectivity through DirectAccess or, for down-level PCs, SSL VPN. If they come from home PCs or borrowed PCs, access policies will be tailored to their specific security. For instance, if they don’t practice safe computing and don’t have anti-malware software installed, running and up-to-date, UAG can decide to block access to uploads so no potentially harmful files will reach the network. If the user has an updated AV, we may allow uploads but consider blocking downloads based on whether or not the Endpoint Session Cleanup (formerly: Attachment Wiper) can run to clean up any residue or temp files.
The policy options are limitless but they are also simple. Built in policies and administrative wizards help guide through setting up SharePoint, Exchange, DirectAccess, Terminal Services and much more….
The features I’m most excited about in UAG are our enhancements for DirectAccess. DirectAccess is really the next step of remote access and provides the best user experience possible. Wherever you may roam, you are simply connected, always-on, to corpnet. There is no need to open a VPN client, wait for connectivity, etc… You simply log in and you are connected! What UAG brings to the table is a variety of capabilities to help simplify deployment and management, extend access to older servers and clients and grow the scale of the deployment. If you’re not yet looking at DirectAccess for your organization, you should…. And if you’re looking at DirectAccess you should look at UAG!
I could go on and on about the features and capabilities but why hear it from me?! Go and download the beta and see for yourself.
For more information you may want to try:
· The UAG engineering blog
· UAG website
· UAG TechNet Center
· DirectAccess site and UAG DirectAccess page.
Product Manager - UAG