This week we released an update to Forefront Online Protection for Exchange (FOPE) - our hosted service providing anti-malware and anti-spam for both on-premises Exchange and Exchange Online.  FOPE can be used as an alternative to the new Forefront Protection 2010 for Exchange Server, or in tandem with it for messaging defense-in-depth.

The new release of Forefront Online Protection for Exchange offers enhanced policy control capabilities (such as enhanced regular expressions support, custom dictionaries) for IT admins to more effectively adhere to compliance needs.  In addition, it supports advanced globalization/localization by supporting 13 languages in the Admin Console, in documentation and via telephone support. These enhancements were a direct result of feedback from Forefront Online Protection for Exchange customers, who expressed a need for more options when they created custom company policy rules for filtering, and more flexibility to manage these rules.

Additional enhancements with the new release:       

·         Policy rule syntax options: The new release provides the option to use either a basic syntax, which is a mixture of comma-separated values (CSV) and simple string-wildcard syntax or Regular Expressions.

·         New Policy Rules e-mail header match option: FOPE now allows you to match e-mails based on e-mail header name and value.

·         More flexibility for outbound forced TLS rules: The Policy Rules editor now offers a check box to enable Opportunistic TLS for recipients not specifically identified by the policy rule.  Custom policy rules filters now feature the following enhancements:

The ability to upload dictionaries of custom-created lists or content for use in policy rules

The ability to apply the dictionaries across multiple rules and domains

 

Today at our Professional Developers Conference Microsoft announced the availability of Windows Identity Foundation (WIF), a new extension to the .NET Framework that makes it easier for developers to create more secure applications with interoperable, identity-based access. 

The software and documentation are available here.  You can watch a video discussion about WIF on Channel 9 here.

WIF is ideal for both on-premises and cloud apps, and it ties closely to today’s launch of the Windows Azure, Microsoft’s cloud services platform.  As part of our open platform for simplified access to both on-premises and cloud applications (formerly known as codename “Geneva”,) WIF is a key element of how Microsoft is addressing customer needs around cloud security.   It also represents more progress for our Business Ready Security strategy.

Extending single sign-on from on-premises infrastructure to cloud applications is an important customer need, to simplify user login and ensure productivity. But the complexities of identity and access often block developers from quickly delivering this capability.  There are too many identity technologies to choose from.  Custom development of identity functionality is slow, expensive and requires developers to be identity and security experts. 

WIF changes this, by providing developers with a standard approach to building identity-based access into on-premises and cloud applications using the claims-based architecture.  It boosts developer productivity through a single, simplified identity model within familiar tools, such as .NET and Visual Studio. 

For example, Quest Software says it was able to reduce authentication/authorization development time by 80% using WIF for its new OnDemand IT management solution hosted on Windows Azure – announced today.  Quest OnDemand relies on ADFS 2.0 (beta) for authentication, too.

Online travel service leader Hogg Robinson in the UK is using WIF and ADFS 2.0, as well.  Lead architect Jon Simpson said the technologies "masked many complexities, yet offered extension points throughout the solution such that we could implement all of our requirements. We welcome this new, open approach from Microsoft.  We didn't have to compromise our solution anywhere!"

WIF enhances application security because it provides consistent, proven means for single sign on, federation, strong authentication and identity delegation.  With WIF developers don’t have to continually re-build authentication logic, and applications can call each other securely. And, because WIF allows developers to externalize identity logic from applications, re-coding is less likely to be required as identity needs change.

Additionally, WIF is based on industry standard protocols for interoperability across heterogeneous cloud and enterprise environments.

Complementing WIF are the upcoming Active Directory Federation Services 2.0 – a role in Windows Server that allows customers to extend their existing investment in identity infrastructure to cloud applications – and Windows CardSpace 2.0, which helps end users easily navigate multiple logins and manage different personas.

Today at the TechEd Europe conference, in conjunction with the launch of Exchange Server 2010, Microsoft launched Forefront Protection 2010 for Exchange Server.  The product and evaluation software is available now.

Part of our Business Ready Security strategy, Forefront Protection for Exchange (FPE) offers multiple anti-malware engines for 38 times faster detection than single engine solutions, and 99% guaranteed spam protection with only one in 250,000 spam false positives.  Customers also have the choice of using the hosted Forefront Online Protection for Exchange service, or both offerings together for defense-in-depth.

Like all of our Forefront solutions, FPE is designed to help companies balance the needs of business with security requirements.  Email is an extremely critical application, of course, and it presents challenges to both businesspeople and IT managers.  Employees (and non-employees) needs secure access to messaging and documents from anywhere, as well as a spam-free inbox and protection from malware.  On the other hand, IT must manage multiple sites and devices, ensure information protection and compliance, and ward off financially-motivated threats.

Combined with Exchange 2010 and other Microsoft identity and security technologies, FPE is part of Microsoft’s comprehensive solution for secure messaging.  (It’s worth watching a video presentation on the whole solution here, in fact.)

A reminder from the Forefront Server Security blog.

As we announced on July 1, 2009, Microsoft is revising its engine mix on Dec. 1, 2009 for the Forefront and Antigen products.  This change will allow customers to utilize a set of engines that help optimize detection, while also allowing us to invest in new areas for increasing overall protection for customers. 

Antimalware Protection

The AhnLab, CA, and Sophos engines will be retired on Dec. 1, 2009.  After December 1^st, customers will not receive any updates for these retired engines. In order to make sure your Antigen and Forefront products continue to scan efficiently and effectively for malware, any customers running the AhnLab, CA, or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman, and VirusBuster.

SPECIAL NOTE:  Antigen for SharePoint 8.0 and Antigen for Instant Messaging 8.0 customers – In order to gain access to the new engine set and provide optimal protection for your messaging and collaboration environments, please download the Service Pack 1 releases of these products on the MVLS or VLSC site prior to Dec. 1, 2009.  The updates for the new engine set will use a new update infrastructure as of Dec. 31, 2009 – the Service Pack 1 releases will allow you to continue to receive updates correctly from their new location. 

For more information about Service Pack 1 for Antigen for SharePoint and Antigen for IM, see the following KB article:

http://support.microsoft.com/kb/975850/

-          SPECIAL NOTE:  Antigen for Exchange 8.0 and Antigen for SMTP Gateways 8.0 customers –These products will end of life on Dec. 31, 2009.  Customers must upgrade to Antigen 9.0 SP2 for Exchange before this date, as the product will no longer continue to receive anti-malware updates starting Jan. 1, 2010.   With the retirement of the CA, Sophos, and AhnLab engines on Dec. 1, customers running Antigen for Exchange 8.0 or Antigen SMTP Gateways 8.0 will only be protected by the Norman engine.  For customers who need to continue using this product between Dec. 1, 2009 and the end-of-life date of Dec. 31, 2009, please contact Forefront Contract Administration for access to the revised engine set. 

For more information on upgrading your Antigen for Exchange 8.0 or Antigen for SMTP Gateways 8.0 to Antigen 9.0, see the following KB article:

http://support.microsoft.com/kb/932396/

Antispam Protection

One of the most important changes in our engine revision strategy is moving to the Cloudmark antispam engine*, which provides 99%+ detection rate and less than 1 in 250,000 false positives (West Coast Labs).

The Mail-Filters SpamCure antispam engine will be retired on Dec. 1, 2009. Customers using Antigen products for antispam protection must upgrade to the latest service pack releases listed below BEFORE DEC. 1, 2009 to maintain their antispam defenses.  This is the only way to gain access to the new Cloudmark engine.  The service packs can be accessed on the Microsoft MVLS and VLSC sites:

-          Antigen for Exchange Server with Antigen Spam Manager 9.0 with SP2

-          Antigen for SMTP Gateways with Antigen Spam Manager 9.0 with SP2

For more information on the engine revision strategy, see the Antimalware Engine Notifications and Developments Web page or contact Forefront Contract Administration .  Again, we strongly urge all customers to update to the newest service packs before Dec. 1, 2009 to get the full protection benefits of the Forefront and Antigen server products. 

*Please note:  Customers using Forefront Security for Exchange Server will get access to the Cloudmark engine in the next version release – Forefront Protection 2010 for Exchange Server – scheduled to be available in Q4 CY09. 

Brita Jenquin

Sr. Product Manager

If you are a Twitter fan, be sure to follow us at http://twitter.com/MS_Forefront !  Our own John "JG" Chirapurath, senior director in the MSFT Identity and Security Business Group, is leading the Forefront Tweet charge in his typically pithy way.  Come join the conversation about all things identity and security.   

Joel Sider