Forefront Team Blog

Required update for all AD RMS customers

Forefront Blogger — Tue, 09 Feb 2010 11:25:00 GMT

Important information for Active Directory Rights Management Services (AD RMS) customers!

Today Microsoft is releasing an update to AD RMS to completely remove the “application manifest expiry” feature. This update is particularly important for AD RMS customers using Internet Explorer, because the certificate for the RMA add-in for Internet Explorer will expire on February 22^nd. The RMA add-in for Internet Explorer allows users to view content with restricted permission in Internet Explorer. It is critical that these customers install the update before then, in order to avoid any issues accessing or protecting web-based content.

If AD RMS customers using IE do not install the update before February 22^nd, they will not be able to create or access protected content when using the following applications:

Outlook Web Access 2000, 2003, 2007
Word, Excel, Powerpoint web viewers
Any web-based application with protected content

All customers with client or server apps that use AD RMS will need to install the update as soon as possible. This update is available on Windows Update and here for Windows 7, Windows XP, Windows Server 2003, Windows Server 2008 R2. The update for Windows Vista and Windows Server 2008 is available for download here and will be available via Windows Update by Feb 23.

Once this update is applied and the manifest expiry feature is removed, the AD RMS aware applications (including Internet Explorer) will no longer need to renew their manifests. This will eliminate the possibility of manifest expiration. The change will be effective for both new as well as existing RMS products. Applications will still need to have a manifest and RMS Partner ISVs will still need to have a Microsoft issued production certificate for creating that manifest.

Application manifest expiry was a legacy feature in the original product that was intended to allow for more granular control of the applications that can access RMS protected content. The functionality this feature provided has since been subsumed by other features in AD RMS, such as Application Exclusion as well as Windows Software Restrictions Policies, which allow for controlling what applications can run in your enterprise. This approach puts the control in the hands of our customers and is therefore preferable to the original design. As a result of this update to the software, the application manifest expiry feature will no longer be required.

We're listening: Sending support requests from FOPE

Forefront Blogger — Tue, 02 Feb 2010 19:47:00 GMT

With the new 10.1 version of Forefront Online Protection for Exchange (FOPE) customers can submit technical support requests directly from the FOPE Admin Center site.

Support requests are typically responded to in less than 24 hours, depending on severity level. For details, see the New Features Guide and the 10.1 Admin Center Guide.

Customers have three ways of contacting support:

1. A “Get Help Now” link to the Microsoft Support request site now appears in the Administration Center on both the “Resources” page and the shortcut menu underneath authorized users’ logon names.

· This link will lead to the Microsoft Support home page. Here, authorized users can complete and submit support requests.

· Customers can also track the progress of all submitted support requests through “View Incidents” Link.

2. Telephone: For emergency or urgent support requests requiring faster turnaround. In the United States and Canada, call toll-free (866) 291-7726 or dial direct (204) 927-2299. Outside the United States, call the Universal International Free phone Number 800-0000-0060. Additional international support phone numbers are listed in the Resources tab of the administrative console.

3. Microsoft Premier Support: This service is for Microsoft Premier Support subscribers only and the process remains unchanged for premier customers. For more information about accessing Premier Support, go to the Microsoft https://premier.microsoft.com .”

Windows IT Pro mag on TMG: "A winner."

Forefront Blogger — Fri, 29 Jan 2010 00:04:00 GMT

Windows IT Pro magazine's Russell Smith posted a positive, in-depth overview of Forefront Threat Management Gateway 2010, called "Quickly Respond to Threats with Forefront TMG."

The article's intro:

Microsoft Forefront Threat Management Gateway (TMG) 2010 offers a dynamic response to security threats, providing a variety of security technologies such as anti-malware, firewall, and intrusion detection under one umbrella....

Forefront TMG Will Be a Winner
ISA has always provided the most complete protection for Microsoft products, and Forefront TMG builds on that foundation. Sys admins will warm to the improvements on the usability front from the outset, such as setup wizards and support for Server 2008’s NAP.

Softpedia interview with MSFT's Tony Trivison on RMS and data protection.

Forefront Blogger — Mon, 25 Jan 2010 21:38:00 GMT

Tech site Softpedia posted a great Q&A with Tony Trivison on the MS RMS team about how Active Directory Rights Management Services can help companies protect their sensitive data.

Here's Softpedia's intro below, but read the whole piece for the real scoop.

The beauty of Active Directory Rights Management Services is the way it spans across a range of Microsoft products. Companies that leverage the Windows client, Windows Server, and the Office productivity suite, but also Exchange Server 2010 can also seamlessly take advantage of AD RMS in order to ensure that their data is safeguarded. Of course Windows Server is the core component, which provides Active Directory and the associated Rights Management capabilities.

With AD RMS, Microsoft is tending to the needs of companies that regard information protection as a security priority. Whether it comes down to mobile and remote worker scenarios, or whether contractors or other unauthorized users have to be kept from accessing sensitive files, or in the eventuality of leaks and data breaches, or simply to protect innovation and intellectual property, the software giant has worked to provide customers with a solution. Of course, AD RMS is only a part of the company’s information protection technology vision, but a key aspect which should be strongly considered by firms looking to protect sensitive information.

Microsoft’s latest product releases, from the second half of 2009, or scheduled to be launched in H1 2010, including Windows Server 2008 R2, Windows 7, and Office 2010 are all designed to let customers benefit from the evolution of AD RMS. I had the chance to send a few questions to Tony Trivison, an exceptional source of insight into Active Directory Rights Management Services, particularly via the AD RMS team blog.

F5 Solution Optimizes Microsoft Forefront Unified Access Gateway 2010

Forefront Blogger — Tue, 05 Jan 2010 22:49:00 GMT

F5 Networks just announced availability of a new Application Ready Solution that provides high availability, improved performance and scalability for UAG.

The F5 Application Ready Solution for Microsoft Forefront UAG 2010 helps enterprise customers scale their UAG 2010 deployments. F5 delivers application-level optimization for servers hosting these remote access technologies.

"F5 is pleased to announce availability of the Application Ready Solution for Microsoft Forefront Unified Access Gateway 2010," said Calvin Rowland, VP of Application Partner Programs at F5. "As the mobile workforce grows, so does the need for organizations to deploy highly available and scalable remote access technologies to deliver business-critical applications to those users. With this addition to F5's extensive Application Ready Solution portfolio, we continue to demonstrate our deep and ongoing commitment to early solution design and qualification with Microsoft, ensuring that F5 solutions are available to customers at the same time that Microsoft products are delivered."

Deployment guidance for F5 and Microsoft solutions is located online at http://www.f5.com/solutions/applications/microsoft/.

Forefront Unified Access Gateway 2010 unleashed

Forefront Blogger — Fri, 18 Dec 2009 17:53:00 GMT

As previewed earlier this month, Forefront Unified Access Gateway (UAG) 2010 has been released to manufacturing. The evaluation software is now available here.

Part of our Business Ready Strategy, Forefront UAG enables organizations to give employees (and trusted partners and vendors) secure remote access to corporate resources. With its focus on application intelligence and granular access control, UAG is an ideal solution all of your remote access needs that provides centralized management and policy control across all users, devices, and network resources.

Building on its predecessor, Intelligent Application Gateway, UAG enables remote access via managed and unmanaged PCs and mobile devices. It integrates a deep understanding of applications, the health state of end user devices, and the user’s identity for greater security and reduced management costs.

While UAG provides a variety of connectivity options, such web publishing and SSL VPN tunnels, one of the best new features is UAG’s support and enhancements for Windows DirectAccess (DA). DA is the future of remote access allowing for seamless, always-on connectivity. Always-on keeps users happy as they are continually productive, but it also keeps administrators content as users are “always-managed.” UAG helps make DA deployments simpler, more extensible and easier to scale

The Solution Accelerator team has released a new guide for UAG which outlines the critical infrastructure design elements that are key to the successful implementation. Use this guide to shorten your Forefront UAG infrastructure planning and deployment time!

· Download the IPD Guide for Microsoft Forefront Unified Access Gateway.

· Visit the Forefront Unified Access Gateway page on TechNet to learn more.

VB100 for FCS and MSE

Forefront Blogger — Mon, 14 Dec 2009 21:26:00 GMT

Forefront Client Security received its 11th consecutive VB100 award for the December 2009 Edition of Virus Bulletin. Microsoft Security Essentials for consumers received its first VB100 award for its very first submission. In order to be awarded the VB100, a product must detect 100% of the "WildList" malware samples and not have any false positives on the Virus Bulletin clean file collection.

Details on the Forefront results are here (free registration required.)

Forefront Protection for Exchange white papers galore

Forefront Blogger — Fri, 11 Dec 2009 22:38:00 GMT

We've published the following white papers for deploying and managing the new Forefront Protection 2010 for Exchange.

Forefront Protection 2010 for Exchange Server Antispam Framework
This white paper discusses the new e-mail hygiene protection features available in the Forefront Protection for Exchange Server 2010 (FPE 2010), illustrates functionality available for protecting Exchange Server deployments at the FPE 2010 RTM time, and outlines integration with Exchange server features contributing to the Forefront antispam solution.
Forefront Protection 2010 For Exchange Server Antispam FAQ
Read this white paper to get answers to antispam questions related to Forefront Protection 2010 for Exchange Server.
Forefront Protection 2010 for Exchange Server
Read this white paper to learn how the Forefront Management Shell provides a fully scriptable interface into Forefront Protection 2010 for Exchange Server (FPE 2010). The FPE 2010 administrator console is implemented on top of the PowerShell interface, providing assurance that all functionality provided in the console is also implemented within PowerShell.
Forefront Protection 2010 for Exchange Server Scan Actions and Sequence
This white paper provides insight into the multi-engine antimalware scanning options, as well as the Forefront Protection 2010 for Exchange Server process sequence for malware scanning and filtering. Administrators can leverage this knowledge to maintain a secure and sophisticated messaging system.
Monitoring Forefront Protection 2010 for Exchange Server
Read this white paper to learn about changes to the different types of feedback and data provided by Forefront Protection 2010 for Exchange Server including new dashboard with health monitor, incident and quarantine records, expanded performance counters and e-mail notification improvements.

Microsoft to acquire Sentillion for improved healthcare through streamlined identity and access

Forefront Blogger — Thu, 10 Dec 2009 17:20:00 GMT

Today Microsoft's Health Solutions Group announced the acquisition of Sentillion, a company based in Andover, MA which provides healthcare industry solutions for context management, user provisioning and single sign-on (SSO).

The primary goal of the acquisition is to make it easier for healthcare professionals to deliver better patient care by streamlining access to multiple IT applications and patient data. By combining Sentillion’s technologies with Microsoft Amalga UIS, Microsoft aims to give clinicians new insight about patients in real time and enable them to perform the appropriate task with unprecedented speed.

This ties to our efforts in identity & access management - part of the Business Ready Security strategy - to deliver capabilities in the Active Directory platform, and through next-generation products, such as the Microsoft Forefront Identity Manager 2010.

The acquisition brings complementary assets to Microsoft in the areas of single sign-on (SSO), user provisioning and context management that are focused on the healthcare industry. As we integrate Sentillion into Microsoft in the coming months, we will further explore synergies with Microsoft’s identity and access management solutions, such as our Forefront products.

Dark Reading, customers and analysts on TMG

Forefront Blogger — Mon, 07 Dec 2009 21:17:00 GMT

Leading security news site Dark Reading reports on the release of Forefront Threat Management Gateway - including some insightful quotes:

Analyst Rob Enderle: "By focusing on the employee, Microsoft is beginning to address what I believe are some of the most vulnerable parts of the current enterprise. With this, Microsoft is beginning to transition from a company trying to catch up to the market to one that is trying to lead it."

Analyst Chenxi Wang, principal analyst for security and risk management at Forrester. "This is a major step up from what ISA could do in securing Web access. If Microsoft wants to play more in the enterprise security game, it needs to add more functionality to it, and they did in this release."

Customer George Podolak of Architectural firm Pei Cobb Freed & Partners, a TMG customer, uses the gateway to protect both its end users and the business from malware when its users visit social networking or other sites. "I'm not against Facebook [and we allow our users to access it], but when you're using it, we don't want you to wander off to a malware site."

David Cross on TMG

Forefront Blogger — Fri, 04 Dec 2009 18:51:00 GMT

For more about Forefront Threat Management Gateway 2010, check out David Cross' blog on the Microsoft Because It's Everybody's Business site. As product unit manager, David oversaw the development and release of TMG. He discussed the solution in-depth in a TechNet Edge video here, too.

And there's a good Edge video here about migrating from ISA 2006 to TMG.

TechNet Edge video: Forefront TMG URL filtering with MRS

Forefront Blogger — Thu, 03 Dec 2009 20:24:54 GMT

Bill Jensen, PM for TMG, dives deep into the new Microsoft Reputation Services (MRS) which is what powers the URL Filtering capabilities of Forefront Threat Management Gateway. We spend most of the time on the whiteboard explaining how it works, how it is different from the competition, and also give a demo of how the feedback mechanism works inside of TMG.

New Forefront enterprise security solutions for safe, productive web surfing and remote access

Forefront Blogger — Thu, 03 Dec 2009 09:00:00 GMT

Following the last month’s launch of Forefront Protection for Exchange, today we are announcing more progress for our Business Ready Security strategy with the release of two new solutions: Forefront Threat Management Gateway 2010 (TMG) and Forefront Unified Access Gateway 2010 (UAG.)

These solutions address two key endpoint security challenges. TMG, available for evaluation and purchase now, helps companies provide safe employee web browsing. UAG, which will release to manufacturing in mid December and be generally available shortly thereafter, enables organizations to give employees (and trusted partners and vendors) secure remote access to corporate resources.

Forefront Threat Management Gateway 2010

Today’s information workers require web access to do their jobs, but web-based threats continue to rise. For example, the recent Microsoft Security Intelligence Report indicated that phishing rose significantly in the first half of 2009, quadrupling in May, and that social networking sites accounted for 76% of all phishing impressions. Securing web use is traditionally challenging for security administrators. Multiple products and vendors create high costs and management difficulty through “security sprawl.”

TMG is a secure web gateway that enables safe employee web use through comprehensive protection against malware, malicious web sites and vulnerabilities. Building on its predecessor, ISA Server 2006, TMG provides new URL filtering, anti-malware, and intrusion-prevention technologies to protect businesses against the latest web-based threats. These technologies are integrated with core network protection features such as firewall and VPN to create a unified, easy-to-manage gateway.

One of the most exciting features of TMG is its use of Microsoft Reputation Services – a new cloud-based system hosted by Microsoft which maintains a centralized database of 45 million (and growing!) web domains and billions of web pages to help customers identify and block malicious web sites. It pulls data from multiple sources, such as Hotmail, the same technology that powers SmartScreen in Internet Explorer 8, the Windows Live Security Platform, and more than 10 partners, such as Brightcloud, M8e6 and FutureSoft. The TMG/ISA blog provides a great overview of TMG and its URL filtering capabilities.

Forefront Unified Access Gateway 2010

Building on its predecessor, Intelligent Application Gateway, UAG enables remote access via managed and unmanaged PCs and mobile devices. Integrating a deep understanding of applications, the health state of end user devices, and the user’s identity – UAG enforces granular access controls, ensures security, and reduces management costs and complexity.

While UAG provides a variety of connectivity options such web publishing and SSL VPN tunnels, one of the best new features is UAG’s support and enhancements for Windows DirectAccess (DA). DA is the future of remote access allowing for seamless, always-on connectivity. Always-on keeps users happy as they are continually productive, but it also keeps administrators content as users are “always-managed.” UAG helps make DA deployments simpler, more extensible and easier to scale.

Follow Forefront on Twitter

Forefront Blogger — Mon, 30 Nov 2009 19:11:00 GMT

If you are a Twitter fan, be sure to follow us at http://twitter.com/MS_Forefront ! Our own John "JG" Chirapurath, senior director in the MSFT Identity and Security Business Group, is leading the Forefront Tweet charge in his typically pithy way. Come join the conversation about all things identity and security.

Joel Sider

New release of Forefront Online Protection for Exchange

Forefront Blogger — Fri, 20 Nov 2009 19:46:00 GMT

This week we released an update to Forefront Online Protection for Exchange (FOPE) - our hosted service providing anti-malware and anti-spam for both on-premises Exchange and Exchange Online. FOPE can be used as an alternative to the new Forefront Protection 2010 for Exchange Server, or in tandem with it for messaging defense-in-depth.

The new release of Forefront Online Protection for Exchange offers enhanced policy control capabilities (such as enhanced regular expressions support, custom dictionaries) for IT admins to more effectively adhere to compliance needs. In addition, it supports advanced globalization/localization by supporting 13 languages in the Admin Console, in documentation and via telephone support. These enhancements were a direct result of feedback from Forefront Online Protection for Exchange customers, who expressed a need for more options when they created custom company policy rules for filtering, and more flexibility to manage these rules.

Additional enhancements with the new release:

· Policy rule syntax options: The new release provides the option to use either a basic syntax, which is a mixture of comma-separated values (CSV) and simple string-wildcard syntax or Regular Expressions.

· New Policy Rules e-mail header match option: FOPE now allows you to match e-mails based on e-mail header name and value.

· More flexibility for outbound forced TLS rules: The Policy Rules editor now offers a check box to enable Opportunistic TLS for recipients not specifically identified by the policy rule. Custom policy rules filters now feature the following enhancements:

The ability to upload dictionaries of custom-created lists or content for use in policy rules

The ability to apply the dictionaries across multiple rules and domains