How to design Exchange for migration to FOPE in 12 months?

  • Question

  • We are finalizing a migration to Exchange which will complete in a few weeks. We currently use a 3rd-party online anti-virus/anti-spam competitor of FOPE and our contract runs for 12 more months. At the end of that time, we plan to switch to FOPE. Until that time, what products do we need to run on which server roles to ensure good message hygiene for both external and internal messages?

    I'm guessing we can't use FOPE since we have another party providing those services, but we also don't seem to want FPE, or at least not all of its features since we have an online provider of many of them.

    Are we looking at something like running FPE on all systems now, but disabling the redundant features at the edge, then perhaps switching to FOPE at the edge in 12 months but continuing with FPE for message stream scanning of internal communication?

    Please forgive my conceptual weakness on the subject. I am hoping for someone to be able to point me in the right direction and I will then dig into the documentation and have a better idea of what terminology to search for in these forums, and how to integrate Forefront into our system design.

    Friday, July 15, 2011 2:46 AM

All replies

  • Hi,

    You should use FPE to protect internal messages and protect the information store from malware coming over OWA or Outlook Anywhere, because these services use HTTP and so FOPE can't inspect them. To decrease the load on the servers you should disable all redundant services like antispam. As emails are already scanned by FOPE you can activate in FPE the option to not scan the emails coming from FOPE twice, which decreases the load again.

    Greetings

    Christian


    Christian Groebner MVP Forefront
    Friday, July 15, 2011 7:16 AM
  • That is helpful information especially the part about how FOPE does not scan https, but are you taking into account that we will not be running FOPE for the next 12 months?

     

    I take it from your assistance that we should definitely be running FPE internally, but on which systems? We have 2 hub/cas combined role servers and 2 mailbox servers. Run FPE on the hub/cas only, or on hub/cas and mailbox?

     

    Also, since we have a 3rd party handling anti-spam/anti-virus for our external smtp, is it therefore safe to run no additional message hygiene / security software on our edge transport?

    Friday, July 15, 2011 10:16 PM
  • Hi,

    It doesn't matter if you run FOPE or any other external filtering service. In any case you should run FPE on your internal servers to protect them against malware coming through OWA or Outlook Anywhere, which can't be inspected because it comes over HTTP. When you use FOPE you have the advantage that you can configure that emails already scanned by FOPE will be skipped for another malware scan by FPE, which decreases the load on your servers.

    Personally I would install FPE on each server. The mailbox servers need it because of running a scheduled scan and protecting the information store against malware coming through OWA and Outlook Anywhere. It depends on your security concept if you install FPE on your hub transport or edge servers. What you definitely can disable is the antispam feature of FPE because FOPE does this already and FPE won't find any spam in the emails sent from FOPE.

    Greetings

    Christian


    Christian Groebner MVP Forefront
    Monday, July 18, 2011 7:28 AM