What MS solution for OWA over HTTPS upload scanning works with both Ex 2003 and Ex 2010 please?
Most of these are scanned by the major ISP, also, that's something which needs to be managed on the client side. Even if one was to get through, im sure' FPE or your desktop AV will pick it up.Sukh
February 25th, 2012 12:01am
You're looking for a solution where it needs to be handled at the client side, this then has to be done at the client side or when the attachment is being attached. Exchange/FPE can't help here.
Exchange/FPE will kick in when the message hits the transport layer on the server.
Unless you have something like an Edge in the DMZ, which screens before passing to Exchange servers on the LAN.Sukh
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2012 12:34am
Forefront.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2012 11:47am
Your best bet is when you get to 2010 you can look into installing a dedicated TMG and edge role on same box. This will act as your permiter reverse proxy gateway to your CAS boxes and will be able to inspect SSL
traffic with edge doing your AV scanning before it hits your CAS.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2012 12:07pm
Thanks, I think you're right but management want an Ex 2003 solution now.
Anyone know any 3rd party appliances that would do the job?
February 25th, 2012 1:23pm
Thanks. To be more specific, is that Forefront Threat Management Gateway 2010? Even if I only want to use it to scan OWA traffic?
The problem is that we have appliances to scan HTTP traffic but they can do nothing with HTTPS traffic as it's encrypted from client to server.
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2012 1:37pm
On Sat, 25 Feb 2012 18:15:19 +0000, Alan McGrath wrote:
>
>
>Thanks, I think you're right but management want an Ex 2003 solution now.
>
>Anyone know any 3rd party appliances that would do the job?
Websense.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
February 25th, 2012 1:38pm
Hello,
Some advice needed please.
I need a solution to scan files that users upload as mail attachments using OWA over HTTPS.
What MS solution can I use for Ex 2003 front-ends which will also work as-is, or with minimal changes, when we upgrade to Ex 2010 soon please?
(The HTTPS connection terminates on the front-ends.)
Thanks,
- Alan.
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2012 1:53pm
What are you trying to scan exactly, for files being uploaded to the OWA servers do you just want to scan it for viruses etc or did you want to do SSL inspection? For just AV scanning you just need Forefront for Exchange loaded on the FrontEnd. If you
want to do SSL inspection to monitor illegitimate url verb requests etc you can go with the TMG. Performing HTTPS inspection is not critical for Exchange unless you want to be more security conscious. I"m not doing it on my CAS, we just do HTTPS inspection
on our money making storefront web farms.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2012 3:48pm
I want to scan - in real-time - file attachments that users upload when they send messages using OWA in an Internet caf or (worse) at home.
We have Antigen on the Exchange 2003 servers but that scans later. Management wants it done in real time.
But we'll migrate to Exchange 2010 soon so anything new I install now should work with both 2003 and 2010.
Thanks.
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2012 3:54pm
Most of these are scanned by the major ISP, also, that's something which needs to be managed on the client side. Even if one was to get through, im sure' FPE or your desktop AV will pick it up.Sukh
February 25th, 2012 4:08pm
Well yeah sure we have multi-level scanning but that's not what management want ...
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2012 4:10pm
You're looking for a solution where it needs to be handled at the client side, this then has to be done at the client side or when the attachment is being attached. Exchange/FPE can't help here.
Exchange/FPE will kick in when the message hits the transport layer on the server.
Unless you have something like an Edge in the DMZ, which screens before passing to Exchange servers on the LAN.Sukh
February 25th, 2012 4:42pm
Your best bet is when you get to 2010 you can look into installing a dedicated TMG and edge role on same box. This will act as your permiter reverse proxy gateway to your CAS boxes and will be able to inspect SSL
traffic with edge doing your AV scanning before it hits your CAS.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
Free Windows Admin Tool Kit Click here and download it now
February 25th, 2012 7:58pm
Hi Alan,
Do you mean RPC over HTTP (which is also known as Outlook Anywhere)? This feature provides a connection to Exchange server for external users with Outlook clients. It is different from VPN connection. Outlook can connect to Exchange through the
Internet by using remote procedure call (RPC) over HTTP.
Http(S) just perform the data transmit task, the security scanning of attachments within email message still remans in the Excange server side.
Outlook Anywhere does not require additional security scanning.
Refer to:
Use Outlook Anywhere to connect to your Exchange server without VPN
http://office.microsoft.com/en-us/outlook-help/use-outlook-anywhere-to-connect-to-your-exchange-server-without-vpn-HP010102444.aspx
Understanding Outlook Anywhere
http://technet.microsoft.com/en-us/library/bb123741.aspx
Understanding Security for Outlook Anywhere
http://technet.microsoft.com/en-us/library/bb430792.aspx
Fiona Liao
TechNet Community Support
February 25th, 2012 10:04pm