Protecting your Exchange servers


Applies to: Forefront Protection for Exchange

A multi-layered approach to server protection provides improved security for any organization that uses Microsoft® Exchange Server messaging. To ensure comprehensive protection, Microsoft Forefront Protection 2010 for Exchange Server (FPE) can be deployed on Exchange Edge Transport, Hub Transport, Mailbox server, or combined Hub/Mailbox roles. For some organizations, scanning at the Edge Transport and Hub Transport servers may be sufficient and appropriate to address their security needs and mail flow requirements. For others, it may make sense to also add Mailbox server scanning as part of their antimalware, filtering, and antispam scanning strategy.

Developing an effective scanning strategy

To effectively manage your organization’s messaging goals of achieving maximum protection and optimum server performance, your scanning strategy must consider the server role architecture. While Exchange Server lets you configure multiple server roles on a single server, some FPE protection technologies are available only on a specific role. For example, antispam protection is available when you install FPE on an Exchange Edge, Hub, or combined Hub/Mailbox role, but not when it is installed on a Mailbox role. For more information about server roles you can see the Overview of Exchange 2010 Server Roles (

As a first line of defense, FPE can be installed on the Edge Transport and Hub Transport servers to provide antimalware and antispam scanning of messages as they enter or exit the messaging domain. FPE can also be installed on Mailbox servers to provide scanning for messages that are not scanned in transport and to provide additional scanning during malware outbreaks, as shown in the following image.

mailflow 6

Scanning one time for maximum performance

By scanning at the edge transport and routing servers, malware is detected before it arrives at the Exchange Mailbox server, which reduces the need for mailbox database scanning. This approach decreases the scanning load on individual servers and increases system performance, without compromising protection.

FPE takes advantage of the Microsoft Exchange antimalware stamp to prevent e-mail messages scanned by one Exchange server from being scanned again by a different Exchange server in the same organization. To identify mail already scanned, an antimalware header stamp is written to each e-mail message when it is first scanned at the Edge Transport or Hub Transport server. Scanning operations that occur later (for example, at the Hub Transport server or mailbox database for incoming mail) check for this stamp, and if present, the mail is not scanned again.

The antimalware stamp is central to reducing the scanning load on Exchange servers in your organization and increasing the overall performance of your mail system. The antimalware stamp identifies the mail and is used to minimize duplicate scanning on additional Exchange server roles.

To best use the scan-one-time capability, all Exchange transport server roles should be configured to use the same scan engines and scanning settings at all transport points (Hub Transport and Edge Transport servers). This ensures that mail is scanned using the same antimalware engines and configurations to provide consistent security, regardless of where a message enters your organization.

By having FPE ready to start with scheduled or on-demand scans, you can establish operational procedures to prepare for malware outbreaks that may occur in the future. Some administrators may also want to run regular, incremental, scheduled scans on a daily or nightly basis to scan only the most recently received mail with the latest antimalware definitions.

How the antimalware stamp works

Before Exchange places an antimalware stamp on a message:

  • The message must be scanned by FPE with at least one engine. The stamp cannot be used in a mixed antimalware vendor deployment, because Exchange does not trust a message stamped by any other messaging solution.

  • Either no malware must be found, or if found, it must be cleaned or deleted.

  • If the message is updated, FPE must successfully write the updated message back to Exchange.

The antimalware stamp is reliable. The Exchange Edge Transport or Hub Transport server strips off any unrecognized, existing stamp on inbound (Internet) or outbound mail.

See Also


Understanding antimalware scanning
About antimalware protection levels
About mailbox database scanning