Hi,

As you know, exposing a federation server proxy on the extranet will make the client logon Web form accessible by anyone with Internet access. This can potentially leave your organization vulnerable to some password-based attacks, such as dictionary or brute force attacks that can trigger account lockouts for those user accounts that are stored in the corporate Active Directory directory service.

A way to protect you corporate Active Directory is to add a second factor to the authentication. This can be costly. The case study of today is to add the ReCaptcha plugin into the AD FS Proxy Web Authentication Form in order to protect against robots that can try to attack your web form.

Very easy integration with ASP.net

• Download the ReCaptcha dll from and copy the dll into a bin/Release folder in the adfs/ls web site
• Open the ADFS Web Site with Visual Studio and add a reference to this new dll :

• Open the FormSignIn.aspx.cs file, and add the following line :

//------------------------------------------------------------
// Copyright (c) Microsoft Corporation.  All rights reserved.
//------------------------------------------------------------

using System;

using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;
using Recaptcha;

• Open the FormSingIn.aspx file, and add the following line :

<asp:TextBox runat="server" ID="PasswordTextBox" TextMode="Password" ></asp:TextBox>           
    </td>
    <td>&nbsp;</td>
</tr>
<tr><td colspan="3"> <script type="text/javascript" src="https://www.google.com/recaptcha/api/challenge?k=public key"> </script>
<noscript><iframe src="https://www.google.com/recaptcha/api/noscript?k=public key" height="300" width="500" frameborder="0"></iframe>
<br><textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
<input type="hidden" name="recaptcha_response_field" value="manual_challenge"></noscript></td></tr>

where your public key and your private key are the key that ReCaptcha provides during your signin.

With a little customization, your Web Form Page should know look like this one :

Now, we have to get the result of the challenge, and allow the authentication if it’s valid. To do that :

• Open the FormSignIn.aspx.cs file, and add the following line in the SubmitButton_Click procedure :

RecaptchaValidator validator = new RecaptchaValidator();
        validator.PrivateKey = "your_private_key";
        validator.RemoteIP = Request.UserHostAddress;
        validator.Response = Request.Form["recaptcha_response_field"];
        validator.Challenge = Request.Form["recaptcha_challenge_field"];
   
        try {
            RecaptchaResponse validationResult = validator.Validate();
            if (validationResult.IsValid)
            {
                SignIn(UsernameTextBox.Text, PasswordTextBox.Text);
            }
            else
            {
                HandleError("Invalid Captcha. Please try again");
            }

Published by Olivier DETILLEUX

Hi All,

A quick post to promote the blog of one of my colleague. You can find very useful use case, code sample, and lot of thing about Federation Services and .Net.

Have a look at : NET, I'm lovin it ! It’s in French, but you can use the Microsoft Translator : http://www.microsofttranslator.com/bv.aspx?from=fr&to=en&a=http://sebastienollivier.fr/blog/

Published by Olivier DETILLEUX

Hi All,

Last year, I have deal with the Federation of Jive with AD FS. Not really difficult, but there are things you need to know.

Let assume that you already have an AD FS Server deployed.

Since jive 5.0.1 update, it is necessary to force end to end HTTPs encryption. The Jive documentation is available: Jive 5.0 but here are the principal steps :

• Get the public key (X509 certificate) of your public domain certificate and save the file as jive.crt
• Get the private key of your public domain certificate and save the file as jive.pfx
• Extract the private key of the .pfx file
• Import Jive Certificate into the SSL Keystore
• Enable SSL in /etc/jive/conf/jive-httpd
• Configure the connection scheme in /usr/local/jive/applications/sbs/conf/server.xml file
• Restart the Jive services
• Configure SSL in the /usr/local/jive/etc/httpd/sites/default.conf and restart the HTTPd service

After that, you can access your Jive Community Portal through HTTPs

Next Step, configure Jive to allow SAML authentication.

Open the People\Advanced configuration page, and provide the Federation Metadata URL of your ADFS Server.

If you want to provision user information automatically in Jive, you can add some claims type. For example :

Here is what it would look like

Next Step, the configuration on the AD FS Server side.

• Add a new Relyinig Party Trust, and provide the Jive Federation Metadata URL. This url should be something like that : https://yourdomain/saml/metadata
• Create Claims Rule to pass claims to Jive. The important claims to pass to Jive is the Name ID. Here is the custom rule I have write to send domain-user to Jive as the NameIdentifier.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${domain}-${user}"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = http://schemas.xmlsoap.org/claims/CommonName);

• Here is the custom rule I have write to send all the expected claims value. Just a quick search in Active Directory.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"), query = ";mail,sn,givenName,userPrincipalName, title, streetaddress, homephone, mobile, telephonenumber, co, department;{0}", param = c.Value);

And that’s it.

Troubleshooting

You can enable detailed log during authentication in Jive. This is in the Advanced Tab of SAML Authentication. If there is an issue during SAML authentication , you will see an error message like the following.

An error occured while attempting authentication through single sign on
The error could be related to a misconfiguration from the Jive end or from the user authority. Debug information is available below:
- Checking child metadata provider for entity descriptor with entity ID: https://community.yourdomain.net
[…]
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
               <ds:DigestValue>NAJSc1UvIaVG3nm1LJSLmCEEJbw=</ds:DigestValue>
            </ds:Reference>
[…]
         </KeyInfo>
      </ds:Signature>
      <Subject>
         <NameID Format="http://schemas.xmlsoap.org/claims/CommonName">EMEA-TMP-malikah.kelly</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="a485g08eaicifhd325c7c2bdf64j43g" NotOnOrAfter="2011-12-13T14:05:42.672Z" Recipient="https://community.yourdomain.net/saml/sso"/>
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2011-12-13T13:58:42.667Z" NotOnOrAfter="2011-12-13T14:58:42.667Z">
         <AudienceRestriction>
            <Audience>https://community.yourdomain.net</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
        <Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer=http://emea.yourdomain.net/adfs/services/trust>
[…]
- Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
- Signature validated with key from supplied credential
- Signature validation using candidate credential was successful
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Successfully validated untrusted credential against trusted key
- Successfully established trust of KeyInfo-derived credential
- Authentication statement is too old to be used
- There was an error during SAML authentication
org.springframework.security.authentication.CredentialsExpiredException: Users authentication data is too old
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:402)
        at […]
        at java.lang.Thread.run(Thread.java:662)

Common issue I have deal with :

• Users authentication data is too old : Check that time is well sync between Jive and AD FS. If you are experiencing this issue a lot of time, try to update the NotBeforeSkew
• Some claims value expected are empty : check that in your Active Directory, all required attributes are not empty

Published by Olivier DETILLEUX

Hi All,

Long time I haven’t published an article in my blog. Sorry for that, but since the beginning of September, I am an happy Dad, and it is consuming a lot of time

First of all, I want to wish all of you an Happy New Year !

This year, I will focus on Cloud Security, and Identity Management in the Cloud. I have already started that with some articles about Federation Services. We will go deeper in that, and that will be very exciting.

Published by Olivier DETILLEUX

Bonjour à tous,

Cette année encore, j’aurai le plaisir de coanimer une session aux TechDays 2012 avec Nicolas Lieutenant.

Soyez au cœur de l’innovation

Véritable plateforme de rencontres et d’échanges autour des solutions informatiques professionnelles, les Microsoft TechDays rassemblent chaque année 17 000 visiteurs autour de 300 conférences, 3 plénières et 140 exposants sur 5 500 m².

L'objectif de notre session est de présenter les briques de sécurité qui peuvent être mises en oeuvre pour sécuriser votre messagerie Microsoft Exchange Online. A travers une présentation de la Messagerie Online d'Office 365, nous aborderons les sujets suivants : - Mise en oeuvre et sécurisation de la fédération d'identité avec AD FS 2.0 Update 1 - Protection de vos échanges et de vos documents avec S/MIME et AD RMS - Mise en oeuvre de l'authentification forte avec SA Server de Gemalto et le proxy ADFS.

Publié par Olivier DETILLEUX

Au redémarrage du serveur TMG, on constate un temps important (environ 16 minutes) avant que TMG ne soit pleinement opérationnel.

Au sein de l’observateur d’évènements (Windows Logs –> System), on remarque cette erreur :

L’erreur a l’Event ID : 7022

Cette erreur est du à une mauvaise dépendances du démarrage des services entre eux, qui amène alors un timeout de 16 minutes avant que le serveur ne soit opérationnel.

Ce problème peut être résolu via les actions suivantes :

1. Au sein du registre, naviguez vers HKLM\CurrentControlSet\Services\HTTP créer une nouvelle Multi-string value que vous nommerez DependOnService et qui aura comme valeur CRYPTSVC 
2. Au sein d’un cmd ouvert avec les privilèges administrateur :

sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso

Rebooter ensuite le serveur et tout devrait rentrer dans l’ordre

Publié par Yann GRAINDORGE

Bonjour, ceci est mon premier article sur ce blog, donc tout d’abord voici quelques mots pour me présenter. Je m’appelle Yann Graindorge, j’ai intégrer la société vNext depuis mai dernier au sein de l’équipe IAM (Identity and Access Management), je serais donc amener à publier sur ce blog.

Suite à de nombreuses installations de TMG et d’UAG, j’ai souvent eut à faire à cette erreur avec TMG, lors du lancement de la console TMG une erreur de script apparait et il devient impossible de se servir de la console:

Il m’a donc semblé bon de partager la façon de résoudre ce soucis qui s’avère très bloquant.

Ce bug est en réalité dû à la présence simultanée sur le serveur de TMG est d’Internet Explorer 9.

Pour Résoudre ce problème il existe 3 façons de procéder différentes :

• Désinstaller IE9

Pour désinstaller proprement IE de votre serveur il faut suivre la procédure suivante :

http://support.microsoft.com/kb/957700/en-us#stepsforwin2008r2

Dans certain cas ceci ne suffit pas à rétablir la situation, je conseille donc d’utiliser plutôt les 2 façons suivantes.

• Editer le fichier de configuration de TMG “TabsHandler.htc”

Ouvrir le fichier suivant "C:\Program Files\Microsoft Forefront Threat Management Gateway\UI_HTMLs\TabsHandler\TabsHandler.htc" avec un éditeur de texte quelconque.
Rechercher toutes les lignes comprenant l’expression "paddingTop", il doit normalement en avoir 3.
Commentez ces 3 lignes en ajoutant “//” au début de chaque ligne, comme montré ci-dessous:

Sauvegardez les modifications et tentez à nouveau de relancer TMG, l’erreur doit avoir disparue:

• Passer les mises à jour TMG

Si vous installez la version RTM de TMG vous devrez être en version 7.0.7734.100

Il faut premièrement passer le SP1 de TMG, disponible ici:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16734

TMG passera alors en version 7.0.8108.200

Il faut ensuite passer l’Update 1 du SP1 de TMG, disponible ici:
http://www.microsoft.com/download/en/details.aspx?id=11445

TMG passera alors en version 7.0.9027.400

Il faut enfin passer le SP2 de TMG, disponible ici:
http://www.microsoft.com/download/en/details.aspx?id=27603

TMG passera alors en version 7.0.9193.500

Tentez de rouvrir la console TMG, celle-ci devrait alors se lancer sans soucis:

Publié par Yann Graindorge

Like me, you certainly want to generate automatically the DisplayName or other information during the creation of a user in the Portal. We have FirstName and LastName, why would we fill the DisplayName ?

If you let the DisplayName empty, after the creation you will see your user as (No DisplayName).

Here is a solution.

First, customize you RCDC for User Creation to not display the DisplayName uocTextBox. We don’t need it anymore.

Then before any other workflow, execute an action workflow that will evaluate the value of the DisplayName. It’s very easy :

• Create a new workflow, and choose a function evaluator workflow
• Provide a name, and specify the attribute you want to populate. In our example : [//Target/DisplayName]
• Then create the value using the concatenation of LastName, “ “, FirstName
• Save and Launch this workflow with a MPR

That’s it. Now, when a user is created in the Portal, DisplayName is automatically generated. Pretty cool isn’t it ?

Published by Olivier DETILLEUX

Hi All,

Found on the Access Onion Blog, AD FS 2.0 Update Rollup 1 is available here : http://support.microsoft.com/kb/2607496/en-us

There are some new great features for Office 365 :

• Multiple Issuer Support
• Client Access Policy Support

In the Client Access Policy Support section, there is a link to a very interesting TechNet Article : Limiting Access to Office 365 Services Based on the Location of the Client

First, there are 5 new context claims type :

• x-ms-forwarded-client-ip
• x-ms-client-application
• x-ms-client-user-agent
• x-ms-proxy
• x-ms-endpoint-absolute-path

What can we do : For example, creating a rule to block all external access to Office 365 except Exchange ActiveSync:

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

What does this custom rule means :

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])

The request comes from the Federation Server Proxy.

NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",

Value=~"customer-provided public ip address regex"])

The request comes from an internal user.

NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"])

The request comes from a non ActiveSync Device

issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

Access not allowed

The description of the x-ms-forwarded-client-ip is : This AD FS claim represents a “best attempt” at ascertaining the IP address of the user (for example, the Outlook client) making the request. This claim can contain multiple IP addresses, including the address of every proxy that forwarded the request. This claim is populated from an HTTP header that is currently only set by Exchange Online, which populates the header when passing the authentication request to AD FS. So my understanding is if we want to use those claims without Office 365, we need to correctly populate the header of the HTTP request, and that will be ok. The other think is that it’s only populated from Exchange Online, so during an active request. We must remember that when writing the custom rule.

Here is an example of what we can do :

I have a Claims Aware App, a federation service, and a federation services proxy with Update 1. My asp.net application only show the content of my saml ticket. If I go through the federation proxy, my saml ticket contains the fqdn of the proxy :

If I set a custom Issuance Authorization Rule to deny access for External Users :

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

I got an access denied error message :

Published by Olivier DETILLEUX

The Microsoft Security Intelligence Report is available. You can download it here. It is an in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software in the first half of 2011.

More information about SIR : http://www.microsoft.com/security/sir/default.aspx

Key Findings is also available in your language if you don’t want to read all the report.

A related article about Zeroing In on Malware Propagation Methods provide very interested information about propagation methods.

This article presents a new method for classifying Malware Propagation, because the threat landscape was very different than it is today.

“ These standards were created when widespread public use of the Internet was nonexistent or very limited, and before malware development and propagation were the domain of professional criminals looking for illegitimate profits […] By adding new ways to classify malware and understand how exploitation is measured, security professionals can improve the ways they think and communicate about the threats that modern computer users face ”

It is very interesting to see that 44,8 % of malware detected required User Interaction to propagate themselves.

So, what is a user interaction ?  According to the report :

“A typical example of a user interaction that isn’t considered an installation decision would be a user following a hyperlink on a webpage or in an email message that leads to a page that attempts to use browser vulnerabilities to install malware.”

If you have a look at the Project Board Street Taxonomy, you can see that the easier (no pass through a CVE choice)  and shorter path to introduce a malware is the following :

User Interaction [YES] –> Deception [YES] –> User Intent to Run [YES]

So this is my point :

• We can limit, but never stop User Interaction.
• So, we have to work on “Deception”
• How can a user be fooled ?
• He receives an attractive mail that contains a vulnerability
• The attacker impersonates the CEO to send email across the company
• …

This report was for 0 day Malware Propagation Methods. But it highlights that the user is often responsible for the propagation of a malware.

You can say that it’s common sense, but with an up to date Antimalware Engine (Forefront Endpoint Protection), an up to date Operating System and a good Spam Protection (FPE) we can significantly protect users.

And with a effective strategy of Information Protection (with AD RMS), we can also reduce user deception, and stealing information.

Published by Olivier DETILLEUX

We are happy to announce the availability of Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). The service pack is available for download from the Microsoft Download Center.

Here are some of the improvements we are introducing in Forefront TMG SP2: 

• Site activity report – Forefront TMG SP2 includes a new site activity report that enables you to generate a report showing the data transfer between users and specific websites. This report displays the amount of data transferred to and from different websites, for any
  period that you specify, per user. In addition, you can also display the total data transfer to and from a specific website, per user.  

• Improved error pages – Forefront TMG SP2 improves the look and feel of web browser error pages and makes it easier to customize the pages. 

• Kerberos authentication for NLB arrays – Forefront TMG SP2 enables you to allow users to authenticate to a Forefront TMG array with Network Load Balancing (NLB) enabled using the Kerberos version 5 protocol.

Visit our TechNet Library for more information.

 - The Forefront TMG Team

We are happy to announce that Update 1 (UP1) for Forefront Unified Access Gateway (UAG) 2010 Service Pack 1 (SP1) was released today. It is now available for download from the Microsoft Download Center as an upgrade from UAG 2010 SP1.

Update 1 enhances UAG’s application publishing scenarios by adding support for:

• Dynamics CRM 2011
• Microsoft Lync 2010 web services
• Office Web Apps with SharePoint 2010

Learn more by visiting our TechNet Library.

- The Forefront UAG Team

If you have seen this Windows Server 8 BUILD session “Enabling the hybrid cloud using remote access appliances”, you know that all new feature of DirectAccess are back in Windows Server. I just want to have an overview of what DirectAccess looks like in Windows Server 8.

First, DirectAccess is a Role : “Remote Access”

You wan deploy both VPN or DirectAccess.

You can choose to deploy Remote Access in a Single Nic configuration. This is very interesting and needs a deeper analyze to see how it is going to work.

After the wizard completion, you will see this new interface :

Another interesting point is the ability to provide DirectAccess to Windows 8 endpoints without IPSEC. Also, needs a deeper analyze. We can see that certainly, Windows 8 DA Connectivity is not the same as within Windows 7. You can active OTP authentication with one click

Perhaps the most important feature : Multisite. With Forefront UAG and Windows 7, there was no easy ways to provide dynamic multisite DirectAccess scenario. We can see this is fully integrated in Windows Server 8. Just enable Multisite (requires IPSEC and no Self-Generated Certificates), and declare Entry Points

This is available for Windows 8 only, or both Windows 7 and 8.

There are 2 new DNS entry. Don’t know the goal for the moment.

When Multisite is activated, a new interface is available, and you can manage each nodes

To summary, this is just a quick overview of what you can find in the new Remote Access Role. We need to go further to understand how all is working. I am very exiting to go technically deeper, but mostly working on new functional scenario. This overview lets me think that DA deployment is now really easy. The Windows Server 8 team works very hard to provide a simple and complete wizard, leaving us doing mostly functional architecture. Thank You !

Published by Olivier DETILLEUX

Hi All,

As you know, the Developer Preview of Windows Server 8 was presented during the Build Conference last week. MSDN Subscribers can download this release. I want to show you if there are some new things in Active Directory (DS, RMS and FS) in this amazing release.

Role installation is quiet similar as it was in Windows Server 2008 R2, except of course the amazing feature that allow you to deploy multiple servers with one PowerShell line ! For more information about that, have a look at this great session : http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-973F

Active Directory Domain Services

After the installation of the AD DS role, you cannot launch DCPROMO from the cmd line. You have to complete a task : Promote this server as a domain controller.

There is a new DCPROMO wizard :

After the promotion, the version of my schema is 51. I have deployed this new DC in an existing 2K8R2 forest, and I was surprised not to have been asked to prepare domain and schema…

I have find 2 new containers :

• cn=tpm devices
• cn=claims configuration

The last one is for the new Dynamic Access Control feature.

In the GPMC, we have the ability to launch a remote GPupdate to all object in a container

As you certainly know, user have the ability to open a session on their Windows 8 PC with their Windows Live ID. You can denied that, and there are some new GP object for that :

But it seems that there isn’t any relationship between the AD Account and the Live ID account. And no use of ADFS to achieve the authentication. It will be great if we can use AD FS to log on a windows 8 computer, with a specific identity provider (Yahoo, Facebook, Windows Live ID or Google). Perhaps in a next release ?

Anything new in AD Federation Services ?

ADFS 2.x is now included as a role, with all features. I hope this is 2.x features. According to the BUILD conference, this is AD FS 2.1, but we need more information to see what's new in this feature.

Published by Olivier DETILLEUX

Hi All,

Today I want to deal with IRM (Information Rights Management) in Exchange Online.

As you certainly know, you can use your On Premise Active Directory Rights Management Services (AD RMS) to create Rights Policies in Exchange Online.

There are some limitations (only 20 policies, no automatic sync between Online and On Premise), but it’s pretty cool. Have a look :

On your On Premise AD RMS, create a policy rule for your Exchange Online :

In this policy, specify that for example

Then, export your TPD (trusted published domain) to Office 365, using Powershell :

First, connect to Exchange Online :

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Then export your TPD :

Import-RMSTrustedPublishingDomain
-FileData $([byte[]](Get-Content -Encoding byte -Path "c:\MyTPD.xml" -ReadCount 0))
-Name "My TPD“
-ExtranetLicensingUrl https://adrms.labiam.com/_wmcs/licensing
-IntranetLicensingUrl https://adrms.labiam.com/_wmcs/licensing

Your TPD is disable (archived) by default. You have to change the state to Distributed:

Set-RMSTemplate -Identity "Office 365" -Type:Distributed

Now, the template is visible in Exchange Online. You have two way to apply this template :

• Directly in a transport rule :

• Or manually in OWA

The result is a mail like the following : You cannot Forward, Edit, or Copy and Paste

" border="0" alt="clip_image002" src="http://myitforum.com/cs2/blogs/forefrontsecurity/clip_image0026_thumb_0F0EEBA2.jpg" width="244" height="142" />

Cool isn’t it ?

Published by Olivier DETILLEUX

We’re pleased to announce the launch of the new Microsoft Server and Cloud Platform website
(http://www.microsoft.com/server-cloud).  

The new site is a comprehensive source for information relating to our private cloud
and virtualization solutions, as well as other solutions based on Windows
Server, System Center, Forefront and related products.  It is designed to
help connect you to relevant information across Microsoft web destinations,
including TechNet, MSDN, Pinpoint and more - making it a great place to
understand what we offer, why you should consider it and how to get started.

Enjoy the new site and stay tuned to the blog for the latest Server & Cloud
Platform updates!

Hi All,

Hicham has already told about “How to authenticate to your network through your online credentials” : http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/08/05/authenticating-to-your-network-through-your-online-credentials.aspx

Let’s talk today, how you can very easily authenticate on your .Net Claims Aware Application with your Facebook Account.

First you have to create / initialize your Windows Azure AppFabric Service Bus, and ACS. I don’t want to go deeper in that subject, I am not very relevant with those technologies. But I can use them. For more informations (in french), here is a great Techdays 2011 session by Arnaud Cleret and Guillaume Belmas about “The integration of Windows Azure in my Information System” : http://microsoft.com/showcase/fr/fr/details/5c6d8b01-43cb-445c-8eaf-4c19a826a04d

Ok, and now :

Go to Facebook, and create a new Application. For this topic, I have created the “Labiam.net Claims Identity Provider”

Configure this application to be a Web Site that can be used to authenticate users. Specify that the relying party is your ACS Service Namespace URL :

When all is done, configure your ACS to add Facebook as an identity Provider and provide the APP ID, and APP Secret. Save, and that’s it

During the first logon to the application, choose your Azure Access Control, and the Facebook Identity Provider

You will be redirected on the Facebook Login Page

And here you are. My application just show a list of available claims in the token. For the moment, there is only a Name, but I can now search in my Active Directory to find user’s roles.

As you can see, it’s pretty easy to give an access to your On Premise application to Facebook Users. Why doing that ? Sometimes, delegating authentication to another provider is useful : No needs to host a username / Password database or Directory, no needs to manage password policy and other benefits that those new Cloud Scenarios provides.

In a next article, I will go deeper in security with AD FS, because opening your Infrastructure to Facebook is great, but in other words, you are opening your application to millions of strangers !

Published by Olivier DETILLEUX

Single Sign-On (SSO) is one of the new features brought by Office 365. This relies on the following Microsoft technologies:

• The Directory Synchronization tool (DirSync) based on Identity Lifecycle Manager (ILM) 2007 to sync your on-premises directory with Office 365.
• Active Directory Federation Services (AD FS) 2.0 to provide authentication between your environment and Office 365.

If the benefits are important, one main limitation still exists: you cannot synchronize multiple forests. To address this scenario, Microsoft recommends to consolidate your forests or to use your primary logon forest only. This requires a deep Active Directory cleanup prior to beginning your Office 365 deployment.

To overcome this issue, I worked with Julien Peigné – Unified Communications Consultant at vNext – to develop a unique approach to sync and federate your forests with Office 365. Here is how it works in 3 main steps:

• Consolidation: A new, dedicated forest is created to provide a clean and consolidated directory. This directory will be synced with Office 365 using DirSync.
• Synchronization: User accounts are synced between the existing forests and the new resource forest using Forefront Identity Manager (FIM) 2010.
• Federation: AD FS 2.0 is setup and configured in each forest to provide a transparent authentication between your environment and Office 365.

The following figure summarizes the solution:

This provides some interesting benefits:

• All types of directories: using FIM 2010, we can provide Office 365 accounts to all your users no matter their directory (Active Directory, LDAP, SQL…).
• Step-by-step migration: using FIM 2010, we can filter and gradually fund accounts from your existing forests to the new resource one.
• Deployment accelerator: there is no need to cleanup your existing directories. Malformed, inactive or disabled accounts can simply be ignored with FIM 2010.
• No impact: No change is required on your existing directories. We only sync the attributes that DirSync needs using FIM 2010.

Feel free to contact us for more information about this solution. Please also note that this has not been tested by the Office 365 team and is consequently not supported by Microsoft. However, we tested it and validated it in our test labs at vNext.

Published by Olivier DETILLEUX

Microsoft is pleased to announce the availability of Forefront Identity Manager 2012 R2 beta.  Some of the key areas we’re enhancing with this release include:

• Credential management with web based password reset
• Historical reporting using integration to the System Center Service Manager data warehouse
• Greater ease of use through enhanced initial load performance, improved diagnostics and and enhanced load and scale performance
• Additional support for Microsoft Outlook 2010, and Microsoft SharePoint Foundation 2010

To join the beta program and download the software, click here.

We are also pleased to announce that the Forefront Identity Manager Community Evaluation Program will commence on the 2nd of August with our first session. Community members are encouraged to attend and new members are certainly welcome.  Community Evaluation Programs are a great technical resource for deeper understanding of Microsoft products and to connect with other users.  With over 2000 people engaged in various CEP programs, you’re able to not only connect directly with key engineering resources from Microsoft, but also a broad community of like-minded users.  Further details on the Community Evaluation Program for the R2 release of Forefront Identity Manager 2010 can be found here.

Cloud computing is as big a transformation, and opportunity, as the technology industry has ever seen. Partners and customers can look to Microsoft for the most comprehensive cloud strategy and offerings, in order to improve their business agility, focus and economics. Today, at the Worldwide Partner Conference, Microsoft announced tools and solutions to help partners capitalize on the opportunities, as well as examples of partners and customers already finding success.

Read more

The 2011 Microsoft Worldwide Partner Conference (WPC) is kicking off today, and with over 12,000 attendees expected, it promises to be an exciting event. The Server and Cloud team at Microsoft has been working furiously over the last few months to make this a successful event for our partners. Over the next few days, our team will provide you regular updates about the announcements and events at WPC. As with all WPCs, there’s a lot going on at the event, so we’d like to highlight some locations and events that our core infrastructure partners will find useful.

• Breakout Sessions: You can find a complete list of the Server and Cloud breakout sessions here. Our sessions cover a variety of topics, ranging from the how the Private Cloud can help expand your business, to a preview of the benefits that the upcoming System Center 2012 release can bring to your infrastructure practice. Each session will have partner speakers featured as well, so be sure to add these sessions to your schedule builder!
• Private Cloud and Platform Servers Booth: Please visit our booth (#1221) in the Solutions Innovation Center. In addition to demos of our latest products, you will find some really exciting offerings there:
  • In partnership with Microsoft, Global Knowledge (2011 Learning Partner of the Year) is offering partners who visit our booth a discount of at least 20% off the list price on qualifying Microsoft Virtualization and Systems Center courses across the world.
  • In partnership with Dell and HP, we shall be running live Private Clouds in our booth. Come see a real private cloud in action!
  • Happy Hour with Server and Tools Execs: Join us at the Server and Tools Lounge (located at LACC West near the entrance close to Staples Center) on Monday, July 11^th from 4:30-6:30.
  • Programs and offers: At WPC, we will be announcing a number of new programs for our partners – be sure to ask our team at the Private Cloud booth about:
    • Private Cloud, Management and Virtualization DPS Program (PVDPS) - click here to find out more
    • Changes to our Management and Virtualization Solution Incentive Program (SIP)
    • The Cloud Assessment Tool
    • The MPN Private Cloud Sales Specialist program

Stay up to date with the latest Server and Cloud information! Follow us on twitter (@MSServerCloud) on our blog (http://blogs.technet.com/b/server-cloud) and “Like” us on Facebook (http://www.facebook.com/Server.Cloud) to get access to WPC 2011 previews. And don’t forget tag your own twitter messages with #hyperv and #WPC11

Please remember that this is your event, and we want to hear from you! Please let us know what you liked, and didn’t like, at WPC 2011.We’ll be back over the next few days with many more updates for you.

Varun Chhabra

Partner Marketing, Windows Server and Management Business Group

Everyone is talking about the Cloud. At next week’s Worldwide Partner Conference, you and 12,000 other partners will be encouraged to take the cloud conversation to the next level from traditional virtualization to cloud-based computing.  As your customer’s trusted advisor, you will best be able to propose solutions when you understand opportunities around private clouds and public clouds.

At WPC 2011, you’ll learn about our Hyper-V based Private Clouds and Windows Azure-based Public Clouds that can be managed by System Center 2012.  Most importantly, you’ll learn how Microsoft can help you ramp up on cloud technologies, generate new revenue streams, and ultimately take your Infrastructure practice to the next level.  

We look forward to seeing you at WPC. Please read on for more event-specific information.

Cheers,

Kevin McCuistion

Director of Partner Marketing, Server and Tools Business

Take Advantage of the Microsoft Virtualization and System Center offer from Global Knowledge

Global Knowledge, 2011 Microsoft Learning Competency Partner of the Year, is offering partners who visit our booth a discount of at least 20% off the list price on qualifying Microsoft Virtualization and Systems Center courses. Make sure to come to our Microsoft Private Cloud and Server Platforms booth #1221 in the Solutions Innovation Center to learn more!

Don’t miss our sessions led by our executives on Tuesday, July 12th.

 Call to Action

• Sign up for Server and Cloud sessions today!
• Visit the Private Cloud and Platform Servers booth (#1221) in the Solution Innovation Center to take advantage of our readiness offer, and to see a Private Cloud solution from HP and Dell in action!
• Join us in the Server and Tools Lounge (located at the entrance to LACC West) for Happy Hour with Top Server and Tools Executives on Monday, July 11th from 4:30 – 5:30pm
• Stay up to date with the latest Server and Cloud information! Follow us on twitter (@MSServerCloud) on our blog (http://blogs.technet.com/b/server-cloud) and “Like” us on Facebook (Facebook.com/Server.Cloud) to get access to WPC 2011 previews. And don’t forget tag your own twitter messages with #hyperv and #WPC11.

An Update Rollup for Forefront Endpoint Protection 2010 is now available here:  Get Update .

 In addition to hotfixes, this Update also includes some important changes to note:

1. Support for Windows Embedded 7 platforms:  With this update, the FEP client software is supported on certain Windows Embedded 7 platforms (including Windows Thin PC) and Windows Server 2008 Server Core.  For more information about the additional support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client Computer.
2. Signature Update Automation Tool used with Configuration Manager Software Update:  This tool automates downloading FEP definition updates using Configuration Manager 2007 Software Updates.  This is a command line tool that uses Configuration Manager APIs to get new definitions from Microsoft Update via the Configuration Manager software update feature, distribute the content to distribution points, and deploy the updates to Endpoint Protection clients on a recurring schedule.  The automation of the tool is done through the Windows task scheduler. To download the tool:  Go here.
3. Two new preconfigured policy templates for the following server workloads:

               a.  Microsoft Forefront Threat Management Gateway

               b.  Microsoft Lync 2010

You can find more details in the “What’s New” document on the TechNet site.  Please check out this KB article for a full list of fixes included in this Update Rollup.

Thanks,

Adwait Joshi

Sr. Technical Product Manager

Forefront Endpoint Protection 2012 beta is here!  We are extremely excited to announce the availability of Forefront Endpoint Protection 2012 Beta.  Customers and Microsoft Partners can download the Beta software immediately here. You can also download the pre-requisite System Center Configuration Manager 2012 Beta 2 here

Forefront Endpoint Protection 2012 continues to deliver on the promise of Forefront Endpoint Protection 2010, simplifying and improving endpoint protection while also greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2012, allowing customers to implement endpoint protection as part of a unified infrastructure for securing and managing physical, virtual, and mobile client environments. This shared infrastructure lowers ownership costs while providing improved visibility and control over endpoint management and security.  

• What’s new in FEP 2012:
  • Support for System Center Configuration Manager 2012
  • Improved real time alerts and reports
  • Role-based management
  • User-centric reports (post beta)
  • Easy migration from FEP 2010/ConfigMgr 2007
  • Support for FEP 2010 client agents

Forefront Endpoint Protection 2012 continues to provide proactive protection against known and unknown threats using multiple technologies in the antimalware engine like behavior monitoring, network inspection system and heuristics.  With cloud based updates through the spynet service, endpoints get updated protection against new threats in real time.  See the benefits of enabling Dynamic Signature Service in FEP here.

You can find more product details on our Website or TechCenter. And for more information about convergence of management and security, please visit our new Windows Optimized Desktop page.

You can now evaluate Forefront Endpoint Protection 2012 beta and System Center Configuration Manager 2012 beta with a community of early adopters.  Join the Community Evaluation Program for System Center Configuration Manager and evaluate the products with guidance from the product team and by sharing of experiences and best practices among a community of peers.

In addition, Microsoft Identify & Security partners can take advantage of the Microsoft Solution Incentive Program. This program rewards partners that identify and sell solutions that include Microsoft Forefront client security. Visit our Hyper-V Enabled Private Cloud page on Microsoft’s Partner Network to get more information on eligible opportunities.  

We hope you will evaluate the early version and give us your feedback!

Forefront Endpoint Protection team

The Microsoft TechEd Twitter Army is looking for recruits to twitter off the show floor during our premier TechEd event running May 16-19 in Atlanta. If you’re going to the show and want your opinions heard, be sure to check in at the Social Media area in the Microsoft Server & Cloud Platform Booth on Monday afternoon at 12:30 pm.  Recruits who do well on the Twitter front lines will compete for an Xbox 360 + Kinnect package and other prizes to be handed out at a private Twitter Army event happening Thursday at 2 pm. Don’t forget, and remember that Uncle TechEd Wants You!

With the recent announcement of the release of Forefront Endpoint Protection 2010, we published a bevy of resources through different channels to prepare the way and bring you up to speed. In the interests of providing the community—our readers—a quick-and-easy way to access these resources, we’ve compiled a digest of items for your handy reference.

Enjoy!

- The Server & Cloud Platform Team

Key Pages & Sites

• Forefront Endpoint Protection Home
• Forefront Endpoint Protection 2010 TechNet TechCenter
• Download Microsoft Forefront Endpoint Protection 2010
• Blog post: Convergence of Desktop Security and Management
• Desktop Security with Windows Optimized Desktop

Videos

• Understanding the Convergence of Security and Management
• Desktop & Datacenter Management and Security Strategy
• Forefront Endpoint Protection 2010 Demos and Interview

Webcasts & Presentations

• Business Insights Webcast: Security and Management Convergence on the Desktop (Level 100)
• Planning and Deploying Forefront Endpoint Protection 2010 with Microsoft System Center Configuration Manager
• Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft’s Secure Endpoint Solution
• Secure Endpoint: What’s in Microsoft Forefront Endpoint Protection 2010 – A Deep Dive into the Features and Protection Technologies

White Paper

• Convergence of Desktop Security and Management: Forefront Endpoint Protection and System Center Configuration Manager

We are extremely excited to announce that Forefront Endpoint Protection 2010 (FEP) has released to manufacturing!  Customers can access the RTM release on the Microsoft Volume Licensing Service Center (VLSC) starting Jan. 1, 2011 -- or try the evaluation version immediately. 

This is our first – and very significant – step in making the convergence of desktop security and management a reality.  Customers using System Center Configuration Manager 2007 can now quickly and efficiently deploy, configure, manage, update, and report on FEP protections, helping to lower infrastructure costs and improve overall security.  And since both products are included in the Enterprise CAL (ECAL), customers who purchase ECAL automatically get access to all the licenses they need to implement the solution.  To make deployment easier, FEP will even identify and replace the existing antimalware agents you may have previously installed. 

Customers have already begun seeing the advantages of bringing together powerful antimalware protection with their existing infrastructure for deploying, patching, and updating client systems.  A large university medical center that participated in our Technology Adoption Program (TAP) said the following about their experience using FEP in their 50,000 desktop environment: 

“We’re primarily a paperless organization.  We need 100% uptime so that medical records, prescriptions, and all other documentation is available to our healthcare professionals. The single console for Forefront Endpoint Protection 2010 [and System Center Configuration Manager 2007] gives me a view of our whole system and ensures that we can handle threats before they become an issue.”

There are a ton of new features to explore in this new release including award-winning antimalware protection (FEP uses same engine as Microsoft Security Essentials), vulnerability shielding, Windows firewall management, and, of course, integration with System Center Configuration Manager 2007.  You can find more product details on our Web site or TechCenter.    And for more information about convergence, please visit our new Windows Optimized Desktop page.

We hope that you will give FEP a test drive soon!

We are pleased to announce the release of Forefront Unified Access Gateway 2010 SP1, which includes key updates to the product, including: enhanced DirectAccess deployment and operation, improved monitoring and troubleshooting, as well as enhancements to publishing scenarios.  Trial bits can be downloaded here.  In addition, you can view additional details on TechNet to find out what’s new in Forefront UAG 2010 SP1.

Top Features

- The Forefront Team

We’re just back from TechEd in Berlin where Brad Anderson announced the release candidate for Forefront Endpoint Protection (FEP) 2010 during his keynote. During the session, Brad highlighted one of the key focus areas in this release - the convergence of security and management. FEP 2010 is deployed, configured, managed, updated, and reported on through System Center Configuration Manager 2007, allowing customers to streamline their client management and security operations. Using FEP to merge these disciplines, organizations can improve desktop protection and lower operational costs.

Since we’ve posted the release candidate, I’ve heard a lot of great feedback from trial customers (check out the Customer Evaluation Program), TechEd attendees, and TAP participants on the impact this convergence is already having on their businesses. Customers like Riga Stradins University tell us that the consolidated tools, processes, and infrastructure help them enable new efficiencies:

“The integration of management and security makes our IT organization more agile.  We’re more efficient in the way that we use our personnel. We’ve increased the number of people available to respond to security incidents by 20% with no increase in headcount” – Kristaps Cudars, Principle Information Systems Architect

This use of FEP to drive new efficiencies is a persistent theme among the early adopters. With security as part of the console that in many cases they are already using, customers say that their dedicated management personnel can expand their efforts – easily, to help watch over security.

Another interesting comment on efficiency came from Telekom Slovenije. Like many organizations globally, Telekom Solvenije has a single team responsible for desktop management and endpoint security, but the tools they used required completely separate efforts.  Already a Configuration Manager customer, and with a long-term contract for their existing anti-virus solution ending, they applied to join the FEP TAP program:  

"We had separate silos for managing and securing the infrastructure, even though the same team was responsible for both… The integration of FEP with System Center Configuration Manager lets us break down the silos with our organization and increase efficiency” – Dragoslav Radin, Head of the Division for IT Infrastructure Services

These efficiencies, driven by convergence of security and management, not only allow administrators to do their jobs better and more quickly, as we’ve discussed here, but they also lower hardware, maintenance, and training costs through the use of a single, multi-purpose infrastructure.  I hope you will download and try FEP in your environment.  

The Release Candidate of Forefront Endpoint Protection (FEP) 2010 shipped today and is now available for download here.  FEP was built on Configuration Manager 2007 (R2 and R3 supported), so anyone with Configuration Manager deployed now has the unique ability to deliver desktop security on your existing infrastructure. Find out more on the System Center team blog.

-        Forefront Team

Today in Berlin at TechEd Europe Microsoft vice president Brad Anderson announced that the Release Candidate of Forefront Endpoint Protection (FEP) 2010 is now available for download and we are on track to release to manufacturing by the end of 2010! Built on System Center Configuration Manager R2 and R3, FEP gives customers the ability to manage and secure their systems on the exact same infrastructure –  converging the disciplines of client security and management. 

With FEP, desktop antimalware is no longer a discrete set of tools and processes – it is an extension of your existing Configuration Manager deployment, making your endpoint protection:

1. Easier to use.  You view your configuration information (what has/hasn’t been updated, what patches have/haven’t been applied) in the same place as your security information – which makes it easier to identify issues and make smarter decisions to resolve them.
2. Less costly. No more maintaining two sets of hardware, implementing two sets of policies, or training staff on two separate technologies.
3. Extremely effective.  The new detection engine in FEP– with its behavioral detection technologies – has been proven in third-party testing (AV-comparatives, VirusBulletin) to rank among the industry’s best – particularly when detection unknown threats.

In addition to our infrastructure and detection updates, FEP includes some great new features like:

• Windows Firewall management.  Now easier to ensure Windows Firewall is active and working properly on all endpoints across the enterprise.
• Automated agent replacement.  For the most common antimalware solutions, automatically detects and removes existing security agents to streamline deployment.

We encourage you to take a look at the new RC – and if you happen to be at TechEd EMEA, make sure to stop by our booth!

Today, Microsoft announced the acquisition of AVICode, Inc., a market leader in application performance monitoring and diagnostics of .NET applications and services. AVIcode will become a wholly-owned subsidiary of Microsoft and the technology acquired will be rolled into the System Center family of products over time.

As more customers move to cloud-based services, they face additional management complexities. This acquisition represents further Microsoft investment in providing customers with unified management for physical, virtualized and cloud applications, whether they are running in a customer, service provider or Microsoft datacenter. By integrating AVIcode’s product capabilities with System Center, Microsoft will help customers ensure the availability and performance of business-critical applications and services, no matter where they are deployed.

Integration of AVIcode technologies with System Center Operations Manager will help customers close the “management gap” between existing, on-premises applications and those delivered via the cloud, providing a comprehensive view of application performance, end user experience and the ability to respond more quickly to business needs.

Today, customers can immediately benefit from AVIcode capabilities including:

• Simplified management with automatic discovery of application dependencies and requirements.
• Optimized business productivity with always-on, real-time monitoring, and rapid error resolution of business-critical applications.
• Lower cost of managing datacenter services through enterprise-wide standards  to manage custom and disparate applications .

Brad Anderson, corporate vice president of the Management and Security Division, provides more information about this acquisition on the System Center Nexus blog here, and in a recorded video Q&A here.

This month, Identity Lifecycle Manager 2007 beat out IBM and RSA for Information Security Magazine’s 5th annual Readers’ Choice Awards, taking first place for the Identity and Access Management category.  Readers gave it solid marks across the board, particularly for ease of use, integration with associated products and comprehensive and flexible reports.  You may already be aware that Microsoft Forefront Identity Manager 2010 – the successor to Identity Lifecycle Manager 2007 – is available now and dramatically simplifies enterprise identity management through end-user self service capabilities and IT administrator tools to automate tasks.  To see what the buzz is all about, evaluate FIM today. 

Today the team delivered the anticipated Forefront Endpoint Protection 2010 (FEP) public beta to customers.  The successor of Forefront Client Security is built on System Center Configuration Manager (SCCM) 2007 R2, allowing customers to use their existing client management infrastructure to deploy and manage endpoint protection.

The end result? Customers will save capital costs on roll-out and also reduce training costs because administrators won't have to learn yet another management user interface.

FEP supports Windows XP, Windows Server 2003 and all subsequent versions of the Windows client and server operating systems. Other new features include:

• New Antivirus Engine.  Highly accurate and efficient threat detection protects against the latest malware and rootkits with low false positive rate.  
• New behavioral threat detection.  Protection against "unknown" or "zero day" threats provided through behavior monitoring, emulation, and dynamic translation. 
• Windows Firewall management.  Ensures Windows Firewall is active and working properly on all endpoints, and allows administrators to more easily manage firewall protections across the enterprise.
• Dynamic Cloud Updates. On-demand signature updates from the cloud for suspicious files and previously unknown malware

If you are using System Center currently, you can download the SCCM 2007 R2 trial to understand the features and functionality that it provides to administrators for FEP trial purposes. 

We will announce pricing and licensing at a later date and the final product is on track to be available in the fourth quarter of 2010.

Download the Forefront Endpoint Protection 2010 beta here and let us know what you think.  Need more information? Check out the Microsoft Forefront homepage and watch the TechNet Edge video below.

Released last December, TMG is the next generation of Internet Security and Acceleration (ISA) Server 2006.  It is a secure web gateway that allows employees to safely and productively use the Internet without worrying about malware and other threats.  TMG provides multiple layers of continuously updated protections against the latest Web-based threats, including URL filtering, antimalware inspection, and intrusion prevention.  Enhancements in TMG Service Pack 1 (Available for download here):

Improved reporting features

• New user activity reports to monitor Web surfing information
• Improved look and feel for all TMG reports

Enhancements to URL filtering

• User override for access restriction on sites blocked by URL filtering, allowing more flexible and easier deployment of web access policy
• Override for URL categorization at the enterprise level
• Customized site access denial notification pages to fit an organization’s need

Enhanced branch office support

• Simplified deployment of BranchCache at the branch office (for Windows Server 2008 R2 users), using Forefront TMG as the Hosted Cache Server
• Forefront TMG and a read-only domain control can be located on the same server, reducing TCO at branch offices

Support for publishing SharePoint 2010

Below is a FOPE admin screencast by Micah Lanasa on TechNet Edge.  And here you can read about how the International Speedway Corp, which promotes the DAYTONA 500 and other motorsports events, saved $120,000 using FOPE to protect its vital messaging system.

From Micah:

Forefront Online Protection for Exchange is a hosted service that provides a layer of protection to actively help protect inbound and outbound e-mail from spam, viruses, phishing scams, and e-mail policy violations. In this video series I’ll walk you through the Administration Center, which is the service management site for Forefront Online Protection for Exchange.

In this first video I’ll highlight some of the features and tools in the Information tab and the Company subtab. To continue learning about FOPE Administration, watch the next video in the series Forefront Online Protection for Exchange: Administration Center 102.

There are some great opportunities coming up this month to learn about Forefront solutions.

TechNet Simulcast: Forefront Virtual Event
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032454002&Culture=en-US

Register for the Forefront Virtual event on June 23^rd and 24^th to hear from the product team, ask questions and see great technical demos on FEP, FIM, TMG, UAG, FPSP, FPE, FOPE, and ADRMS + Exchange.

Deployment Webcasts

6/28/2010 11:00:00 AM -Deploying a Microsoft Identity and Access Management Solution (Level 300)

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453697&Culture=en-US

6/30/2010 8:00AM Best Practices for Deploying a Microsoft Secure Collaboration Solution (Level 300)

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453700&Culture=en-US

6/22/2010 12:00PM Using a Microsoft Information Protection Solution with RSA Data Loss Prevention

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453692&Culture=en-US

6/22/2010 9:00:00 AM - TechNet Webcast: Deployment Best Practices for Information Protection

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453503&Culture=en-US

6/16/2010 10:00:00 AM - Enabling Secure Messaging – FOPE Deployment Best Practices

https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032450259&EventCategory=4&culture=en-US&CountryCode=US

Microsoft has released the Information Card Issuance Community Technical Preview (CTP.)  This will enable IT administrators to easily issue information cards via Active Directory Federation Services 2.0, giving end users a more flexible and secure means of authentication to applications within the enterprise, across company boundaries and into the cloud.  Through this CTP, we hope to gain valuable feedback on our Information Card technologies. 

The CTP will support the following scenarios:

• Administrators can install an Information Card Issuance component on AD FS 2.0 RTM servers and configure Information Card Issuance policy and parameters.
• End users with IMI 1.0- or IMI 1.1 (DRAFT)-compliant identity selectors can obtain Information Cards backed by username/password, X.509 digital certificate, or Kerberos.
• Continued support for Windows CardSpace 1.0 in Windows 7, Windows Vista and Windows XP SP 3 running  .NET 3.5 SP1.

We have also adding two new mechanisms for interaction and feedback on this topic, a dedicated Information Card Issuance Forum and a monitored e-mail alias ici-ctp@microsoft.com.

Watch a video from the Office-SharePoint 2010 launch site about how Del Monte uses Forefront to secure its collaboration environments – including comments from Forrester senior analyst Andrew Chiquith. (Click here or on the image below for the video.)  A written case study about Del Monte is here.

From the case study:

Benefits
By deploying Microsoft Forefront Protection 2010 for SharePoint for protection and Active Directory Domain Services for identity–based access, Del Monte helps increase its collaboration, sharing, and access to information, while better protecting its assets. By strengthening its security capabilities, the company is equipped to aggressively pursue its collaboration strategy, taking full advantage of its investment in Microsoft SharePoint Server 2010.

Enhanced Business Control Without Compromising Flexibility
By using Forefront Protection 2010 for SharePoint, Del Monte benefits from tighter control of its business assets, including its intellectual property, through the use of multiple scanning engines and enhanced file filtering capabilities. Because Del Monte can configure the solution to meet its own business rules and changing security needs, the company retains maximum operational flexibility. “The ability to configure the settings at a granular level enables us to optimize our approach over time, so we can ensure rigorous security across all of our portal resources without negatively impacting productivity,” says Wynn.

Improved IT Management Through Real-Time Health Monitoring
The centralized Administrator Console and dashboard management tools in Forefront Protection 2010 for SharePoint provide the Del Monte IT team with access to consolidated information and analytics, helping to ease security management tasks.

Through these tools, Wynn and others can quickly evaluate the performance of scanning engines and track malware incidents and responses across the company’s entire server system. “Because I can get a comprehensive security status update in a matter of minutes, I can quickly prioritize the issues I need to address across projects and focus more time on achieving business goals,” says Wynn.

From the Microsoft identity blog:

In the category “Best Innovation”, the European Identity Award went to Microsoft for U-Prove. The U-Prove technology, which enables minimal disclosure of identity-related information is considered to be a pioneering effort in enhancing online privacy and security, by analyst firm Kuppinger-Cole & Partners.

In the category “Best Project”, the University of Washington was honored for its identity federation solution in research and education which was developed together with Microsoft and “Live@Edu”.

The University of Washington is delighted to have its work with Microsoft on federation services honored by Kuppinger Cole, said RL "Bob" Morgan, Identity Architect for UW Information Technology and Shibboleth Project core team member.  At UW, we are committed to standards-based federation to extend the value of UW identity to the services our users need. It is great to partner with Microsoft since they too are making a commitment to federation for Windows Live and Live@edu.  Live@edu's support of higher-education federations including InCommon is a key differentiator. Making it all work has many challenges, but it's essential so the higher-ed community can collaborate seamlessly and securely in cloud environments.

Nathan Dors, manager of Identity and Access Management for UW Information Technology, added that the partnership with Microsoft has been very positive. We agree with Microsoft on the importance of being both standards-oriented and pragmatic. Choice of federating technology is key and we appreciate Microsoft's striving to reach parity between AD FS 2.0 and Shibboleth solutions.

Also in the category “Best Project” Thomson Reuters was honored for its solution enabling users to easily and securely access various application services, which is based on Microsoft’s Windows Identity Foundation and Active Directory Federation Services (AD FS 2.0).

We are delighted to be acknowledged by international analyst firm Kuppinger Cole & Partners for our identity project with Treasura. Being able to provide a standards-based solution from Microsoft has enhanced application security and offered greater access control for our identity infrastructure project,” said Jason Shantz, Architect, Thomson Reuters.

And finally, in the category “Best Project” BMW was honored for its identity management solution covering more than 100,000 dealerships and other external users, replacing existing legacy systems. The project was a co-development with Omada and Microsoft.