Consolidated E-Mail Hygiene and Encryption Service (E-Hub)

The Consolidated E-Mail Hygiene and Encryption Service (E-Hub) secures and protects the State’s inbound, outbound, and inter-departmental email by implementing a highly available email hygiene solution with a rich tool set and capabilities including email encryption, content filtering, uniform anti-spam and anti-virus scanning.

  • This offering is classified as a Current Service.


  • Improves security and protection of the state’s critical email services
  • Reduces network load as email filtering is performed at the enterprise network border


  • Implements consistent email filtering services and technologies
  • Serves as a centralized hub for inter-departmental message exchange


  • Establishes a central point of administration
  • Eliminates the State’s need for multiple, independent email hygiene gateways

State agencies connect to the vendor service using the TLS protocol. This ensures communications between each state agency and the vendor is over a secure network connection.

Data Centers

Microsoft’s FOSE is powered by a global network of data centers based on a fault-tolerant and redundant architecture and is load-balanced both site-to-site and internally within each data center. Figure 1 shows the physical location of the data centers that make up the global network. If a data center is suddenly unavailable, traffic is automatically routed to another data center without any interruption to service. Thousands of email servers across the network of data centers accept email on the customers’ behalf, providing a layer of separation between their servers and the Internet. Furthermore, Microsoft algorithms analyze and route message traffic between data centers to ensure the most timely and efficient delivery. With this highly available network, Microsoft guarantees 99.999 percent uptime through service level agreements. This approach, built on a distributed server and software model, has proven successful in helping protect customers’ fragile corporate networks and email servers from common threats, such as dangerous worms, denial-of-service assaults, directory harvest and dictionary attacks, and other forms of email abuse.

Data Centers


The vendor is responsible for all hardware needed to support the E-Hub environment.


The E-Hub service is scalable and can easily meet the needs of the Customers.


The vendor is responsible for all software needed to support the E-Hub environment.

Real time reporting and the powerful Message Trace tool give administrators insight into their email environment by retrieving the status of any email processed by Forefront Online Security for Exchange in real-time.

CDT has contracted with a vendor to provide consolidated e-mail hygiene and e-mail encryption service. A competitive bid was conducted and was awarded to Microsoft for their ForeFront Online Security for Exchange (FOSE) Hosted Filtering and Encryption solution.

Multi-engine Spam and Virus Scanning

Powered by multiple filtering engines and an around-the-clock team of anti-spam experts, Forefront Online Security for Exchange virtually eliminates spam from inboxes, helping to provide bandwidth for legitimate corporate use. FOSE virus scanning helps provide zero-day threat protection against known and unknown threats by using multiple antivirus engines that are integrated at the application programming interface level to provide timely virus definition updates and utilize sophisticated heuristic engines.

Multi-engine Spam and Virus Scanning

Active Content, Connection and Policy-based Filtering

This highly customizable filter helps administrators comply with corporate policies on email usage and with government regulations.

Forced Transport Layer Security (TLS) Option

By creating a Forced TLS rule in the policy filter, administrators can help ensure that sensitive email is encrypted in transport.


Microsoft Exchange Hosted Encryption provides policy-based encryption from sender to recipient with no end-user training or software installation.


For more information, see Security Services.

The Administration Center is a Web portal that service administrators will use to manage settings and user accounts. All administrative access will be over Secure Sockets Layer (SSL).

CDT holds the contracts for this service and maintain the top level statewide security settings for email hygiene.

CDT bills for consulting services when those services exceed the workload in the rates approved. For more information please see Consulting Services.

How long is the on boarding process?

Customer on-boarding generally takes between two weeks and 60 days. Customers can be up and running in as little as two weeks however, many customers setup test and or pilot domains to gain familiarity with the service and determine any organization specific policies to be implanted. Customers have 90 days of initial direct support through an assigned Microsoft Implementation Project Manager (IPM) and it is expected that customers will provided the necessary staffing resources to complete on boarding within the 90 day window.

What Microsoft products already provide E-Hub licensing?

The following products from Microsoft include:

  • Forefront Online Security for Exchange (E-Hub) licensing:
  • Microsoft Enterprise Client Access License Suite
  • Microsoft Exchange Enterprise Client Access License
  • Microsoft Forefront Security Suite
  • Microsoft Forefront Online Security for Exchange

How do I determine the number of Encryption licenses my organization will need?

Encryption licenses are billed based upon customer estimation of the number of unique users per month that will trigger either a manual or automatic encryption policy. Most organizations will implement a policy that will cause a message to be sent encrypted by simply putting a key word or phrase in the subject line. This is commonly referred to as a manual encryption policy as the user manually causes the encryption policy to activate. Automatic encryption policies are triggered by key words or patterns such as social security number, credit card number or specific words, in an email subject or body and are not triggered intentionally by the user. Depending upon your policy configuration you may be a light, moderate or heavy consumer of encryption services. You can use the following guidelines to estimate your initial licensing purchase and utilize E-Hub reporting to monitor actual usage over time. Light Use – 3% of total user seat count Moderate Use – 6% of total user seat count Heavy Use – 10% of total user seat count

Who do I contact for more information or to schedule a one on one meeting to discuss E-Hub services?

Please contact your Account Lead if you have any questions not covered here or if you would like to schedule a one on one meeting to discuss E-Hub service.

Who do I contact for support with E-Hub?

End users should contact their organizations email support team. Customer E-Hub Administrators have two support options:

  • If you have a Microsoft Premier contract you can directly open up E-Hub (Microsoft Forefront Online Security for Exchange) incidents through your Premier portal. These incidents do not decrement against your available Microsoft Support Incidents and are included in your E-Hub service.
  • Customer E-Hub Administrators can also contact the CDT Service Desk for support.

What are the statewide policy settings for E-Hub?

  1. The following polices are compliance based and all E-Hub customers are expected to comply.
    1. Replace existing and implement any new email auditing rules using the E-Hub service.
    2. Replace existing and implement any new email encryption capabilities using the E-Hub encryption service.
    3. Communication from SMTP Gateway to Microsoft must be through a secure connection (i.e. TLS).
    4. Restrict mail routing to Microsoft data centers in the continental United States only..
    5. Synchronize email directory and set Directory-Based Edge Blocking mode to Reject.
  2. The following Policies are configured within the service itself and customer can apply more restrictive but not less restrictive policy within their own domains.
    1. Spam Filtering – Always Enabled (95% Block Rate)
    2. Turn on the following Additional Spam Filtering Options (99% Block Rate)
      1. Image links to remote sites
      2. Numeric IP in URL
      3. Empty messages
    3. Set message deferral notification to notify after 500 deferrals
    4. Set message size to 100 MB maximum for inbound and outbound email
    5. Block the following file extensions:
      1. .exe
      2. .dll
      3. .bat
      4. .cmd
      5. .bin
      6. .com
      7. .scr

Are we mandated to use CDT's E-Hub service?

The Office of the Chief Information Officer has published the Email Hygiene and Encryption Standard (PDF)which states the E-Hub is to be used by all email systems within the Executive Branch of state Government.

How do I report if an email should have been flagged as spam (False Negative)?

Unfiltered Spam can be reported by forwarding the message including full Internet headers to:*.

* Please follow the submission process as outlined in Spam Submission and Evaluation.

How do I report an email that is incorrectly identified as spam (False Positive)?

False Positives can be reported through the Spam Quarantine Interface or by forwarding the message including full Internet headers to:*. This method is only recommended for departments that do not utilize the Spam Quarantine feature of E-Hub and instead use a tag and deliver configuration.

The preferred method is to use the “Not Junk” option in the Spam Quarantine interface as this automatically submits the message as a false positive to Microsoft for review. If the ‘Not Junk’ option is unavailable then the message was placed in quarantine by departmental policy and cannot be submitted as a false positive.

* Please follow the submission process as outlined in Spam Submission and Evaluation.

Subscriptions to this service are available and can be referenced in the CDT Rate Schedule.

Service CodeService DescriptionUnit of MeasurementRateGroupComment(s)
E231E-Mail Hygiene ServiceMailbox/Month$0.56CA emailService to be sunsetted Dec, 2017
E232E-Mail Hygiene Service (Customer Has ECAL License)Mailbox/Month$0.13CA emailService to be sunsetted Dec, 2017

Collect necessary information in preparation for submitting a service request for E-Hub service.

  1. Number of Users (resource mailboxes do not add additional seat count)
  2. Existing mail system (specific version of Microsoft Exchange or Other)
  3. List of existing email domains and IP addresses of existing email send and receive gateways
  4. Licensing Model
    • Customers can use one of two licensing models to provide the necessary per user licenses
      • Bring Your Own License (BYOL) – Customers who have qualifying products under existing Microsoft agreements may already be entitled to per user licensing
      • Licensing provided through CDT Service Agreement
  5. Main and Technical contact information
  6. Complete the E-Hub Service Enrollment Form and attach to your Remedy Service Request.