Archive: May, 2010

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 4 – Installing Forefront Threat Management Gateway

No comments May 28th, 2010

Here we are, Part 4 of the series. To recap what I have done thus far: I’ve installed the Exchange Server Edge role followed by Forefront Protection 2010 for Exchange Server.

In this part I install TMG 2010 and perform some basic configuration. The minimum system requirements for TMG 2010 can be found on Microsoft TechNet.

To get started, insert your Forefront Threat Management Gateway 2010 installation media and then select “Run Preparation Tool”.

This launches the “Forefront TMG Preparation Tool”. Read through the notes on the welcome screen and click “Next”. Read and accept the License Agreement and click “Next”.

Depending on your environment, select the appropriate Installation Type. I won’t be installing a TMG array, so I selected “Forefront TMG services and Management”. Then click “Next”.

Once all the prerequisite features have been installed, click “Finish” to launch the TMG 2010 installation wizard.

Click “Next” on the welcome screen. Read and accept the License Agreement and click “Next”.

Next you will be presented with the “Customer Information” page with the Product Serial Number. Once you have entered the appropriate details, click “Next” and verify the installation path. Change this as appropriate and click “Next”.

Next we need to define our internal network ranges. Be sure to include all of them here; mine are fairly simple and are all included in the range 172.0.0.0-172.0.0.255.

During the installation, some services will be restarted. Acknowledge this warning by clicking “Next”.

Click “Install” to begin the installation.

Once the installation has completed successfully, click “Finish”.

Congratulations, you now have TMG 2010 installed. Let’s look at some basic configuration. The first time you launch the TMG Management Console, you’ll be presented with the “Getting Started Wizard”. The first step is to “Configure network settings”.

Click “Next” to continue and then select the appropriate network template; you’ll want to select “Edge Firewall” here. It should be noted that the “Single network adapter” template has many limitations and will not work in our scenario. Click here to read more about single network adapter limitations. Click “Next” to continue.

Ensure that your LAN or “Internal” network settings are configured correctly and click “Next”. Note the absence of a “Default Gateway” on the internal NIC.

Then, ensure that your Internet or “External” network settings are configured correctly and click “Next”.

Click “Finish” to complete the network setup wizard.

The next step is to “Configure system settings”.

Click “Next” to continue and then confirm the “Host Identification” settings. Note once again that this server is a member of a workgroup and is not part of the domain. Click “Next”.

Click “Finish” to complete the system configuration wizard.

The final step is to “Define deployment options”.

Click “Next” to continue, and on the “Microsoft Update Setup” screen select the appropriate setting and click “Next”.

Activate the relevant licenses and features and click “Next”.

On the “NIS Signature Update Settings” screen, select the appropriate setting and click “Next”. If in doubt, just leave the defaults.

Would you like to join the “Customer Experience Improvement Program”? Make your selection and click “Next”, then decide if you would like to participate in the “Microsoft Telemetry Reporting Service”. Make your selection and click “Next”.

Click “Finish” to complete the deployment wizard.

You have now completed the “Getting Started Wizard”.

To summarise, in this part of the series I installed TMG 2010 and then proceeded to perform some basic configuration. In the next part of the series, I’ll configure our email policy and create a new Edge Subscription.

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 3 – Installing Forefront Protection for Exchange Server

No comments May 25th, 2010

Welcome to Part 3! In the previous part of the series I looked at the process of preparing a Windows Server 2008 R2 server for installation. I then installed the Exchange Server Edge Transport role.

In Part 3 of the series I’ll install Forefront Protection 2010 for Exchange Server. The installation is fairly quick and painless, so it should not take too long! I recommend checking out the minimum system requirements on Microsoft TechNet.

To get started, insert your Forefront Threat Management Gateway 2010 installation media and then select “Install Microsoft Forefront Protection 2010 for Exchange Server”.

The first step is to read and accept the License Agreement and click “Next”. You will then see the message “During the installation, it may be necessary to stop and start the following services..”; read it and acknowledge it by clicking “Next”.

Select the appropriate installation paths and click “Next”.

Enter any proxy server information (if required) and click “Next”.

Decide if you would like to enable Antispam now or later; these settings can be changed again once installed. Click “Next”.

Decide if you would like to enable Microsoft Update and click “Next”. Note: I have selected not to enable Microsoft Update at this time; depending on your environment, your selection may or may not be the same. It is always recommended to keep your servers up to date.

Would you like to join the “Customer Experience Improvement Program”? Decide and then click “Next”. Once you have confirmed your settings, click “Next” to begin the installation.

Once the installation has completed successfully, click “Finish”.

To summarise, in this part of the series I installed Forefront Protection 2010 for Exchange Server on the same server that already has the Exchange Edge Transport role installed from Part 2.

In the next part of the series I’ll install Forefront Threat Management Gateway 2010 on the same server.

Moving to Microsoft Exchange Online is easy…

No comments May 23rd, 2010

I recently decided to move my personal domain (cgoosen.com) to Microsoft Exchange Online and I thought it would be appropriate to share my experience. I had previously been using my web hosting provider’s mail service, and when I started having some unusual mail delivery problems I took that as a sign to do what I have been meaning to do for some time now.

Microsoft Exchange Online is Microsoft’s own hosted enterprise messaging solution based on Microsoft Exchange Server 2007. There are a number of reasons why I chose Exchange Online instead of just going with an Exchange Server based solution from a Microsoft partner; the main reason is that I anticipate this solution will continue to grow in popularity, especially once it is upgraded to Exchange 2010 and more organizations start making use of “Hybrid” installations.

I live in Australia, which meant that I had to purchase my Exchange Online services from Telstra Business instead of going directly to Microsoft. Once I had signed up, I was sent a link to the Microsoft Online admin panel.

At this point, the only Telstra involvement is that they are billing me around $3.50 US per month more than if I was able to go direct to Microsoft, and I personally don’t see the value they are adding. Just my opinion!

Once I had signed in, I was presented with a list of “Tasks I need To Do”.

The first step is to “Add your domain to Microsoft Online Services”. You also need to decide whether you would like Exchange Online to be authoritative for your domain or not.

As you would expect, you need to validate that you actually own the domain; this is done by creating a DNS CNAME record on your primary DNS server. Mine only took a couple of minutes.

The next step is to enable inbound messaging and change your MX record.

The final step is to create some user accounts and assign services to them. The services available depend on the licenses you have purchased.

User accounts can be created manually, or if you have a large number of accounts to create, they can be imported from a .CSV file. There are sample and template .CSV files available for download if you are unsure of the format.

The entire process was so simple that I was up and running in less than 30 minutes. I would recommend keeping your existing mailboxes in place for at least 48 hours to allow the new MX record to fully replicate.

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 2 – Installing Exchange Server Edge

3 comments May 20th, 2010

In Part 1 of the series I talked about Forefront Threat Management Gateway (TMG) 2010 and how it allows administrators to consolidate their perimeter infrastructure into a single, secure point of entry for email and other messaging related services.

In this part of the series it’s time to start getting our hands dirty, so to speak, and begin the installation process. Microsoft recommends the following installation order:

  1. Install Active Directory Lightweight Directory Services (AD LDS).
  2. Install the Exchange Server Edge Transport role.
  3. Install Forefront Protection 2010 for Exchange Server.
  4. Install TMG 2010.

In Part 2, we will start by installing Exchange Server Edge. For more information on the minimum system requirements, see Microsoft TechNet.

To get started, I have already installed Windows Server 2008 R2.

It is important to ensure that you have a Primary DNS suffix set. To set this:

  1. Right-click My Computer, and then click Properties. The System Properties dialog box will appear.
  2. Click the Computer Name tab.
  3. Click Change. The Computer Name Changes dialog box will appear.
  4. Click More. The DNS Suffix and NetBIOS Computer Name dialog box will appear.
  5. Enter the appropriate DNS suffix for the domain.
  6. Select the Change primary DNS suffix when domain membership changes check box.
  7. Click OK to save the changes, and then click OK to exit the Computer Name Changes dialog box.
  8. Click OK to close the System Properties dialog box, and then restart the computer for the change to take effect.

The first step is to install Active Directory Lightweight Directory Services (AD LDS); I have elected to do this via the “Add Roles Wizard” in “Server Manager”. If you do not already have .NET Framework 3.5.1 installed, the wizard will prompt you to install this feature as well.
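
The same preparation can be scripted from an elevated PowerShell prompt on Windows Server 2008 R2. The block below is an added example, not part of the original post: it sets the Primary DNS suffix that the eight dialog steps above set through the GUI (the registry values it writes are the ones that dialog changes), then installs AD LDS and .NET Framework 3.5.1 with the Server Manager module. The suffix testlab.local is taken from the lab described in Part 1, and the feature names ADLDS and NET-Framework-Core are the Server 2008 R2 names.

```powershell
# Added example, not from the original post: prepare a Windows Server 2008 R2
# workgroup server for the Exchange Edge Transport role without the GUI.
# Run from an elevated PowerShell prompt. Assumption: the primary DNS suffix
# is the lab's testlab.local; change it for your environment.

$DnsSuffix = "testlab.local"

# The primary DNS suffix is stored under the TCP/IP parameters key.
# "NV Domain" holds the configured suffix, "Domain" the effective one, and
# SyncDomainWithMembership = 1 is the "Change primary DNS suffix when domain
# membership changes" check box from the dialog described above.
$tcpip = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
Set-ItemProperty -Path $tcpip -Name "NV Domain" -Value $DnsSuffix
Set-ItemProperty -Path $tcpip -Name "Domain"    -Value $DnsSuffix
Set-ItemProperty -Path $tcpip -Name "SyncDomainWithMembership" -Value 1 -Type DWord

# Install AD LDS and .NET Framework 3.5.1 (feature name NET-Framework-Core on
# Server 2008 R2); this is what the "Add Roles Wizard" does behind the scenes.
Import-Module ServerManager
$result = Add-WindowsFeature -Name ADLDS, NET-Framework-Core

# Report what was installed and whether any feature failed.
$result.FeatureResult | Select-Object Name, Success | Format-Table -AutoSize
if (-not $result.Success) {
    Write-Warning "One or more features failed to install (exit code $($result.ExitCode))"
}

# The suffix change only takes effect after a restart, and the dialog above
# asks for one anyway. Reboot when you are ready:
#   Restart-Computer
# After the reboot, confirm the suffix the OS is actually using:
#   [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
```

The last line is the check worth keeping: it reports the suffix in effect rather than the value in the registry, so it is what to run after the restart before moving on to the Exchange setup.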

Once this part of the installation has completed, it is time to install the Exchange Server Edge Transport role. Once you launch Exchange Server 2010 setup, you can click Step 3 and choose your Exchange language option; I’m going to be installing only the languages on the DVD. Then click “Step 4: Install Microsoft Exchange”.

Read the introduction window of the setup wizard and click “Next”. Read and accept the License Agreement and click “Next” again. Make your selection on the “Error Reporting” window and click “Next”. Select “Custom Exchange Server Installation” on the “Installation Type” window, verify the installation path and click “Next”.

On the “Server Role Selection” window, select “Edge Transport Role”.

Read about the “Customer Experience Improvement Program” and make your selection about joining, then click “Next”. Verify that all Readiness Checks are successful and click “Install” to proceed with the installation.

Once the installation process completes successfully, click “Finish”.
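
The wizard pages above have an unattended equivalent in Exchange 2010's Setup.com. The block below is an added example, not from the original post: it runs the same Edge Transport role installation from an elevated PowerShell prompt and then checks the services the install leaves behind. It assumes the Exchange 2010 media is mounted as D: and that the readiness checks the wizard performs would pass.

```powershell
# Added example, not from the original post: unattended equivalent of the
# Exchange 2010 setup wizard steps above (Edge Transport role only).
# Assumption: the Exchange 2010 installation media is mounted as D:.
$Media = "D:"

# /mode:Install with /roles:EdgeTransport performs the same custom install the
# wizard does. /EnableErrorReporting mirrors the "Error Reporting" page choice;
# leave it out to opt out. Setup.com is the command-line installer on the media.
& "$Media\Setup.com" /mode:Install /roles:EdgeTransport /EnableErrorReporting

# Setup.com returns a non-zero exit code when a readiness check or the install
# itself fails; the detailed log lives under C:\ExchangeSetupLogs.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Setup returned $LASTEXITCODE; review C:\ExchangeSetupLogs\ExchangeSetup.log"
    return
}

# A working Edge Transport server has its own AD LDS instance (the
# ADAM_MSExchange service) and the transport service, both running.
Get-Service -Name ADAM_MSExchange, MSExchangeTransport | Select-Object Name, Status
```

Checking the two services is the quickest confirmation that the role is usable before Part 3 layers Forefront Protection on top of it; a stopped ADAM_MSExchange means the AD LDS instance that holds the Edge configuration did not come up.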

To summarise, in this part of the series I prepared a Windows Server 2008 R2 server by first ensuring that it had a Primary DNS suffix set, and installed Active Directory Lightweight Directory Services (AD LDS) and .NET Framework 3.5.1. I then proceeded to install the Exchange Server Edge Transport role.

In Part 3 I’ll install Forefront Protection 2010 for Exchange Server.

Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 1 – The Introduction

3 comments May 18th, 2010

November 2009 was an exciting time: not only did I turn another year older, but Microsoft launched both Exchange Server 2010 and Forefront Threat Management Gateway (TMG) 2010. Both of these products were eagerly awaited, and while the new features and great benefits of Exchange Server 2010 have already been (and will continue to be!) discussed, I am excited to talk about how TMG 2010 now allows administrators to consolidate their perimeter infrastructure into a single, secure point of entry for email and other messaging related services.

What is Forefront Threat Management Gateway (TMG) 2010? TMG is essentially the next generation of ISA Server (we’ve all come to know and love ISA 2006 since its release in late 2006), but with a few fantastic changes. The first of these is that, as with Exchange Server, it is 64-bit only. Other new features include URL filtering, web antivirus/anti-malware protection and many more.

I mentioned earlier in the introduction that TMG 2010 allows administrators to consolidate their perimeter infrastructure into a single, secure point of entry; this is done by combining it with a couple of other great technologies. It is now possible to install Exchange Edge, Forefront Protection for Exchange Server (FPES) and TMG 2010 on the same server. Management of the Exchange Server Edge, FPES and TMG 2010 services is all integrated into the TMG Management Console, greatly reducing management complexity and overhead.

In this 6-part series, I’ll go through the process of installing Exchange Server Edge, FPES and TMG 2010 on the same server. The series will consist of the following posts:

  • Part 1 – The Introduction
  • Part 2 – Installing Exchange Server Edge
  • Part 3 – Installing Forefront Protection 2010 for Exchange Server
  • Part 4 – Installing Forefront Threat Management Gateway 2010
  • Part 5 – Putting it all together
  • Part 6 – Publishing Outlook Web App

This series is intended to be a detailed “how to”, so I’ll make use of a lot of screenshots of each of the steps of the process. There are many areas (especially when configuring Exchange Server) where making use of PowerShell or the Exchange Management Shell (EMS) may be quicker, but I have opted to use the MMC throughout.

Here is a brief overview of the environment I’ll use throughout this series; it is my lab environment. Here is a high-level diagram of the environment, and I’ll discuss each server in a little more detail below:

[Diagram: lab environment]

tltmg01.testlab.local: Windows 2008 R2 x64 with 2 NICS (Internal & External) – This is the Forefront TMG 2010 server with Exchange Server 2010 Edge and Forefront Protection 2010 for Exchange Server installed.

tlex01.testlab.local: Windows 2008 R2 x64 – This is the Exchange 2010 Hub Transport and Client Access server.

tlex02.testlab.local: Windows 2008 R2 x64 – This is the Exchange 2010 Mailbox server.

tldc01.testlab.local: Windows 2008 x64 – This is a Domain Controller and Global Catalog. This server also acts as a DNS server and is the Enterprise Root Certificate Authority.

Some things to look out for: there are a few important things to watch when deploying this solution for the first time. These are:

  • Time Sync – make sure the time on your Exchange servers and the TMG/Exchange Edge server is perfectly in sync.
  • DNS – Misconfiguring DNS is a very common mistake in ISA/TMG deployments. There are many schools of thought here, but regardless of which one you follow, it is important to note that DNS entries are not NIC-specific, so make sure you assign a DNS server to either the internal OR the external NIC, not both. Your TMG/Exchange Edge server must be able to resolve names internally, either through DNS or host entries.
  • Workgroup – Since we will be installing Exchange Server Edge, our TMG server will NOT be a domain member. It is important to put sufficient thought into how you will configure authentication for both reverse and forward proxy, since AD authentication will not work.
  • Primary DNS suffix – The TMG/Exchange Edge server will need its Primary DNS suffix manually set, as it will not be a part of the domain.
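
All four of these points can be verified before the installs begin. The block below is an added example, not part of the original post: a pre-installation check run on the TMG/Exchange Edge server that measures the clock offset against a time source, lists which NICs carry DNS servers and whether an internal name resolves, confirms the server is not domain-joined, and compares the Primary DNS suffix in effect with the expected value. It assumes tldc01.testlab.local (the lab domain controller) is the time source, tlex01.testlab.local is the internal server that must resolve, testlab.local is the expected suffix, the five-second tolerance is a constructed value, and the w32tm output uses a "." decimal separator.

```powershell
# Added example, not from the original post: pre-installation checks for the
# four points listed above, run on the TMG/Exchange Edge server.
# Assumptions (from the Part 1 lab): tldc01 is the time source, tlex01 is an
# internal host that must resolve, testlab.local is the expected suffix.
$TimeSource   = "tldc01.testlab.local"
$InternalHost = "tlex01.testlab.local"
$Suffix       = "testlab.local"
$MaxSkewSec   = 5          # constructed tolerance; EdgeSync and certificate checks fail long before minutes of drift

$problems = @()

# 1. Time sync: w32tm samples the offset to the time source, e.g. "+00.0123456s".
$lines = w32tm /stripchart /computer:$TimeSource /samples:1 /dataonly
$match = $lines | Select-String -Pattern '[-+]\d+\.\d+s' | Select-Object -First 1
if ($match) {
    $offset = [double]$match.Matches[0].Value.TrimEnd('s')
    "Clock offset from ${TimeSource}: $offset s"
    if ([math]::Abs($offset) -gt $MaxSkewSec) { $problems += "Clock is off by $offset s from $TimeSource" }
} else {
    $problems += "Could not sample time from $TimeSource (is NTP, UDP 123, reachable?)"
}

# 2. DNS: DNS servers should be assigned on exactly one NIC, and internal names
#    must resolve, whether through DNS or a hosts entry.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    "{0}: IP={1} DNS={2}" -f $nic.Description, ($nic.IPAddress -join ","), ($nic.DNSServerSearchOrder -join ",")
}
$withDns = @($nics | Where-Object { $_.DNSServerSearchOrder })
if ($withDns.Count -ne 1) {
    $problems += "DNS servers are set on $($withDns.Count) adapters; set them on the internal OR the external NIC only"
}
try {
    $addr = [System.Net.Dns]::GetHostAddresses($InternalHost) | ForEach-Object { $_.IPAddressToString }
    "$InternalHost resolves to $($addr -join ',')"
} catch {
    $problems += "$InternalHost does not resolve; fix the DNS server assignment or add a hosts entry"
}

# 3. Workgroup: this design keeps the TMG/Exchange Edge server out of the domain.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) { $problems += "Server is joined to $($cs.Domain); this series expects a workgroup server" }

# 4. Primary DNS suffix: set by hand because no domain is there to supply it.
$actual = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
if ($actual -ne $Suffix) { $problems += "Primary DNS suffix is '$actual', expected '$Suffix'" }

if ($problems.Count -eq 0) { "All pre-installation checks passed" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it once before Part 2's installs and again after the Primary DNS suffix reboot; the DNS and time checks are the ones that tend to drift later, so the script is also a reasonable thing to keep for troubleshooting EdgeSync problems in Part 5.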