Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 5 – Putting it all together
We finally have our consolidated Exchange Server Edge and TMG 2010 server installed, but what now? How do we take advantage of all the great new features? In this part of the series, I’ll configure our E-Mail Policy, create a new Edge Subscription and then configure Antivirus and File Filters.
Firstly, we’ll configure our E-Mail Policy. Open the TMG Management Console, select “E-Mail Policy” and then select “Configure E-Mail Policy” from the Tasks pane.
On the “Welcome to the E-Mail Policy Wizard” screen, click “Next” to continue.
On the “Internal Mail Server Configuration” screen, add all the Exchange Hub Transport servers that you want incoming mail forwarded to. You also need to add your accepted domains. Then click “Next”.
For the “Internal E-Mail Listener”, choose the Internal network. You can also specify which IP address to listen on if multiple IP addresses are available. Click “Next”.
For the “External E-Mail Listener” choose to listen on the External network and specify the FQDN that will be presented in HELO and EHLO commands.
Enable spam filtering and virus and content filtering. You also have the option to enable EdgeSync traffic; enable it here, because it creates the relevant System Policy rule that allows port 50636 for communication with the Exchange Hub Transport server.
Click “Finish” to complete the E-Mail Policy wizard.
TMG will prompt you to create a System Policy; click “Yes”.
Once done, click “Apply” to apply the new E-Mail Policy.
Next, we set up a new Edge Subscription. From the TMG Management Console, navigate to “E-Mail Policy” and in the Tasks pane click “Generate Edge Subscription Files”.
Make a note of where you save this file. Once complete, copy the edge subscription file to your Hub Transport server.
Log on to your Hub Transport server and open the Exchange Management Console, then expand “Organization Configuration” and click on “Hub Transport”. Click “New Edge Subscription” under the “Actions” menu.
Select the appropriate AD site and locate the Edge Subscription file copied from your TMG server. Click “New”.
Once the wizard completes successfully, click “Finish”.
Expand “Organization Configuration”, click on “Hub Transport” and select the “Edge Subscriptions” tab. You should now see your edge subscription listed there.
On your Hub Transport server, ensure that the “Microsoft Exchange EdgeSync” service is set to automatically start.
On the Hub Transport server, open the Exchange Management Shell and start edge synchronization by issuing the following cmdlet:
Start-EdgeSynchronization
After a few minutes, you should be able to verify that your edge synchronization is working by opening the Exchange Management Shell and issuing the following cmdlet (the EdgeSync send connectors should now be listed):
Get-SendConnector
Next, we need to verify the authentication settings on the Receive Connectors.
On the Hub Transport server, open the Exchange Management Console and expand to “Server Configuration”, click on “Hub Transport”, right click on the “Default Receive Connector” and select Properties. On the Authentication tab, verify that TLS and Exchange Server authentication are selected.
On the TMG server, open the TMG Management console and navigate to “E-Mail Policy”, right click on the “Internal_Mail_Servers” route and select Properties. On the Listener tab, click “Authentication Settings” and verify that only TLS and Exchange Server Authentication are selected.
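The same verification can be scripted from the Exchange Management Shell on the Hub Transport server. The following is an added example, not part of the original post, that checks the subscription, runs and inspects a synchronization, lists the EdgeSync send connectors and confirms the receive connector authentication described above. The server names HUB01 and TMG1 and the connector name “Default HUB01” (the Exchange 2010 default of “Default <ServerName>”) are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Hub Transport server once the Edge Subscription has been imported.
# Assumed names: Hub Transport server "HUB01", TMG/Edge server "TMG1".
$hub  = "HUB01"
$edge = "TMG1"

# 1. Confirm the subscription exists and which AD site it belongs to.
Get-EdgeSubscription | Format-Table Name, Site, Domain -AutoSize

# 2. Start a synchronization and look at the per-target result. Anything other than
#    "Success" in Result (for example CouldNotConnect with "The LDAP server is
#    unavailable") means the Hub could not reach AD LDS on the Edge server over TCP 50636.
$results = Start-EdgeSynchronization -Server $hub
$results | Format-Table Name, Type, Result, FailureDetails, Added, Deleted, Updated -AutoSize
$failed = $results | Where-Object { $_.Result -ne "Success" }
if ($failed) { Write-Warning "EdgeSync reported $($failed.Count) failed target(s) for $edge" }

# 3. Compare what actually replicated (recipients, send connectors, accepted domains).
Test-EdgeSynchronization -FullCompareMode | Format-List

# 4. EdgeSync creates two send connectors automatically (names start with "EdgeSync - ").
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*" } |
    Format-Table Name, AddressSpaces, SourceTransportServers, Enabled -AutoSize

# 5. The Hub's default receive connector must offer TLS and Exchange Server authentication,
#    matching the Internal_Mail_Servers listener on TMG.
$rc   = Get-ReceiveConnector | Where-Object { $_.Name -eq "Default $hub" }
$auth = $rc.AuthMechanism.ToString()
$rc | Format-List Identity, AuthMechanism, PermissionGroups
if ($auth -notmatch "Tls" -or $auth -notmatch "ExchangeServer") {
    Write-Warning "Receive connector '$($rc.Identity)' has AuthMechanism '$auth'; TLS and ExchangeServer are expected"
}
```

Run the script as a user with Exchange organization management rights; step 2 is safe to repeat, since EdgeSync replication is idempotent and only pushes changes since the last run.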
Lastly, we can configure Antivirus scanning and file filtering settings. In this example I will enable three antivirus engines and configure file filtering to block .EXE files.
On the TMG server, open the TMG Management Console, click “E-Mail Policy”, then select the “Virus and Content Filtering” tab.
Click “Select AV Engines” on the Tasks pane. Select one or more engines from the list, then click “OK”.
Next, click the “Enabled” link below “File Filtering”. On the “File Filters” tab, click “Add” and then, on the General tab, give the filter a meaningful name. You can apply the filter to inbound and/or outbound messages.
On the File Types tab select “Microsoft Windows Executable”. Click “Apply”.
Confirm that the filter has been added and click “OK”.
Once done, click “Apply” to apply the settings.
To summarise, in this part of the series I configured my E-Mail Policy. I then created and verified a new Edge Subscription. I finished off by configuring Antivirus and creating a File Filter to block .EXE files.
In the next and final part of this series, I’ll look at how to securely publish Outlook Web App.
Hi! When I click “Generate Edge Subscription Files” and select a folder to save the files, a popup appears with the following text:
“Microsoft Forefront TMG Managed Control Service XXXXXX is not responding”.
Any ideas?
Have you checked to see if the service is running?
Yep. I tried with Exchange PowerShell. The problem was that the certificate of the machine running TMG (SERVER-VM-TMG) did not have the correct friendly name, because it was missing the domain part.
The friendly name was SERVER-VM-TMG; I changed it to SERVER-VM-TMG.intranet.teitor and it works fine!
Well done for fixing it!
Hi, I have the AD LDS role installed on EX1 but I get the following when I run Start-EdgeSynchronization:
RunspaceId : 488afe7a-5a9f-4ad1-bb1a-038a2788de60
Result : CouldNotConnect
Type : Recipients
Name : TMG1
FailureDetails : The LDAP server is unavailable.
StartUTC : 8/14/2010 12:14:25 AM
EndUTC : 8/14/2010 12:14:46 AM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
Start-EdgeSynchronization runs OK AFTER Step 6 is done.
Hi,
Your documents are very nice for TMG with Exchange. I have a few questions for you. I have installed Exchange Edge Server 2007 and TMG for Exchange on a single server with two NICs in a workgroup environment. I have configured all the subscriptions and everything is working fine, but I am unable to update the engines in TMG for Exchange 2010.
Please help me; what should I do?
Thanks
Nandha
Hi Nandha, are you able to provide some more information? Any error messages?
Hi
Thank you for your reply. Please see the below error from my Event Viewer:
Microsoft Forefront Protection encountered an error while performing a scan engine update.
Scan Engine: WormList
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate
Error Detail: An error occurred during the download procedure.
Microsoft Forefront Protection encountered an error while performing a scan engine update.
Scan Engine: WormList
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/WormList
Proxy Settings: Disabled
Error Code: 0x80004005
WinHttpClient send request returned an invalid return code 403.
My environment does not have a proxy server. The Edge server WAN interface is directly connected to the firewall, the WAN interface IP address is on the exclusion list in the firewall, and from the Edge server we are able to access the internet. When I open the above mentioned URL from my Internet Explorer, it opens with an error.
Please advise.
Thanks
Nandha
When you access those URLs from your browser, do you get an access denied error?
Perhaps it is timing out; see http://support.microsoft.com/kb/939411 for some info on how to change the timeout period.
Hi Chris,
Firstly, congratulations on an excellent series of articles. I was also one of the early adopters of the TMG / Exchange / Forefront combination as a consultant, and it has brought me many headaches! I have one question though: why did you set the authentication method on the TMG Internal_Mail_Servers route to be TLS / Exchange only?
Thanks,
Cindy
Hi Cindy.
Thanks for the compliments.
In my setup, the Hub Transport server was set to TLS and Exchange Server auth, so the TMG server was set to match (since they relay messages to each other). I hope this makes sense; let me know if it does not.
Cheers,
Chris
Dear Chris
After copying the Edge Subscription file from my TMG, when I create the subscription on the Hub Transport server, an error occurs indicating a time sync problem. Kindly reply and tell me how to resolve it.
As stated in part 1, you need to make sure the time on your Exchange servers and TMG/Exchange Edge is perfectly in sync.
Dear Chris.
You mean to check the time of both servers at the same instant, or is there a service or another way to sync the time of both machines?
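Two of the problems raised in the comments, the “CouldNotConnect / The LDAP server is unavailable” result from Start-EdgeSynchronization and the time-sync error when importing the subscription, can be narrowed down with a few checks from the Hub Transport server. The following is an added example, not a reply from the post’s author or its commenters; the names TMG1 (the Edge/TMG server), DC01 (a domain controller used as the time reference) and the function Test-EdgeSyncPort are assumptions. The Windows Time (w32tm) commands and the AD LDS port 50636 are real; everything else is constructed for illustration.

```powershell
# Added example (not from the original post or its comments). Run elevated on the
# Hub Transport server. Assumed names: Edge/TMG server "TMG1", domain controller "DC01".
$edge = "TMG1"
$dc   = "DC01"

# 1. Time skew. Part 1 of the series requires the Hub and Edge clocks to be in sync.
#    Measure this server's offset against the domain controller; run the same stripchart
#    on the Edge server so both machines are compared to the same reference.
w32tm /query /status
w32tm /stripchart /computer:$dc /samples:3 /dataonly

# The Edge/TMG server is in a workgroup, so it will not pick up domain time on its own.
# On that server (run separately, elevated) point it at the same reference and resync:
#   w32tm /config /manualpeerlist:DC01 /syncfromflags:manual /update
#   w32tm /resync

# 2. Is AD LDS on the Edge server reachable on the secure LDAP port EdgeSync uses (TCP 50636)?
#    Test-NetConnection is not available on Server 2008 R2, so use .NET's TcpClient with a timeout.
function Test-EdgeSyncPort {
    param([string]$ComputerName, [int]$Port = 50636, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false   # no answer: TMG system policy, NIC binding or AD LDS service
        }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false       # refused or name resolution failed
    } finally {
        $client.Close()
    }
}

if (Test-EdgeSyncPort -ComputerName $edge) {
    Write-Host "TCP 50636 to $edge is reachable"
} else {
    Write-Warning "Cannot reach $edge on TCP 50636; check the EdgeSync system policy rule on TMG and that the AD LDS instance is running"
}

# 3. Name resolution. The Hub must resolve the Edge server's name to its internal NIC, and
#    (as one commenter found) the Edge server's certificate friendly name must carry the
#    full FQDN that the Hub uses.
[System.Net.Dns]::GetHostAddresses($edge) | Select-Object IPAddressToString
```

If step 2 fails while the port test succeeds from the TMG server itself, the traffic is being dropped between the two servers rather than by AD LDS; the EdgeSync system policy rule created by the E-Mail Policy wizard is the first place to look.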