Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 5 – Putting it all together

We finally have our consolidated Exchange Server Edge and TMG 2010 server installed, but what now? How do we take advantage of all the great new features? In this part of the series, I’ll configure our E-Mail Policy, create a new Edge Subscription and then configure Antivirus and File Filters.

First, we’ll configure our E-Mail Policy. Open the TMG Management Console, select “E-Mail Policy” and then select “Configure E-Mail Policy” from the Tasks pane.

On the “Welcome to the E-Mail Policy Wizard” screen, click “Next” to continue.

On the “Internal Mail Server Configuration” screen, add all the Exchange Hub Transport servers that you want incoming mail forwarded to. You also need to add your accepted domains. Then click “Next”.

For the “Internal E-Mail Listener”, choose the Internal network. You can also specify which IP address to listen on if multiple IP addresses are available. Click “Next”.

For the “External E-Mail Listener”, choose to listen on the External network and specify the FQDN that will be presented in HELO and EHLO commands.

Enable spam filtering and virus and content filtering. You also have the option to enable EdgeSync traffic; enable it here, as it creates the System Policy rule that allows port 50636 for communication with the Exchange Hub Transport server.

Click “Finish” to complete the E-Mail Policy wizard.

TMG will prompt you to create a System Policy; click “Yes”.

Once done, click “Apply” to apply the new E-Mail Policy.

Next, we set up a new Edge Subscription. From the TMG Management Console, navigate to “E-Mail Policy” and, in the “Tasks” pane, click “Generate Edge Subscription Files”.

Make a note of where you save this file. Once complete, copy the Edge Subscription file to your Hub Transport server.

Log on to your Hub Transport server and open the Exchange Management Console, then expand “Organization Configuration” and click “Hub Transport”. Click “New Edge Subscription” under the “Actions” menu.

Select the appropriate AD site and locate the Edge Subscription file copied from your TMG server. Click “New”.

Once the wizard completes successfully, click “Finish”.

Expand “Organization Configuration”, click “Hub Transport” and select the “Edge Subscriptions” tab. You should now see your Edge Subscription listed there.

On your Hub Transport server, ensure that the “Microsoft Exchange EdgeSync” service is set to start automatically.

On the Hub Transport server, open the Exchange Management Shell and start edge synchronization by issuing the following cmdlet:

Start-EdgeSynchronization


After a few minutes, you should be able to verify that your edge synchronization is working by opening the Exchange Management Shell and issuing the following cmdlet:

Get-SendConnector


Next, we need to verify the authentication settings on the Receive Connectors.

On the Hub Transport server, open the Exchange Management Console, expand “Server Configuration”, click “Hub Transport”, right-click the “Default Receive Connector” and select Properties. On the Authentication tab, verify that TLS and Exchange Server authentication are selected.

On the TMG server, open the TMG Management Console and navigate to “E-Mail Policy”, right-click the “Internal_Mail_Servers” route and select Properties. On the Listener tab, click “Authentication Settings” and verify that only TLS and Exchange Server Authentication are selected.
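The Edge Subscription, synchronization and Receive Connector checks above can be verified in one pass from the Exchange Management Shell on the Hub Transport server. The script below is an added example, not part of the original post; $TmgHost is an assumed placeholder for the consolidated TMG/Edge server name, and port 50636 is the EdgeSync port the E-Mail Policy wizard opened in the System Policy.

```powershell
# Added example (not from the original post): post-EdgeSync verification, run in the
# Exchange Management Shell on the Hub Transport server.
param([string]$TmgHost = "TMG1")   # placeholder: replace with your TMG/Edge server name

$ok = $true

# 1. The EdgeSync service must start automatically and be running.
$svc = Get-WmiObject Win32_Service -Filter "Name='MSExchangeEdgeSync'"
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    Write-Warning "MSExchangeEdgeSync is $($svc.StartMode)/$($svc.State); expected Auto/Running"
    $ok = $false
}

# 2. The secure LDAP port used by EdgeSync must be reachable through the TMG System Policy rule.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($TmgHost, 50636); $tcp.Close() }
catch { Write-Warning "Cannot reach ${TmgHost}:50636 (EdgeSync); check the TMG System Policy"; $ok = $false }

# 3. Start a sync and inspect the Result of every sync type (e.g. CouldNotConnect/Recipients
#    is what you see when AD LDS on the Edge server is not reachable yet).
Start-EdgeSynchronization | ForEach-Object {
    if ($_.Result -ne 'Success') {
        Write-Warning "EdgeSync $($_.Type) to $($_.Name): $($_.Result) - $($_.FailureDetails)"
        $ok = $false
    }
}

# 4. Test-EdgeSynchronization reports the overall state of each subscription.
Test-EdgeSynchronization | ForEach-Object {
    if ($_.SyncStatus -ne 'Normal') {
        Write-Warning "Subscription $($_.Name): SyncStatus=$($_.SyncStatus) $($_.FailureDetail)"
        $ok = $false
    }
}

# 5. EdgeSync creates the Send Connectors that route mail via the Edge server; list them.
Get-SendConnector | Select-Object Name, AddressSpaces, SourceTransportServers | Format-Table -AutoSize

# 6. The Hub's Default Receive Connector must use TLS and Exchange Server authentication,
#    matching the Internal_Mail_Servers listener on TMG.
Get-ReceiveConnector -Server $env:COMPUTERNAME | Where-Object { $_.Name -like 'Default*' } | ForEach-Object {
    $mech = $_.AuthMechanism.ToString()
    if ($mech -notmatch 'Tls' -or $mech -notmatch 'ExchangeServer') {
        Write-Warning "$($_.Identity) AuthMechanism is '$mech'; expected Tls, ExchangeServer"
        $ok = $false
    }
}

if ($ok) { "Edge subscription checks passed" } else { "One or more checks failed" }
```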

Lastly, we can configure antivirus scanning and file filtering settings. In this example I will enable three antivirus engines and configure file filtering to block .EXE files.

On the TMG server, open the TMG Management Console, click “E-Mail Policy”, then select the “Virus and Content Filtering” tab.

Click “Select AV Engines” in the Tasks pane. Select one or more engines from the list, then click “OK”.

Next, click the “Enabled” link below “File Filtering”. On the “File Filters” tab, click “Add” and then, on the General tab, give it a meaningful name. You can apply the filter to inbound and/or outbound messages.

On the File Types tab, select Microsoft Windows Executable. Click “Apply”.

Confirm that the filter has been added and click “OK”.

Once done, click “Apply” to apply the settings.

To summarise, in this part of the series I configured my E-Mail Policy. I then created and verified a new Edge Subscription. I finished off by configuring antivirus and creating a File Filter to block .EXE files.

In the next and final part of this series, I’ll look at how to securely publish Outlook Web App.


Comments

  • Javier Ibarra

    Hi! When I try to click “Generate Edge Subscription Files” and select a folder to save the files, it pops up a message showing the following text:
    “Microsoft Forefront TMG Managed Control Service XXXXXX is not responding”.
    Any ideas?

  • Chris

    Have you checked to see if the service is running?

  • Javier Ibarra

    Yep. I tried with Exchange PowerShell. The problem was that the certificate of the machine running TMG (SERVER-VM-TMG) did not have the correct friendly name, because it was missing the domain part.
    The friendly name was SERVER-VM-TMG; I changed it to SERVER-VM-TMG.intranet.teitor and it works fine!

  • Chris

    Well done for fixing it!

  • Ian

    Hi, I have the AD LDS role installed on EX1 but I get the following when I run Start-EdgeSynchronization:

    RunspaceId : 488afe7a-5a9f-4ad1-bb1a-038a2788de60
    Result : CouldNotConnect
    Type : Recipients
    Name : TMG1
    FailureDetails : The LDAP server is unavailable.
    StartUTC : 8/14/2010 12:14:25 AM
    EndUTC : 8/14/2010 12:14:46 AM
    Added : 0
    Deleted : 0
    Updated : 0
    Scanned : 0
    TargetScanned : 0

  • Ian

    Start-EdgeSynchronization runs OK AFTER Step 6 is done.

  • nandha

    Hi,
    Your documents on TMG with Exchange are very nice. I have a few questions for you: I had installed Exchange Edge Server 2007 and TMG for Exchange on a single server with two NICs in a workgroup environment. I had configured the subscription and everything is working fine, but I am unable to apply the engine updates in TMG for Exchange 2010.

    Please help me; what should I do?

    Thanks
    Nandha

  • Chris

    Hi Nandha, are you able to provide some more information? Any error messages?

  • nandha

    Hi

    Thank you for your reply. Please see the below error from my Event Viewer:

    Microsoft Forefront Protection encountered an error while performing a scan engine update.
    Scan Engine: WormList
    Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate
    Error Detail: An error occurred during the download procedure.

    Microsoft Forefront Protection encountered an error while performing a scan engine update.
    Scan Engine: WormList
    Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/WormList
    Proxy Settings: Disabled
    Error Code: 0x80004005
    WinHttpClient send request returned an invalid return code 403.

    My environment does not have a proxy server. The edge server WAN interface is directly connected to the firewall, the WAN interface IP address has been added to the exclusion list in the firewall, and from the edge server we are able to access the internet. When I open the above mentioned URL from my Internet Explorer, it opens with an error.

    Please advise.

    Thanks
    Nandha

  • Chris

    When you access those URLs from your browser, do you get an access denied error?

    Perhaps it is timing out; see http://support.microsoft.com/kb/939411 for some info on how to change the timeout period.

  • CLK

    Hi Chris,
    Firstly, congratulations on an excellent series of articles. I was also one of the early adopters of the TMG / Exchange / Forefront combination as a consultant & it has brought me many headaches! I have one question though – why did you set the authentication method on the TMG Internal_Mail_Servers route to be TLS / Exchange only?
    Thanks,
    Cindy

  • Chris

    Hi Cindy.

    Thanks for the compliments.

    In my setup, the Hub Transport server was set to TLS & Exchange Server auth so the TMG server was set to match (since they relay messages to each other). I hope this makes sense, let me know if it does not.

    Cheers,

    Chris

  • kashif

    Dear Chris

    After copying the Edge Subscription file from my TMG, when I make a rule on the Hub Transport server, an error occurs indicating time sync. Kindly reply how to resolve this.

  • Chris

    As stated in part 1, you need to make sure the time on your Exchange servers and TMG/Exchange Edge is perfectly in sync.

  • kashif

    Dear Chris.

    You mean to check the time of both servers at the same instance, or is there any service or other way to sync the time of both machines?

  • Schaefer

    Do you have a “how to” on installing TMG and Exchange 2010 Edge on separate servers?

    I am looking to keep the servers separate because TMG will be a member of the domain and Edge will not be a member.

  • Chris

    Hello Schaefer,

    Unfortunately I have not written any how-to material for your required scenario. This scenario is actually really common; perhaps these TechNet articles would be a good place to start:

      http://technet.microsoft.com/en-us/library/bb124701(v=exchg.141).aspx
      http://technet.microsoft.com/en-us/library/cc441445.aspx

    Cheers,

    Chris
