Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 1 – The Introduction

November 2009 was an exciting time. Not only did I turn another year older, but Microsoft launched both Exchange Server 2010 and Forefront Threat Management Gateway (TMG) 2010. Both of these products were eagerly awaited, and while the new features and great benefits of Exchange Server 2010 have already been (and will continue to be!) discussed, I am excited to talk about how TMG 2010 now allows administrators to consolidate their perimeter infrastructure into a single, secure point of entry for email and other messaging related services.

What is Forefront Threat Management Gateway (TMG) 2010? TMG is essentially the next generation of ISA Server (we’ve all come to know and love ISA 2006 since its release in late 2006) but with a few fantastic changes. The first of these is that, as with Exchange Server, it is 64-bit only. Other new features include URL filtering, web antivirus/anti-malware protection and many more.

I mentioned earlier in the introduction that TMG 2010 allows administrators to consolidate their perimeter infrastructure into a single, secure point of entry. This is done by combining it with a couple of other great technologies: it is now possible to install Exchange Edge, Forefront Protection for Exchange Server (FPES) and TMG 2010 on the same server. Management of the Exchange Server Edge, FPES and TMG 2010 services is all integrated into the TMG Management console, greatly reducing management complexity and overhead.

In this 6 part series, I’ll go through the process of installing Exchange Server Edge, FPES and TMG 2010 on the same server. The series will consist of the following posts:

  • Part 1 – The Introduction
  • Part 2 – Installing Exchange Server Edge
  • Part 3 – Installing Forefront Protection 2010 for Exchange Server
  • Part 4 – Installing Forefront Threat Management Gateway 2010
  • Part 5 – Putting it all together
  • Part 6 – Publishing Outlook Web App

This series is intended to be a detailed “how to”, so I’ll make use of a lot of screen shots of each of the steps of the process. There are many areas (especially when configuring Exchange Server) where making use of PowerShell or the Exchange Management Shell (EMS) may be quicker, but I have opted to use the MMC throughout.

Here is a brief overview of the environment I’ll use throughout this series; it is my lab environment. Below is a high level diagram of the environment, and I’ll discuss each server in a little more detail after it:


tltmg01.testlab.local: Windows 2008 R2 x64 with 2 NICs (Internal & External) – This is the Forefront TMG 2010 server with Exchange Server 2010 Edge and Forefront Protection 2010 for Exchange Server installed.

tlex01.testlab.local: Windows 2008 R2 x64 – This is the Exchange 2010 Hub Transport and Client Access server.

tlex02.testlab.local: Windows 2008 R2 x64 – This is the Exchange 2010 Mailbox server.

tldc01.testlab.local: Windows 2008 x64 – This is a Domain Controller and Global Catalog. This server also acts as a DNS server and is the Enterprise Root Certificate Authority.

Some things to look out for. There are a few important things to watch for when deploying this solution for the first time:

  • Time Sync – make sure the time on your Exchange servers and on the TMG/Exchange Edge server is perfectly in sync.
  • DNS – Misconfiguring DNS is a very common mistake in ISA/TMG deployments. There are many schools of thought here, but regardless of which one you follow, it is important to note that DNS entries are not NIC specific, so make sure you assign a DNS server to either the internal OR the external NIC, not both. Your TMG/Exchange Edge server must be able to resolve names internally, either through DNS or through hosts file entries.
  • Workgroup – Since we will be installing Exchange Server Edge, our TMG server will NOT be a domain member. It is important to put sufficient thought into how you will configure authentication for both reverse and forward proxy, since AD authentication will not work.
  • Primary DNS suffix – The TMG/Exchange Edge server will need its primary DNS suffix set manually, as it will not be a part of the domain.
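As an added pre-flight check for the four points above (this script is not part of the original post or of any Microsoft tooling), the following PowerShell runs on the Windows 2008 R2 TMG/Edge server and reports on each item. It assumes the DC tldc01 is the time source, that the internal names listed are the ones Edge must resolve, and that 5 seconds is an acceptable clock skew; adjust those for your own lab.

```powershell
# Added pre-flight check for the TMG/Exchange Edge server; not from the original post.
# Run in an elevated PowerShell prompt on tltmg01. Values below are assumptions for the lab.
$TimeSource    = 'tldc01.testlab.local'                        # assumed time source (the DC)
$InternalHosts = @('tlex01.testlab.local', 'tldc01.testlab.local')  # names Edge must resolve
$MaxSkewSec    = 5                                             # assumed acceptable offset

# 1. Time sync: sample the clock offset against the DC using the built-in w32tm tool.
$samples = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly 2>&1
$offsets = @($samples | Select-String '([+-]\d+\.\d+)s' |
             ForEach-Object { [math]::Abs([double]$_.Matches[0].Groups[1].Value) })
if ($offsets.Count -eq 0) {
    Write-Warning "Time: could not query $TimeSource (check NTP reachability and the DNS/hosts entry)"
} else {
    $maxOff = ($offsets | Measure-Object -Maximum).Maximum
    if ($maxOff -gt $MaxSkewSec) { Write-Warning "Time: clock differs from $TimeSource by $maxOff s (limit $MaxSkewSec s)" }
    else                         { Write-Host    "Time: OK (max offset $maxOff s)" }
}

# 2. DNS servers: they should be assigned to exactly one NIC (internal OR external), not both.
$nics    = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$withDns = @($nics | Where-Object { $_.DNSServerSearchOrder })
if ($withDns.Count -ne 1) {
    Write-Warning "DNS: $($withDns.Count) NICs carry DNS servers; configure them on one NIC only"
} else {
    Write-Host "DNS: OK (servers on '$($withDns[0].Description)': $($withDns[0].DNSServerSearchOrder -join ', '))"
}

# 3. Internal name resolution: a DNS record or a hosts file entry both satisfy this check.
foreach ($h in $InternalHosts) {
    try   { $ip = [System.Net.Dns]::GetHostAddresses($h)[0]; Write-Host "Resolve: $h -> $ip" }
    catch { Write-Warning "Resolve: $h does not resolve; add a DNS record or a hosts file entry" }
}

# 4. Workgroup membership and a manually set primary DNS suffix (stored under Tcpip\Parameters).
$cs     = Get-WmiObject Win32_ComputerSystem
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').'NV Domain'
if ($cs.PartOfDomain) { Write-Warning "Domain: server is domain-joined; the Edge/TMG server should be in a workgroup" }
else                  { Write-Host    "Domain: OK (workgroup '$($cs.Workgroup)')" }
if (-not $suffix)     { Write-Warning "Suffix: primary DNS suffix is empty; set it under Computer Name > Change > More" }
else                  { Write-Host    "Suffix: OK ($suffix)" }
```

Any warning printed here corresponds to one of the four pitfalls above and should be cleared before installing Exchange Edge in Part 2.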