Installing and Configuring the E-mail Hygiene Solution on the TMG 2010 Firewall – Part 2: E-Mail Policy

If you would like to read the other parts in this article series please go to:

• Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 1: Installation
• Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 3: Configuring Antispam Policy
• Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 4: Configuring Virus and Content Filtering
• Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 5: Configuring Edge Subscription and Testing

Introduction

In the first part of this series on the TMG firewall’s email hygiene solution, we went over the installation process required to make the TMG firewall an email gateway. Now that the email gateway components are installed, we can take a look at how to configure the email protection policy. We’ll start with enabling E-Mail Policy. This turns on the basic E-Mail protection features included with the TMG Email Gateway solution. After turning on email protection, you’ll have a working anti-spam and anti-malware solution right away. However, as you will see in subsequent articles in this series, you have quite a few options that you can customize so that email protection will meet the specific requirements for your organization.

As a reminder, TMG uses a two-pronged approach to email protection:

• Forefront Protection for Exchange 2010 – FPE is a anti-spam and anti-malware application, and also performs content filtering

• Exchange Edge Server – Exchange Edge Server can perform anti-spam and connection filtering duties

The combination of Exchange Edge Server and Forefront Protection for Exchange is what makes the TMG firewall such a power weapon in your arsenal against spam and email borne malware.

Let’s get started! There is a lot of material to cover.

Enabling Email Protection

Open the TMG firewall console and expand the computer name in the left pane of the console. There you will see a brand new node that wasn’t included in previous versions of the firewall – the E-Mail Policy node. Click on the E-Mail Policy node shown in Figure 1.

Figure 1

After clicking on the E-Mail Policy node, you’ll see three tabs in the middle pane:

• E-Mail Policy. Here you’ll configure settings to get email protection enabled.

• Spam Filtering. Here you’ll configure the anti-spam settings after email protection is enabled.

• Virus and Content Filtering. Here you’ll configure the anti-malware and content filtering settings for email protection.

Let’s get email protection started by clicking the Configure E-Mail Policy link as seen in Figure 2 below.

Figure 2

This starts the Welcome to the E-Mail Policy Wizard page shown in Figure 3. Click Next.

Figure 3

The next page is the Internal Mail Server Configuration page shown in Figure 4. Here you need to tell the TMG firewall the name and IP address of your internal SMTP server; this is the SMTP server on your internal network that is configured to accept incoming email from the Internet. It is also the internal SMTP server that will send outbound email to the Internet.

Click the Add button next to the Internal mail servers section. This brings up the Computer dialog box. Enter the name of the SMTP server and the IP address of the server. Alternatively, you can use the Browse button to find the server and the IP address and name will be entered for you. Note that you can have multiple mail servers on the Internal network for which you want to accept incoming mail.

Click OK.

Figure 4

Now click the second Add button, which is next to the Accepted authoritative domains section. This brings up the Add Authoritative Domain dialog box shown in Figure 5. Enter the name of a domain for which you want to accept incoming email. If you have multiple email domains for which you want to accept email, then click the Add button again and add another domain.

Note:
Any email that’s sent to your organization through the TMG firewall that does not have a destination email domain in the list will be rejected. This prevents your organization from acting as an open SMTP relay that can be exploited by spammers.

Figure 5

Click Next on the Internal Mail Server Configuration page, as shown in Figure 6.

Figure 6

On the Internal E-Mail Listener Configuration page, shown in Figure 7, select the Network from which you want to accept outbound mail. If you have multiple IP addresses on that NIC, you can click the Select Addresses button and select a specific IP address that you want to accept the outbound mail from your internal SMTP server.

Click Next.

Figure 7

On the External E-Mail Listener Configuration page, shown in Figure 8, put a checkmark in the checkbox for the Network on which you want to accept incoming email. In most cases, this is going to be the External Network. If you have multiple IP addresses on that interface, you can click the Select Addresses button and select a specific IP address at which you want to accept the incoming mail. In the FQDN or IP address text box on this page, enter the Fully Qualified Domain Name that you want the TMG firewall to use as a response to SMTP session initiation messages, such as HELO or EHLO. Make sure the reverse DNS record for this name resolves to the correct IP address, which is the address on which the incoming mail is being received.

Click Next.

Figure 8

Email Policy Options

On the E-Mail Policy Configuration page, shown in Figure 9, you can enable the following options:

• Spam filtering: This turns on Forefront Protection for Exchange antispam technology and uses multiple methods of anti-spam filtering to protect your organization from spam. It also takes advantage of anti-spam technology built into Exchange Edge Server.

• Virus and content filtering: This turns on Forefront Protection for Exchange anti-virus protection, and uses multiple anti-virus engines to protect you from email borne malware; in addition, it can perform content filtering so that key words and phrases can be detected to block inappropriate content.

• Connectivityfor EdgeSync traffic: You can subscribe to the Exchange Edge component on the TMG firewall with your Exchange organization. This allows you to do recipient filtering, so that mail addressed to users that are not in your organization will be rejected at the email gateway.

For the strongest protection, put checkmarks in each of these boxes and click Next.

Figure 9

If you select the Enable connectivity for EdgeSync traffic, you have more work to do. There are two steps that you’ll need to take and we’ll see how to do those in this article. The help file entries for the two steps – To create an Edge Subscription file and Using the Exchange Management Console to import the Edge Subscription file– are seen in Figures 10 and 11 below.

Figure 10

Figure 11

Click Finish on the last page of the Completing the E-Mail Policy Wizard page, shown in Figure 12.

Figure 12

A Microsoft Forefront Threat Management Gateway dialog box like the one shown in Figure 13 will appear next, asking if you want to enable System Policy Rules required for receiving and forwarding SMTP traffic. Yes, we want to do that, so click Yes.

Figure 13

Configuring Email Policy

At this point, we are ready to examine and configure email policy. Now you can click the Apply button to save your configuration, or you can wait until you are done. It is up to you. I like to click Apply more often than not, because I do not want to lose the configuration changes I have made in the event that the console hangs up. While I have not had any problems with the console hanging up with the TMG firewall, you never know when something bad might happen – and it is always better to be safe than sorry.

You can now see, in the middle pane of the console on the E-Mail Policy tab, the following settings:

• Email Policy: Enabled

• Spam Filtering: Enabled

• Virus and Content Filtering: Enabled

• Edge Subscription: Enabled

• Protection Manager Integration: Disabled

• E-Mail Policy Integration Mode: Enabled

Note that Forefront Protection Manager (formerly known as “Stirling”) can not be configured at this time because Forefront Protection Manger is in a state of flux. We will revisit this issue when FPM is more stable and the product group has a better idea of how it’s going to end up.

For now, double click the External_Mail_Servers entry, as seen in Figure 14 below.

Figure 14

This opens the External_Mail_Servers Properties dialog box, shown in Figure 15, where you can make updates to the External Mail Server settings. On the Listener tab, you can see the Networks and FQDN settings you made in the wizard.

Figure 15

If you click the E-Mail Policy link in the top of the middle pane (“Enabled” in Figure 14), you will see the E-Mail Policy dialog box that is shown in Figure 16. Here you can enable or disable Email Policy and protection. You will see similar options for the other links in the top section of the middle pane when you are in the E-Mail Policy tab.

Figure 16

At this point, you have a working configuration and now you can configure your MX records to send mail to the TMG firewall’s external interface. The default settings will work fine and will provide a high level of protection. However, as I mentioned earlier, you can customize the configuration to a major extent, and we will look at those customization options in subsequent articles in this series.

Troubleshooting

If you find that incoming mail is not reaching the TMG firewall after you make the changes to your MX records, consider some of the following issues in your troubleshooting approach:

• Check the TTL on your current MX record, and also the A record that the MX record is pointing to – this will let you know how fast your changes will “propagate” over the Internet.

• If there is a firewall or NAT device in front of the TMG firewall, make sure that it is forwarding incoming TCP port 25 messages to the IP address that you configured when you ran the wizard for the incoming email IP address

• If you have problems with outgoing mail, make sure that you’ve configure your SMTP server to use the TMG firewall as a “smart host” or configured the Exchange 2007/2010 connectors to use the TMG firewall for outbound connections.

• Check the Services console on the TMG firewall to make sure that all the TMG firewall services, as well as the Exchange and Forefront Protection for Exchange services have started.

Summary

In this, Part 2 of our series on TMG firewall’s email hygiene solution, we went over the procedures required to get the Email Protection components up and running. We configured the incoming SMTP listener, which is used to accept incoming mail, and we configure the outgoing SMTP listener, which is used to send outbound mail. We also enabled the Forefront Protection for Exchange and the Exchange Edge components so that anti-spam and anti-virus protection is enabled.

In the next article in this series, we will go into deeper detail about the spam filtering configuration on the TMG firewall. There are a number of configuration options that we will discuss in that article, including anti-spam features such as IP allow lists, IP allow list providers, IP block lists, IP block list providers, content filtering, recipient filtering, sending filtering, sender ID configuration and sender reputation configuration. I want to make it a fun and informative one, so do not miss it! See you next week. –Deb.