Integrating Exchange 2010 Edge Transport with Forefront Threat Management Gateway (TMG) 2010

Introduction

One of the hallmarks of the Forefront Threat Management Gateway (TMG) 2010 edge security solution is its tight integration with Microsoft infrastructure and applications. One of the most popular workloads to protect with and provide secure remote access to is the Microsoft Exchange Server. Forefront TMG 2010 supports publishing Outlook Web App (OWA), Exchange ActiveSync (EAS), and Outlook Anywhere (OA) for Exchange 2010 back to Exchange 2000. Of course TMG can also publish client-to-server mail protocols such as IMAP, POP3, and SMTP. TMG also includes support for the Exchange 2007 and 2010 Edge Transport role. In this configuration, the Edge Transport role is installed on the same server as TMG and serves as a consolidated edge security and SMTP gateway solution.

Pros and Cons

Before we proceed with installing and configuring Exchange Edge Transport integration with TMG, it’s important to understand the advantages and disadvantages associated with consolidating the Exchange Edge Transport role with the Forefront TMG 2010 firewall.

Pros:

  • Installing the Exchange Edge Transport role on the TMG server allows for the consolidation of edge security services. In this configuration, TMG provides essential edge security protection, while at the same time serving as an integrated SMTP gateway for Exchange.
  • When the Exchange Edge Transport role is installed on a TMG Enterprise array configured with integrated Network Load Balancing (NLB), high availability is also provided for the Exchange Edge Transport role.

Cons:

  • Integrating the Exchange Edge Transport role complicates the configuration of the Forefront TMG 2010 firewall, making troubleshooting and support more difficult. In addition, the installation of the Exchange Edge Transport role increases the attack surface on the TMG firewall.
  • The Exchange Edge Transport role consumes resources on the TMG firewall (CPU, memory, disk space) and must also be updated on a regular basis along with the rest of the Exchange infrastructure. This increase in servicing requirements could translate in to additional downtime for the solution.

Installing Exchange Edge Transport

To install the Exchange Edge Transport role on the Forefront TMG 2010 server, navigate to the Exchange installation media (DVD, file share, etc.) and run setup.exe. Choose a language option to install, and then click Install Microsoft Exchange. Click Next on the introduction page, accept the license agreement, choose whether or not to participate in error reporting, and then select Custom Exchange Server Installation and click Next.

Image
Figure 1

Select the option to install the Edge Transport Role only.

Image
Figure 2

After deciding to participate in the Customer Experience Improvement Plan, the installation wizard will perform some readiness checks. Once complete, click Install.

Image
Figure 3

Once the installation finishes, deselect the option to Finalize this installation using the Exchange Management Console and click Finish. The Exchange Edge Transport Role will be managed exclusively using the Forefront TMG 2010 management console going forward.

Image
Figure 4

After the installation is complete, reboot the TMG firewall.

Image
Figure 5

Important Note:
After installing the Exchange Edge Transport role on the TMG firewall, be sure to install the same service packs and hotfix rollups that are currently running on your Exchange infrastructure.

Configuring Exchange Edge Transport

After rebooting the firewall, open the Forefront TMG 2010 management console, highlight the E-Mail Policy node in the navigation tree, and then click Configure E-Mail Policy in the Tasks pane. Choose Next, and then click Add to add any internal mail servers in your organization. Once complete, configure any Accepted authoritative domains.

Image
Figure 6

Select the TMG network where traffic to and from the internal mail servers will be accepted. This is most commonly the Internal network, unless you have configured your Exchange servers on a TMG perimeter network. If you have configured multiple IP addresses, you can optionally choose a specific IP address to assign the listener to.

Image
Figure 7

Select the TMG network where traffic will be received from the public Internet and specify the FQDN or IP address that the e-mail listener will use in response to SMTP session initiation messages (HELO, EHLO).

Image
Figure 8

Select the option to Enable connectivity for EdgeSync traffic. In addition, deselect the option to Enable spam filtering and Enable virus and content filtering. These two options require the installation of Forefront Protection for Exchange, which is outside the scope of this article.

Image
Figure 9

Review the configuration settings and click Finish. When prompted to enable the system policy rule to allow SMTP traffic, click Yes, then save and apply the configuration.

Image
Figure 10

Next, click the Generate Edge Subscription Files link in the Tasks pane and save the configuration file to a location accessible by the Exchange server running the Hub Transport role.

Configure Edge Subscription

In the Exchange Management Console on the Exchange server, expand Organization Configuration, highlight Hub Transport, and then click New Edge Subscription in the Actions pane.

Image
Figure 11

Select the name of the Active Directory site that the Edge Transport server will subscribe to, supply the location of the file generated previously on the TMG firewall, and then click New.

Image
Figure 12

To verify that the receive connectors were created correctly, expand the Server Configuration node and highlight Hub Transport

Image
Figure 13

E-mail should now be flowing properly through the Forefront TMG 2010 firewall using SMTP. To verify this, test with a valid e-mail account using an e-mail client. Optionally you can use the very helpful Microsoft Remote Connectivity Analyzer web site. Select Internet Email Tests and choose Inbound SMTP Email. If everything is configured correctly, the rest should provide successful results.

Image
Figure 14

Troubleshooting with PowerShell

If e-mail is not flowing, there are some PowerShell commands that can be helpful in troubleshooting. To verify that send connectors were created correctly, open the Exchange Management Shell and issue the following command:

Get-SendConnector

You should see two send connectors configured for EdgeSync.

Image
Figure 15

In addition, you may also need to initiate edge synchronization with Edge Transport running on the TMG firewall by issuing the following PowerShell command:

Start-EdgeSynchronization

Image
Figure 16

Summary

Tight integration with Windows workloads is a common theme with the Forefront TMG 2010 firewall. Microsoft Exchange is one of the most popular applications being protected with TMG, and the new Edge Transport role integration is a powerful new feature that enables integrated edge security and SMTP gateway functionality in a single solution. Installing and configuring Exchange Edge Transport on The TMG firewall is simple and straightforward, and it allows you to manage all of your edge security and SMTP gateway functionality with a single management console. All of this comes with a price, however. Integrated Exchange Edge Transport does make the solution more complex, which might lead to troubleshooting and/or support difficulties in the future.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top