Integrating Exchange 2010 Edge Transport with Forefront Threat Management Gateway (TMG) 2010
One of the hallmarks of the Forefront Threat Management Gateway (TMG) 2010 edge security solution is its tight integration with Microsoft infrastructure and applications. One of the most popular workloads to protect, and to provide secure remote access to, is Microsoft Exchange Server. Forefront TMG 2010 supports publishing Outlook Web App (OWA), Exchange ActiveSync (EAS), and Outlook Anywhere (OA) for Exchange 2010 back to Exchange 2000. Of course, TMG can also publish client-to-server mail protocols such as IMAP, POP3, and SMTP. TMG also includes support for the Exchange 2007 and 2010 Edge Transport role. In this configuration, the Edge Transport role is installed on the same server as TMG and serves as a consolidated edge security and SMTP gateway solution.
Pros and Cons
Before we proceed with installing and configuring Exchange Edge Transport integration with TMG, it’s important to understand the advantages and disadvantages associated with consolidating the Exchange Edge Transport role with the Forefront TMG 2010 firewall.
- Installing the Exchange Edge Transport role on the TMG server allows for the consolidation of edge security services. In this configuration, TMG provides essential edge security protection, while at the same time serving as an integrated SMTP gateway for Exchange.
- When the Exchange Edge Transport role is installed on a TMG Enterprise array configured with integrated Network Load Balancing (NLB), high availability is also provided for the Exchange Edge Transport role.
- Integrating the Exchange Edge Transport role complicates the configuration of the Forefront TMG 2010 firewall, making troubleshooting and support more difficult. In addition, the installation of the Exchange Edge Transport role increases the attack surface on the TMG firewall.
- The Exchange Edge Transport role consumes resources on the TMG firewall (CPU, memory, disk space) and must also be updated on a regular basis along with the rest of the Exchange infrastructure. This increase in servicing requirements could translate into additional downtime for the solution.
Installing Exchange Edge Transport
To install the Exchange Edge Transport role on the Forefront TMG 2010 server, navigate to the Exchange installation media (DVD, file share, etc.) and run setup.exe. Choose a language option to install, and then click Install Microsoft Exchange. Click Next on the introduction page, accept the license agreement, choose whether or not to participate in error reporting, and then select Custom Exchange Server Installation and click Next.
Select the option to install the Edge Transport Role only.
After deciding to participate in the Customer Experience Improvement Plan, the installation wizard will perform some readiness checks. Once complete, click Install.
Once the installation finishes, deselect the option to Finalize this installation using the Exchange Management Console and click Finish. The Exchange Edge Transport Role will be managed exclusively using the Forefront TMG 2010 management console going forward.
After the installation is complete, reboot the TMG firewall.
After installing the Exchange Edge Transport role on the TMG firewall, be sure to install the same service packs and hotfix rollups that are currently running on your Exchange infrastructure.
Configuring Exchange Edge Transport
After rebooting the firewall, open the Forefront TMG 2010 management console, highlight the E-Mail Policy node in the navigation tree, and then click Configure E-Mail Policy in the Tasks pane. Choose Next, and then click Add to add any internal mail servers in your organization. Once complete, configure any Accepted authoritative domains.
Select the TMG network where traffic to and from the internal mail servers will be accepted. This is most commonly the Internal network, unless you have configured your Exchange servers on a TMG perimeter network. If you have configured multiple IP addresses, you can optionally choose a specific IP address to assign the listener to.
Select the TMG network where traffic will be received from the public Internet and specify the FQDN or IP address that the e-mail listener will use in response to SMTP session initiation messages (HELO, EHLO).
Select the option to Enable connectivity for EdgeSync traffic. In addition, deselect the options Enable spam filtering and Enable virus and content filtering. These two options require the installation of Forefront Protection for Exchange, which is outside the scope of this article.
Review the configuration settings and click Finish. When prompted to enable the system policy rule to allow SMTP traffic, click Yes, then save and apply the configuration.
Next, click the Generate Edge Subscription Files link in the Tasks pane and save the configuration file to a location accessible by the Exchange server running the Hub Transport role.
Configure Edge Subscription
In the Exchange Management Console on the Exchange server, expand Organization Configuration, highlight Hub Transport, and then click New Edge Subscription in the Actions pane.
Select the name of the Active Directory site that the Edge Transport server will subscribe to, supply the location of the file generated previously on the TMG firewall, and then click New.
To verify that the receive connectors were created correctly, expand the Server Configuration node and highlight Hub Transport.
E-mail should now be flowing properly through the Forefront TMG 2010 firewall using SMTP. To verify this, test with a valid e-mail account using an e-mail client. Optionally, you can use the very helpful Microsoft Remote Connectivity Analyzer web site. Select Internet Email Tests and choose Inbound SMTP Email. If everything is configured correctly, the test should report successful results.
Troubleshooting with PowerShell
If e-mail is not flowing, there are some PowerShell commands that can be helpful in troubleshooting. To verify that send connectors were created correctly, open the Exchange Management Shell and issue the following command:
You should see two send connectors configured for EdgeSync.
In addition, you may also need to initiate edge synchronization with Edge Transport running on the TMG firewall by issuing the following PowerShell command:
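As an added example that is not part of the original article, the following Exchange Management Shell script covers the Hub Transport side of the Edge Subscription step above together with the verification and synchronization checks described in this section. The subscription file path and the Active Directory site name are assumed values that you would replace with your own.

```powershell
# Added example (not from the article): run in the Exchange Management Shell on the
# Hub Transport server after generating the Edge Subscription file on the TMG firewall.
# Assumed values: the subscription file path and the Active Directory site name.
$SubscriptionFile = 'C:\EdgeSubscription\TMG-EdgeSubscription.xml'   # assumed path
$SiteName         = 'Default-First-Site-Name'                         # assumed AD site

# 1. Create the Edge Subscription from the file exported by the TMG console.
#    New-EdgeSubscription expects the file content as a byte array.
$FileData = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $FileData -Site $SiteName

# 2. Verify that the two EdgeSync send connectors (outbound to the Internet and
#    inbound to the site) were created. Their names start with "EdgeSync".
$EdgeSyncConnectors = @(Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync*' })
$EdgeSyncConnectors | Format-Table Name, AddressSpaces, SmartHosts -AutoSize
if ($EdgeSyncConnectors.Count -ne 2) {
    Write-Warning "Expected 2 EdgeSync send connectors, found $($EdgeSyncConnectors.Count)."
}

# 3. Push configuration and recipient data to the Edge Transport role on the TMG
#    firewall now, instead of waiting for the next scheduled synchronization.
Start-EdgeSynchronization

# 4. Confirm the subscription is healthy. A SyncStatus other than "Normal" points
#    at EdgeSync connectivity (TCP 50636 from Hub to Edge) or credential problems.
Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc
```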
Tight integration with Windows workloads is a common theme with the Forefront TMG 2010 firewall. Microsoft Exchange is one of the most popular applications being protected with TMG, and the new Edge Transport role integration is a powerful new feature that enables integrated edge security and SMTP gateway functionality in a single solution. Installing and configuring Exchange Edge Transport on the TMG firewall is simple and straightforward, and it allows you to manage all of your edge security and SMTP gateway functionality with a single management console. All of this comes with a price, however. Integrated Exchange Edge Transport does make the solution more complex, which might lead to troubleshooting and/or support difficulties in the future.