Exchange Server 2010 Edge Server and Microsoft Threat Management Gateway
When you have an Exchange Server 2010 environment you can use the Edge Transport Server, typically located in the Demilitarized Zone (DMZ) or perimeter network, for message hygiene. By default the Edge Transport Server has the anti-spam agents enabled, and when Forefront Protection for Exchange is installed the Edge Transport Server also performs the anti-virus scanning.
Email from the Internet is received by the Edge Transport Servers; spam messages and messages containing viruses are filtered out and the clean messages are relayed to the Hub Transport Server, which is located in the internal network and is a member of the internal domain.
The Client Access Server gives e-mail clients access to their mailbox, and the Client Access Server is located on the internal network. Locating the Client Access Server in the DMZ is not supported. For more information regarding the CAS server and the DMZ visit the Exchange Team Site.
You can use a Microsoft ISA Server 2006 in the DMZ, and the ISA Server ‘publishes’ the Exchange Services like OWA, Outlook Anywhere or ActiveSync. It is not possible to combine the ISA Server and the Edge Transport Server on one server, let alone combine them with the Forefront Protection for Exchange.
Threat Management Gateway (TMG)
The Forefront Threat Management Gateway (TMG) 2010 is the successor of ISA Server 2006 and TMG contains a lot of new features that are interesting for Exchange administrators. One of the things is that you can install the Edge Server, TMG and Forefront Protection for Exchange on one (physical) server.
Figure 1: The Edge Server, TMG and Forefront Protection for Exchange on one Server
The advantage of this solution is of course that you will need only one server. This will save you an additional Windows license, but do not forget the cost of the server itself and the power and cooling that are needed. Keep in mind what you are consolidating: the perimeter firewall, the SMTP gateway and the mail scanning engines now share one host, so a compromise of any one of them exposes the others, and the box has to be patched and monitored as a firewall, not just as a mail server.
To install this combination of Edge Server, Forefront Protection for Exchange and Threat Management Gateway, follow this order:
- Install Windows Server 2008 R2
- Install Active Directory Lightweight Directory Services (LDS)
- Install Exchange 2010 Edge Transport Server
- Install Forefront Protection for Exchange
- Install Forefront Threat Management Gateway
Windows Server 2008 R2
The first step is to install Windows Server 2008 R2. This is an x64 operating system, which is required for Exchange Server 2010 anyway. TMG is also an x64 application, whereas the old ISA Server was a 32-bit application.
Install Windows Server 2008 R2, make sure that the server is connected to both the internal as well as the external network. After installation configure the network, the internal and the external name resolution have to be correct. Bring the server up to date with the latest hot fixes.
Install Active Directory Lightweight Directory Services
After installing Windows Server 2008 R2 the Active Directory Lightweight Directory Services (LDS) need to be installed. Logon to the server and open the Server Manager. Select Roles in the Navigation Pane and in the Results Pane select “Add Roles”. In the “Select Roles” wizard select the Active Directory Lightweight Directory Services. Add the required features (.NET Framework 3.5.1) as well. Finish the wizard and install the LDS.
Install Edge Transport Server
To install the prerequisite software for the Exchange Server 2010 Edge Transport Server open a command prompt and navigate to the \Scripts directory on the installation media. Enter the following command:
ServerManagerCmd.exe -InputPath Exchange-Edge.xml
A warning pops up saying that ServerManagerCmd is deprecated. Although true, the command still works on Windows Server 2008 R2, so do not pay too much attention to the warning at this point. When the prerequisite software is installed, reboot the server as requested.
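The prerequisite step and the network checks from the previous sections, written as a PowerShell 2.0 script you can run on the fresh Windows Server 2008 R2 host. This is an added example and not a script from the original article: the feature list is the PowerShell equivalent of the Exchange-Edge.xml call (assumed to be .NET Framework 3.5.1 and AD LDS, which is what the article's LDS and prerequisite steps install), and the two host names are placeholders for your own Hub Transport Server and your external mail name.

```powershell
# Added example (not from the original article). Runs in PowerShell 2.0 on
# Windows Server 2008 R2, before the Exchange 2010 Edge Transport setup.
Import-Module ServerManager

# Assumption: these are the features the Exchange-Edge.xml input file asks for.
# This is the supported replacement for the deprecated ServerManagerCmd.exe call.
$features = 'NET-Framework-Core', 'ADLDS'
$result = Add-WindowsFeature $features
if (-not $result.Success) {
    throw "Feature installation failed, exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A reboot is required before installing the Edge Transport role.'
}

# Placeholder names for this example: the internal Hub Transport Server and the
# external name that your MX record points at.
$internalHub  = 'hub01.corp.example.com'
$externalName = 'mail.example.com'

# Name resolution has to work for both the internal and the external side; the
# Edge server cannot use the internal DNS servers for the Internet-facing NIC.
function Test-NameResolution {
    param([string]$Name)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) |
                 ForEach-Object { $_.IPAddressToString }
        New-Object PSObject -Property @{
            Name = $Name; Resolves = $true; Addresses = ($addrs -join ', ')
        }
    } catch {
        New-Object PSObject -Property @{ Name = $Name; Resolves = $false; Addresses = $null }
    }
}

# Show the two NICs (perimeter and internal) with their gateways and DNS servers,
# so you can confirm only the external NIC carries a default gateway.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder |
    Format-List

$internalHub, $externalName |
    ForEach-Object { Test-NameResolution -Name $_ } |
    Format-Table Name, Resolves, Addresses -AutoSize
```

Run it from an elevated PowerShell prompt; a name that does not resolve here will show up later as an EdgeSync or SMTP failure that is much harder to diagnose.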
Install the Edge Transport Server; this can be done using the graphical User Interface or the unattended setup program. The Management Tools will be automatically installed.
After the installation of the Edge Server it is time to configure the EdgeSync Service. EdgeSync replicates recipient and configuration information from Active Directory, via the Hub Transport Server, to the AD LDS instance on the Edge Transport Server. To create an Edge Subscription, log on to the Edge Transport Server, open an Exchange Management Shell and enter the following command:
New-EdgeSubscription -FileName C:\Edge-TMG.XML
Copy the Edge-TMG.XML file to the internal Hub Transport Server and import it there. After importing the Edge Synchronization can be started. To achieve this logon to the Hub Transport Server, open an Exchange Management Shell and enter the following commands:
$Temp = Get-Content -Path "C:\Edge-TMG.xml" -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $Temp -Site "Default-First-Site"
Then run Start-EdgeSynchronization on the Hub Transport Server and make sure that every result it reports is successful. This is shown on the console:
Figure 2: The Edge Synchronization is successfully started.
When you have successfully setup the Edge Synchronization it is a good time to test the SMTP functionality and see if you can send and receive messages from your Exchange Server 2010 mailbox to and from the Internet. If successful continue with the next steps.
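The complete EdgeSync procedure of this section as one script, with the checks a practitioner would want before moving on. This is an added example, not the article's own commands: the Edge host name, the file path and the Active Directory site name are placeholders for this example (check the site with Get-ExchangeServer on the Hub server), and the two connector switches are set explicitly so that mail flow in both directions is created by the subscription.

```powershell
# Added example (not from the original article). Step 1 runs in the Exchange
# Management Shell on the Edge Transport Server, step 2 on an internal Hub
# Transport Server. Names and paths are placeholders for this example.

# --- Step 1: on the Edge Transport Server ---
# The subscription file carries the bootstrap replication account credentials
# (valid for 24 hours), so copy it over a trusted channel and delete it afterwards.
New-EdgeSubscription -FileName 'C:\Edge-TMG.xml'

# --- Step 2: on the Hub Transport Server, after copying the file ---
$SubscriptionFile = 'C:\Edge-TMG.xml'
$SiteName         = 'Default-First-Site-Name'   # placeholder: the AD site of this Hub server

# -FileData expects the raw bytes of the file, hence -Encoding Byte -ReadCount 0.
$bytes = Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0

# Create the Edge-to-Internet and Edge-to-Hub send connectors as part of the
# subscription; without them only the receive side of mail flow exists.
New-EdgeSubscription -FileData $bytes -Site $SiteName `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Push the configuration now instead of waiting for the EdgeSync schedule.
$sync = Start-EdgeSynchronization -ForceFullSync
$sync | Format-Table Name, Type, Result, FailureDetails -AutoSize

# Both sync types (Configuration and Recipients) must report Success.
$failed = $sync | Where-Object { $_.Result -ne 'Success' }
if ($failed) {
    $details = ($failed | ForEach-Object { "$($_.Type): $($_.FailureDetails)" }) -join '; '
    throw "EdgeSync failed: $details"
}

# The subscription file is a credential; remove it once the import has succeeded.
Remove-Item -Path $SubscriptionFile -Force
```

After this script reports success, send a message from an internal mailbox to an external address and back; the send connectors created here are what make the outbound half of that test work.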
Install Forefront Protection for Exchange (FPE)
When you start the graphical setup of Exchange Server 2010 you are presented with a splash screen. The last option, under Enhance, is “Install Microsoft Forefront Protection 2010 for Exchange Server”.
Figure 3: The setup application splash screen
When you select this option you are redirected to the Microsoft website where you can download FPE. After downloading, start the ForefrontExchangeSetup.exe application. Follow the setup wizard to install Forefront Protection for Exchange. On the Anti-spam Configuration page select “Enable anti-spam later”.
After installation, do not check the “Launch the Forefront Online Protection for Exchange Gateway installation program”. Click Finish to end the installation program.
When you start the Forefront Administrator Console an Evaluation License Notice is shown. You can Activate Forefront immediately, but there’s a 120 day trial period.
In the Administrator Console you will see that the scanning engines are not updated immediately.
Figure 4: The Engines are not updated immediately
After some time (15 minutes in my test environment) you will notice that the engines are updated and the yellow exclamation mark will change into the green checkmark.
Install Forefront Threat Management Gateway
The last and most interesting step is to install the Threat Management Gateway (TMG) onto the recently installed Edge Transport Server. Navigate to the installation media and start the setup application. A splash screen is shown:
Figure 5: The TMG (standard edition) splash screen
Select “Run Preparation Tool” in the splash screen to install the TMG prerequisite software. Follow the Forefront TMG Preparation Tool wizard. Select the “Forefront TMG Services and Management” option to install both the software and the management tools.
Figure 6: Select "Forefront TMG services and Management" to install the software and the management tools
The prerequisite software will be automatically installed and when finished you have the option to start the Forefront TMG Installation wizard automatically.
Figure 7: Start the Forefront TMG installation wizard
Click Finish and the installation wizard will be started automatically. Follow the wizard, accept the license agreement and enter your user name, company name and serial number. Continue the wizard until you get to the internal network option. In my test environment I have two networks. A public network that’s connected to the Internet and a private, internal network. The Exchange Servers are connected to this network.
Figure 8: Select the internal (private) network
Click Next to continue the setup wizard and install TMG on the server. The installation can take some time.
Figure 9: Approx. 19 minutes to install TMG on our Edge Server
When the setup program is finished, click Finish. If you want you can check the “Launch Forefront TMG Management when the wizard closes” and the management console will be started automatically.
The TMG Server is now installed on top of the Edge Transport Server. Although mail flow between the internal Hub Transport Server and the Edge Transport Server was working before, it has now stopped. This is because TMG is a firewall as well: after installation its policy denies all traffic that is not explicitly allowed, so SMTP and EdgeSync between the Hub and the Edge are blocked until access rules for them are configured.
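A quick way to confirm that it is the new firewall policy, and not EdgeSync or Exchange itself, that broke mail flow: probe the two ports the Hub Transport Server needs to reach on the Edge server and compare that with what EdgeSync reports. This is an added example, not from the original article; the Edge host name is a placeholder for this example. EdgeSync uses TCP 50636 (secure LDAP) from the Hub to the Edge, and SMTP uses TCP 25 in both directions.

```powershell
# Added example (not from the original article). Run in the Exchange Management
# Shell on the internal Hub Transport Server after TMG has been installed.
$EdgeServer = 'edge01.perimeter.example.com'   # placeholder: your Edge/TMG host

# Plain TCP connect test with a timeout; PowerShell 2.0 has no Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($open) { $client.EndConnect($async) }   # throws if the connection was refused
        New-Object PSObject -Property @{ Target = "${ComputerName}:${Port}"; Open = [bool]$open }
    } catch {
        New-Object PSObject -Property @{ Target = "${ComputerName}:${Port}"; Open = $false }
    } finally {
        $client.Close()
    }
}

# 25 = SMTP from Hub to Edge, 50636 = EdgeSync secure LDAP from Hub to Edge.
# A default-deny TMG policy shows both as closed even though the services run.
@(25, 50636) |
    ForEach-Object { Test-TcpPort -ComputerName $EdgeServer -Port $_ } |
    Format-Table Target, Open -AutoSize

# EdgeSync's own view: anything other than a Normal status with a recent
# LastSynchronizedUtc means the Edge copy of the configuration is going stale.
Test-EdgeSynchronization |
    Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetails
```

Once TMG access rules for these two ports exist, the probe should report both as open and Test-EdgeSynchronization should return to a Normal status; rerun the probe from the Edge side against the Hub on port 25 to cover the inbound direction as well.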
In the next article I will explain the various settings of the Edge Server, Forefront Protection for Exchange and Threat Management Gateway combination.