Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 5: Configuring Edge Subscription and Testing

It has been a long road, but we are getting close to the end of our journey through the TMG firewall’s email hygiene feature. In the previous articles in this series, we went through the process of installing TMG, then installing the Exchange Edge component, then enabling the email hygiene feature that included Forefront Protection for Exchange. Everything went pretty smoothly and there weren’t too many bumps on the road.

In this article, which I promise will be the last article in the series, we will look at how to configure the Edge Subscription feature. Edge Subscription is a very useful feature, because it allows you to block mail destined for users who are not in your Exchange organization. This is a very valuable tool, because if you look at your spam statistics, you will see that the overwhelming majority of spam is addressed to users who do not actually exist in your organization. Blocking these “address mining” emails can go a long way towards improving the overall performance of your Exchange Server.

Finally, we will also test our configuration and try to see whether the entire configuration process we went through actually works. I have set up a basic Exchange Server 2010 behind the TMG firewall. What we will do is try to send some spam from an Internet host through the TMG firewall and then we’ll try to send some spam outbound through the TMG firewall.

But first, let’s create our Exchange Edge Subscription file and configure the subscription on the Exchange mailbox server.

Creating the Edge Subscription File and Configuring the Edge Subscription

The first thing you should know is that you do not have to create an Edge Subscription. However, it makes your email hygiene solution much more effective. It improves the anti-spam features, enables recipient lookup so that mail sent to non-users is rejected, and enables safelist aggregation. Information about users in your Active Directory forest is sent to an Active Directory LDS database on the TMG firewall over a secure LDAP connection. In addition, the Safe Senders lists and recipient information are hashed so that they can’t be intercepted on the wire.

Information that is transferred from Active Directory to the TMG Active Directory LDS database includes:

  • Edge subscription information
  • Configuration information
  • Recipient information
  • Topology information

The EdgeSync services use a secure LDAP connection over TCP port 50636 to sync the directory information between the Exchange Hub Server and the TMG firewall’s Exchange Edge server.

With that bit of background in place, let’s create the Edge Subscription file. In the TMG firewall console, click the E-Mail Policy node in the left pane of the console. In the right pane of the console, click Generate Edge Subscription Files, as seen in the figure below.

Figure 1

This brings up the Browse For Folder dialog box. Let’s make a new folder called SubFiles, using the Make New Folder button. Click OK after creating the new folder on the C: drive.

Figure 2

If things work the way they should, you will see a dialog box that says 1 Edge Subscription file(s) were created in directory C:\SubFiles., as seen in the figure below.

Figure 3

If you open the file, you will see something like what appears in the figure below. You can see that the file is stored in clear text, so you need to make sure that after you import these settings into the Hub Transport Server, you delete the file immediately. Failure to do so might lead to some headaches if an intruder manages to access that file. You also need to be aware that the subscription file is only good for 24 hours. If you don’t use it before the timeout, you will need to generate another request.

Figure 4

Now copy the file to the Exchange Hub server. Since I only have a single Exchange Server in my test network, I’m going to copy it to that one. At the Exchange Server, open the Exchange Management Console and expand the Organization Configuration node in the left pane of the console. Click on the Hub Transport node as seen in the figure below.

Figure 5

In the right pane of the console, click the New Edge Subscription link, as seen in the figure below.

Figure 6

This brings up the New Edge Subscription page. Click the Browse button in the Active Directory site section on the page. This will display the Select Active Directory Site dialog box (not shown here). Select Default-First-Site-Name and click OK.

Click the Browse button in the Subscription file section and find the file you generated at the TMG firewall. In this example, I copied the file to a folder named SubFiles on the C: drive of the Exchange Server. Check the Automatically create a Send connector for this Edge Subscription checkbox and click New.

Figure 7

After the wizard completes, you will see something like what appears in the figure below. Note that there is a warning:

EdgeSync requires that the Hub Transport servers in Active Directory site be able to resolve the IP address for, and be able to connect to that host on port 50636

We always make a big deal over name resolution here, and this is just another example of how important DNS is to any TMG firewall scenario.

Figure 8
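The same Edge Subscription import, done from the Exchange Management Shell on the Hub Transport server instead of the wizard, preceded by the two checks the warning above is about (name resolution and TCP 50636 reachability). This is an added example, not the article's own script; the file name, AD site name and Edge host name are placeholders.

```powershell
# Added example (not from the article). Assumptions: the subscription file was copied to
# C:\SubFiles, the AD site is "Default-First-Site-Name", and the TMG/Edge host name is
# "tmg2010rtmb" (placeholder - use the host name stored inside the subscription file).
$SubFile  = 'C:\SubFiles\TMG2010RTMB.xml'   # placeholder file name
$Site     = 'Default-First-Site-Name'
$EdgeHost = 'tmg2010rtmb'                    # placeholder
$EdgePort = 50636                            # secure LDAP port used by EdgeSync

# 1. Pre-flight: can the Hub server resolve the Edge host, and can it reach TCP 50636?
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($EdgeHost)
    Write-Host ("{0} resolves to {1}" -f $EdgeHost, ($addrs -join ', '))
} catch {
    throw "DNS lookup for $EdgeHost failed: $($_.Exception.Message)"
}
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($EdgeHost, $EdgePort)
    Write-Host "TCP $EdgePort reachable on $EdgeHost"
} catch {
    throw "Cannot reach ${EdgeHost}:$EdgePort (check DNS and System Policy): $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# 2. Import the subscription; equivalent to the New Edge Subscription wizard with the
#    "Automatically create a Send connector" box checked.
New-EdgeSubscription -FileName $SubFile -Site $Site `
    -CreateInboundSendConnector $true -CreateInternetSendConnector $true

# 3. The file is clear text and only valid for 24 hours: delete it as soon as it is imported.
Remove-Item -Path $SubFile -Force

# 4. Push an initial full sync and confirm the Edge server reports a healthy state.
Start-EdgeSynchronization -ForceFullSync
Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc
```

Run it from an elevated Exchange Management Shell on the Hub Transport server; the pre-flight checks fail fast so you do not import a subscription that EdgeSync will never be able to use.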

Examining System Policy Supporting Email Communications

When you configure the TMG firewall as an email security gateway, it automatically configures some settings in System Policy. In the figure below, you can see that there are three System Policy Rules created to allow SMTP communications:

  • Allow SMTP from Forefront TMG to trusted servers
  • Allow SMTP traffic to the local host for mail protection and filtering
  • Allow SMTP traffic to the Internet for mail protection and filtering

Figure 9

When you enable EdgeSync traffic, you can see that a System Policy Rule is created to allow the EdgeSync traffic. This is the Allow LDAP/LDAPS traffic to the local host for the Exchange Server EdgeSync Protocol. In the figure below, you see that the Protocol Definition allows TCP port 50636 outbound.

Figure 10

Now what happens if we send a clean email message through the TMG firewall? Here’s a log file entry of such a message:

TCP | 2/28/2010 8:57:43 AM | 25 | SMTP | Closed Connection | Inspected | [System] Allow SMTP from Forefront TMG to trusted servers | 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN | Local Host | Internal | – | TMG2010RTMB | – | Firewall

I’ve highlighted the fact that this connection was inspected by the Network Inspection System (NIS). The SMTP filter is no longer used in TMG when you use the integrated email protection features. Instead, you benefit from NIS, Exchange Edge and Forefront Protection for Exchange (FPE). The end result is a much more secure email protection configuration than you could get with just the SMTP filter.

The next test was to send some malware to the Exchange Server through the TMG firewall. For this test, I used the eicar test file that you can download from here. This is a harmless test file that all AV engines will detect as malware. I found that the log files weren’t very interesting with regard to the processing of the test file, as you can see in the figure below.

Figure 11

In fact, I could find no information regarding SMTP logs. I checked TechNet, and there is a comprehensive article on how the email protection feature works over here, but there is no mention of how to find logging information for detected malware. In addition, the FPE interface is not exposed when you install the email protection feature on TMG, so you can’t check the detected malware information there.

However, if you check the email message, you will see that TMG did what it was supposed to do.

Figure 12

If you open the file, you’ll see the following:

Figure 13

Admittedly, that is not very interesting, but remember that you can customize this message a bit by enabling the notifications feature, as seen in the figure below.

Figure 14
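The two inbound tests described in this section (an EICAR attachment to a real mailbox, and a message to a user who does not exist, which recipient lookup should reject) can be repeated from an Internet-side host with Send-MailMessage. This is an added example, not the author's; the server name and addresses are placeholders.

```powershell
# Added example (not from the article). Assumptions (placeholders): the TMG firewall's
# external mail name is mail.example.com, user@example.com is a real mailbox and
# nobody@example.com does not exist in the Exchange organization.
$Smtp     = 'mail.example.com'
$From     = 'tester@external.example.net'
$RealUser = 'user@example.com'
$NoUser   = 'nobody@example.com'

# Standard EICAR test string (harmless), split in two so that scanners matching the
# literal inside this script file do not quarantine the script itself.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' + '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$EicarPath = Join-Path $env:TEMP 'eicar.com'
[System.IO.File]::WriteAllText($EicarPath, $Eicar)   # UTF-8 without BOM, 68 bytes

function Send-Test {
    param([string]$To, [string]$Subject, [string[]]$Attach = @())
    $p = @{ SmtpServer = $Smtp; From = $From; To = $To; Subject = $Subject; Body = 'test' }
    if ($Attach) { $p['Attachments'] = $Attach }
    try {
        Send-MailMessage @p -ErrorAction Stop
        Write-Host "ACCEPTED by ${Smtp}: $Subject"
    } catch {
        # With recipient lookup enabled through EdgeSync, unknown recipients are refused
        # during the SMTP session and Send-MailMessage surfaces the server's 5xx reply here.
        Write-Host "REJECTED by ${Smtp}: $Subject -> $($_.Exception.Message)"
    }
}

# Test 1: malware. Expect the session to be accepted and the attachment replaced by the
# FPE notice in the user's mailbox, as shown in the figures above.
Send-Test -To $RealUser -Subject 'EICAR test' -Attach $EicarPath

# Test 2: address mining. Expect the Edge server to reject the unknown recipient.
Send-Test -To $NoUser -Subject 'Nonexistent recipient test'

Remove-Item $EicarPath -Force
```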


In this last article in our series on the TMG firewall’s email protection feature, we configured the EdgeSync feature by creating a file on the TMG firewall and then we used that file to automatically configure the Exchange Hub server to receive and send mail from and to the TMG firewall. We then configured an email client to use the TMG server as its email server to test whether the AV feature worked correctly. We used the eicar test file as a simulated virus. The TMG firewall was able to block the virus from reaching the user’s mailbox and included a text file, which reported that the attachment had been removed. One thing that we found missing was any level of logging or reporting on the malware detection. I expected it to be part of the FPE feature, but the FPE integration in the RTM version of the TMG firewall removed access to the FPE console. I look forward to Microsoft fixing this issue with a future service pack.
