Utilizing Microsoft mail protection technologies
Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization.
When deploying the e-mail protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the e-mail protection feature provides a number of benefits, which are described in Benefits of creating an e-mail policy with Forefront TMG.
Because spammers or malicious senders use a variety of techniques, Forefront TMG implements a layered and multifaceted approach to reducing spam and viruses. The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
Benefits of creating an e-mail policy with Forefront TMG
There are a number of advantages to implementing e-mail protection with Forefront TMG:
- Protection on the edge—The Forefront TMG e-mail protection feature inspects mail traffic at the edge (the point of entry into an enterprise’s core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage.
- Integrated management—When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
- Extended management—Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments. When you configure an e-mail policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring e-mail policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage.
- Native support for Network Load Balancing (NLB)—Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.
Forefront TMG enables you to protect your organization from spam, viruses and other e-mail-based threats. It does this by leveraging the mail protection provided by Forefront Protection 2010 for Exchange Server (FPES), and by utilizing the end-to-end mail relay service provided by Exchange Edge Transport server.
These protection technologies are not included in the default Forefront TMG installation; you must install them separately on each Forefront TMG array member.
The supported versions are:
- Exchange Server 2007 SP2, and Exchange Server 2010.
- Forefront Protection 2010 for Exchange Server.
Exchange Server Edge Transport role
So first Step is to install Active Directory Lightweight Directory Services
Installing the Exchange Server Edge Transport role
we have to configure DNS suffix to a Forefront TMG computer
and we restart
now we are ready to install exchange edge
if you did not install exchange edge before it’s a straight forward process
we choose custom
and Edge installation finished
Forefront protection for exchange
next we install forefront protection for exchange
agree and next
agree to restart the service and next
I prefer to enable the antispam from the TMG so lets leave it disabled for now
and we done
next step is to install TMG
“for full TMG installing experience please refer to my Posts in TMG category “
we start by running prep tool
we start TMG installation
and We done
now we start the basic configurations to enable the Mail protection
now we have to wait until NIS finish update (wait until it become green )
we navigate to the email policy and start configure email policy
now we set the mail flow options first we set the internal server and the domain name that we are authoritative of
we Set the Mail listener (the internal and external interfaces)
now this is an important one do we need our edge server to be Smart-host or make edge sync with internal exchange server both have benefits but personally I prefer smart host option
so to make is smart host just keep the last check box unchecked
and the policy completed you will get this massage
the TMG need to create system policy to your internal server
almost every options are configured for you without additional configuration , all but content filtering
do not go below 6 in content filtering or most the emails will blocked
the rest of the option is self-explanatory
Note: if you are using HTTPs inspection you have to exclude cloud mark servers from the inspection because it uses self-signed certificate so TMG will block it by default
to do so go to
click add and add domain set with
cloudmark.com and *.cloudmark.com in it
and ok your way out
ISP redundancy does not support e-mail protection
Issue: When e-mail protection using Forefront Protection for Exchange (FPE) is used in Forefront TMG, the e-mail traffic will not fail over to an alternate ISP link even if the ISP redundancy functionality is configured in Forefront TMG.
Cause: The ISP redundancy feature requires a NAT relationship with the external network in order to fail over the connection to an alternate ISP. SMTP listeners on the external NIC cannot take advantage of the ISP redundancy functionality as there is no address translation in mail traffic.
RPC over HTTP traffic inspection limitations
Issue: RPC over HTTP traffic encrypts the RPC data in HTTP and is not inspected by the RPC filter.
Cause: The RPC filter cannot inspect RPC over HTTP traffic because:
- Forefront TMG application filters cannot be chained to each other and Web filters cannot pass traffic to application filters.
- The RPC filter expects RPC communications to begin on the RPC endpoint mapper (TCP:135), and so it cannot protect against RPC exploits reaching an Exchange server.