Email Protection with Threat Management Gateway
Utilizing Microsoft mail protection technologies
Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization.
When deploying the e-mail protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the e-mail protection feature provides a number of benefits, which are described in Benefits of creating an e-mail policy with Forefront TMG.
Layered protection
Because spammers or malicious senders use a variety of techniques, Forefront TMG implements a layered and multifaceted approach to reducing spam and viruses. The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
Benefits of creating an e-mail policy with Forefront TMG
There are a number of advantages to implementing e-mail protection with Forefront TMG:
- Protection on the edge—The Forefront TMG e-mail protection feature inspects mail traffic at the edge (the point of entry into an enterprise’s core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage.
- Integrated management—When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
- Extended management—Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments. When you configure an e-mail policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring e-mail policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage.
- Native support for Network Load Balancing (NLB)—Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.
Forefront TMG enables you to protect your organization from spam, viruses and other e-mail-based threats. It does this by leveraging the mail protection provided by Forefront Protection 2010 for Exchange Server (FPES), and by utilizing the end-to-end mail relay service provided by Exchange Edge Transport server.
These protection technologies are not included in the default Forefront TMG installation; you must install them separately on each Forefront TMG array member.
The supported versions are:
- Exchange Server 2007 SP2, and Exchange Server 2010.
- Forefront Protection 2010 for Exchange Server.
Exchange Server Edge Transport role
So the first step is to install Active Directory Lightweight Directory Services (AD LDS).
Installing the Exchange Server Edge Transport role
We have to configure a primary DNS suffix on the Forefront TMG computer
and then restart.
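The suffix step is easy to get wrong (set it, forget the restart, and Edge setup fails its prerequisite check), so here is an added PowerShell example, not from the original post, that sets the primary DNS suffix through the same registry values the System Properties dialog writes and then verifies what the running TCP/IP stack reports after the reboot. The suffix 'corp.example.com' is a constructed placeholder; run it as Administrator on the TMG computer.

```powershell
# Added example (not from the original post). Sets and verifies the primary
# DNS suffix that Exchange Edge Transport setup requires on the TMG computer.

function Set-PrimaryDnsSuffix {
    param([Parameter(Mandatory = $true)][string]$Suffix)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    # 'NV Domain' is the value the System Properties dialog writes and
    # 'Domain' is what the TCP/IP stack reads; writing both mirrors the GUI.
    Set-ItemProperty -Path $key -Name 'NV Domain' -Value $Suffix
    Set-ItemProperty -Path $key -Name 'Domain'    -Value $Suffix
    Write-Host "Primary DNS suffix set to '$Suffix'; restart before running Edge setup."
}

function Get-PrimaryDnsSuffix {
    # Ask the live network stack rather than the registry, so the answer is
    # what Edge setup will actually see (i.e. it reflects the reboot).
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    return $props.DomainName
}

function Test-PrimaryDnsSuffix {
    param([Parameter(Mandatory = $true)][string]$Expected)
    $actual = Get-PrimaryDnsSuffix
    if ([string]::IsNullOrEmpty($actual)) {
        Write-Warning 'No primary DNS suffix is active; Edge Transport setup will fail its prerequisite check.'
        return $false
    }
    if ($actual -ne $Expected) {
        Write-Warning "Primary DNS suffix is '$actual', expected '$Expected' (restart still pending?)."
        return $false
    }
    Write-Host "Primary DNS suffix is '$actual'."
    return $true
}

# Usage (constructed placeholder suffix):
#   Set-PrimaryDnsSuffix -Suffix 'corp.example.com'
#   Restart-Computer
#   ...after the reboot:
#   Test-PrimaryDnsSuffix -Expected 'corp.example.com'
```

Run Test-PrimaryDnsSuffix only after the reboot; before it, the registry already holds the new value but the stack still reports the old one, which is exactly the state in which Edge setup complains.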
Now we are ready to install Exchange Edge.
If you have not installed Exchange Edge before, it's a straightforward process.
next
We choose Custom.
select Edge
and the Edge installation is finished.
Forefront Protection for Exchange
Next we install Forefront Protection for Exchange.
agree and next
agree to restart the service and next
I prefer to enable the anti-spam features from TMG, so let's leave them disabled for now.
Almost done
and we're done.
The next step is to install TMG.
“For the full TMG installation experience, please refer to my posts in the TMG category.”
We start by running the preparation tool.
we start TMG installation
and we're done.
Now we start the basic configuration to enable mail protection.
Now we have to wait until NIS finishes updating (wait until it turns green).
We navigate to the e-mail policy and start configuring the e-mail policy.
Now we set the mail flow options: first we set the internal server and the domain name that we are authoritative for.
We set the mail listener (the internal and external interfaces).
external
Now this is an important one: do we want our Edge server to be a smart host, or to use EdgeSync with the internal Exchange server? Both have benefits, but personally I prefer the smart host option.
So to make it a smart host, just keep the last check box unchecked.
And the policy is completed; you will get this message:
TMG needs to create a system policy rule for your internal server.
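Once the policy is applied and the listeners are up, the check I would run before pointing MX records at the box is a quick SMTP probe against the external listener: does it greet, and does it refuse to relay for a domain the Edge server is not authoritative for? The following PowerShell is an added example, not from the original post, that talks plain SMTP over a TcpClient and reports the reply codes; 'mail.example.com', 'probe.example' and 'not-our-domain.example' are constructed placeholders.

```powershell
# Added example (not from the original post). Probes the Edge/TMG SMTP listener
# and checks that it refuses relaying for a domain it is not authoritative for.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies can span several lines: continuation lines carry '-' at
    # position 4 ("250-SIZE"), the final line carries a space ("250 OK").
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    if ($lines.Count -eq 0) { throw 'Connection closed by server without a reply.' }
    return ,$lines
}

function Invoke-SmtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    $Writer.WriteLine($Command)     # writer is configured for CRLF below
    $Writer.Flush()
    $reply = Read-SmtpReply -Reader $Reader
    return [int]$reply[-1].Substring(0, 3)   # three-digit code of the final line
}

function Test-EdgeListener {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [string]$RelayDomain = 'not-our-domain.example'   # constructed, not one of ours
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"
    try {
        $banner = Read-SmtpReply -Reader $reader
        $result = @{}
        $result.Server       = $Server
        $result.Banner       = $banner[-1]
        $result.Greets220    = ([int]$banner[-1].Substring(0, 3) -eq 220)
        $result.EhloCode     = Invoke-SmtpCommand $writer $reader 'EHLO probe.example'
        $result.MailFromCode = Invoke-SmtpCommand $writer $reader 'MAIL FROM:<probe@probe.example>'
        $rcpt                = Invoke-SmtpCommand $writer $reader "RCPT TO:<someone@$RelayDomain>"
        $result.RcptCode     = $rcpt
        # A correctly scoped listener answers 5xx here (typically 550 Unable to relay);
        # a 250 would mean it relays for domains it is not authoritative for.
        $result.RefusesRelay = ($rcpt -ge 500)
        [void](Invoke-SmtpCommand $writer $reader 'QUIT')
        return New-Object PSObject -Property $result
    }
    finally {
        $client.Close()
    }
}

# Usage (constructed host name):
Test-EdgeListener -Server 'mail.example.com' | Format-List
```

Run it from a machine outside the array against the external listener and again from the internal network against the internal listener; RefusesRelay should be true on the external side, and the Banner line tells you whether you reached the Edge Transport service or something else answering on port 25.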
Almost every option is configured for you without additional configuration, all but content filtering.
Do not go below 6 in content filtering, or most e-mails will be blocked.
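Because TMG pushes the content filter settings down to Exchange Edge, the place to confirm the threshold actually in effect is a read-only query from the Exchange Management Shell on the Edge/TMG computer. The following is an added example, not from the original post, that reads Get-ContentFilterConfig and warns about any enabled SCL action whose threshold is below the post's minimum of 6; it deliberately does not call Set-ContentFilterConfig, since the post says TMG owns that configuration.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Edge/TMG computer; read-only check of the SCL thresholds.

function Test-ContentFilterThresholds {
    param([int]$Minimum = 6)   # the post's advice: do not go below 6
    $cfg = Get-ContentFilterConfig
    $actions = @(
        @{ Name = 'Delete';     Enabled = $cfg.SCLDeleteEnabled;     Threshold = $cfg.SCLDeleteThreshold },
        @{ Name = 'Reject';     Enabled = $cfg.SCLRejectEnabled;     Threshold = $cfg.SCLRejectThreshold },
        @{ Name = 'Quarantine'; Enabled = $cfg.SCLQuarantineEnabled; Threshold = $cfg.SCLQuarantineThreshold }
    )
    $ok = $true
    if (-not $cfg.Enabled) {
        Write-Warning 'Content filtering is disabled on this Edge server.'
        $ok = $false
    }
    foreach ($a in $actions) {
        if ($a.Enabled -and $a.Threshold -lt $Minimum) {
            Write-Warning ("SCL {0} is enabled at threshold {1}; below {2} most legitimate mail will be blocked." -f $a.Name, $a.Threshold, $Minimum)
            $ok = $false
        } else {
            Write-Host ("SCL {0}: enabled={1} threshold={2}" -f $a.Name, $a.Enabled, $a.Threshold)
        }
    }
    return $ok
}

# Usage:
Test-ContentFilterThresholds
```

If the function warns, raise the threshold in the TMG Management console rather than here, so the array-wide configuration and the Edge server stay in sync.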
The rest of the options are self-explanatory.
Note: if you are using HTTPS inspection, you have to exclude the Cloudmark servers from inspection, because they use a self-signed certificate and TMG will block them by default.
To do so, go to Configure HTTPS Inspection, click Add, and add a domain name set with
cloudmark.com and *.cloudmark.com in it,
then OK your way out.
ISP redundancy does not support e-mail protection
Issue: When e-mail protection using Forefront Protection for Exchange (FPE) is used in Forefront TMG, the e-mail traffic will not fail over to an alternate ISP link even if the ISP redundancy functionality is configured in Forefront TMG.
Cause: The ISP redundancy feature requires a NAT relationship with the external network in order to fail over the connection to an alternate ISP. SMTP listeners on the external NIC cannot take advantage of the ISP redundancy functionality as there is no address translation in mail traffic.
RPC over HTTP traffic inspection limitations
Issue: RPC over HTTP traffic encrypts the RPC data in HTTP and is not inspected by the RPC filter.
Cause: The RPC filter cannot inspect RPC over HTTP traffic because:
- Forefront TMG application filters cannot be chained to each other and Web filters cannot pass traffic to application filters.
- The RPC filter expects RPC communications to begin on the RPC endpoint mapper (TCP:135), and so it cannot protect against RPC exploits reaching an Exchange server.
Source : http://technet.microsoft.com/en-us/library/ff355324.aspx