Understanding E-Mail Protection on Forefront TMG

Authors

Yuri Diogenes
Sr Support Escalation Engineer – Forefront Edge CSS Team, Microsoft
Noam Ilovich
Program Manager – Forefront Edge, Microsoft

Technical Reviewers

Lior Alon
Sr Developer Lead – Forefront Edge, Microsoft
Bala Natarajan
Sr Support Escalation Engineer – Forefront Edge CSS Team, Microsoft

Microsoft Forefront TMG brings a new capability that allows firewall administrators to manage and deploy SMTP policies from a single location using the TMG console. The solution leverages two other products to provide a full SMTP stack while maintaining security throughout the SMTP traffic: Microsoft Exchange Edge Transport and Microsoft Forefront Security for Exchange.

To take advantage of this feature you will need to install both the Microsoft Exchange Edge Transport role and Forefront Security Server for Exchange on all TMG servers (on every member, in case you have an array), either before or after the TMG installation.

The purpose of this article is to clarify the hierarchy of the components underlying E-Mail Protection on TMG, explain how the solution works under the hood, and provide some Q&As for common scenarios.

Forefront Security for Exchange Release Candidate

The TMG Beta 3 install DVD includes the FSE Beta 2 install bits. You will not be able to upgrade to the FSE Release Candidate version, because FSE introduced a few breaking changes after TMG B3 was locked. You will be able to upgrade to the FSE Release Candidate version with TMG RC.

SMTP Protection Components

The E-Mail Protection solution on Forefront TMG is composed of the following components:


Figure 1 – E-mail Protection Components on TMG.

Notice that the first component in the stack is the TMG filter driver, which runs in kernel mode. This filter driver intercepts all requests before handing them to the other components, which run in user mode. The Exchange Edge Transport components process the message first and perform the initial spam filtering, then pass the message to Forefront Security Server for Exchange to perform the virus scan. The table below describes the components in more detail and shows which product is responsible for each:

Component                          Exchange   Forefront Security Server for Exchange
SMTP Stack                         X
Connection Filtering               X          X
Sender Filtering                   X
Recipient Filtering                X
Content Filtering (Smart Screen)   X
Message Body Filtering                        X
Premium SPAM                                  X
File Filtering                                X
Anti-Malware                                  X

Walkthrough an Incoming Message Processing

To demonstrate a typical E-Mail protection deployment scenario the following topology will be used:


Figure 2 – Using Forefront TMG to Protect SMTP Traffic.

The first step in an SMTP connection (after the three-way handshake on port 25 has completed successfully) is for the client to send a HELO or EHLO command. When TMG receives this request, it passes it to Microsoft Exchange Edge Transport for processing. Microsoft Exchange Edge Transport has a series of SMTP transport events that trigger actions during message processing. Some of those events invoke SMTP agents that evaluate a series of parameters, such as whether the IP address that sent the message is allowed or not.

Note

For more information on Exchange Edge Transport Architecture and messaging process read the following article from TechNet Magazine https://technet.microsoft.com/en-us/magazine/2007.10.edge.aspx

For this first connection the OnConnect event fires and the Connection Filtering agent runs. This agent evaluates the parameters configured in the Forefront TMG console, such as the ones shown in Figure 3:


Figure 3 – Initial event processed.

Assuming that the connection satisfies all the parameters that were specified, the next step is to analyze the body of the message once it has been transmitted and the end of the data has been reached. At this point the OnEndOfData event fires and two agents run: the Content Filtering agent and the Attachment Filter agent, as shown in Figure 4.


Figure 4 – Processing two filtering agents.

If the message satisfies all the configured parameters, it is then delivered to the internal mail server.
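The walkthrough above maps each Edge Transport event to a point in the SMTP conversation. The following PowerShell script is an added example, not TMG or Exchange code: it drives one SMTP transaction through the TMG listener from an outside host and reports the reply at each stage, so you can tell whether a message was rejected at connect (OnConnect, connection filtering), at MAIL FROM (sender filtering), at RCPT TO (recipient filtering), or at the end of DATA (OnEndOfData, content, attachment and anti-malware filtering). The host name, the EHLO name and the sender and recipient addresses are assumptions for illustration; the test message is constructed inline.

```powershell
# Added example (not TMG or Exchange code): drive one SMTP transaction through the
# TMG/Edge listener and report the reply at each stage so you can see which stage
# (connect, sender, recipient, end of data) rejected the message. Host name and
# addresses are assumptions for illustration; replace them with your own.

function Send-SmtpCommand {
    param(
        [System.IO.StreamWriter]$Writer,
        [System.IO.StreamReader]$Reader,
        [string]$Command   # empty means "just read the reply the server sends on its own"
    )
    if ($Command) {
        Write-Host "C: $Command"
        $Writer.WriteLine($Command)
        $Writer.Flush()
    }
    # Replies may span several lines; continuation lines carry '-' right after the code.
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { throw 'Server closed the connection' }
        Write-Host "S: $line"
    } while ($line.Length -gt 3 -and $line[3] -eq '-')
    return [int]$line.Substring(0, 3)
}

function Test-SmtpPath {
    param(
        [string]$SmtpHost = 'tmg.contoso.com',     # assumed external name of the TMG listener
        [int]$Port = 25,
        [string]$HeloName = 'probe.example.net',   # assumed name announced in EHLO
        [string]$From = 'sender@example.net',      # assumed envelope sender
        [string]$To = 'user@contoso.com'           # assumed internal recipient
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 30000
    $client.Connect($SmtpHost, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    try {
        # Stage 1: the banner. OnConnect has already fired; connection filtering
        # (IP block lists) shows up here as a 5xx banner or an immediate disconnect.
        if ((Send-SmtpCommand $writer $reader '') -ge 400) { return 'Rejected at connect (connection filtering)' }
        if ((Send-SmtpCommand $writer $reader "EHLO $HeloName") -ge 400) { return 'Rejected at EHLO' }
        # Stage 2: OnMailCommand -> sender filtering.
        if ((Send-SmtpCommand $writer $reader "MAIL FROM:<$From>") -ge 400) { return 'Rejected at MAIL FROM (sender filtering)' }
        # Stage 3: OnRcptCommand -> recipient filtering / recipient validation.
        if ((Send-SmtpCommand $writer $reader "RCPT TO:<$To>") -ge 400) { return 'Rejected at RCPT TO (recipient filtering)' }
        if ((Send-SmtpCommand $writer $reader 'DATA') -ne 354) { return 'Rejected at DATA' }
        # Constructed test message. The lone '.' line ends DATA and fires OnEndOfData,
        # where content filtering, attachment filtering and anti-malware run.
        $body = @(
            "From: <$From>",
            "To: <$To>",
            'Subject: TMG e-mail protection path test',
            '',
            'Probe message generated by Test-SmtpPath.',
            '.'
        )
        foreach ($l in $body) { $writer.WriteLine($l) }
        $writer.Flush()
        $code = Send-SmtpCommand $writer $reader ''
        $null = Send-SmtpCommand $writer $reader 'QUIT'
        if ($code -ge 400) { return "Rejected at end of DATA (content/attachment/anti-malware, reply $code)" }
        return 'Accepted: message queued for the internal mail server'
    }
    finally {
        $client.Close()
    }
}

Test-SmtpPath
```

Run it from a host outside the TMG external network, because the OnConnect stage judges the probe's own source IP against the connection filtering settings; a 4xx reply is treated as a rejection here as well, since Edge uses temporary rejections for some block-list hits. The client-side and server-side lines it prints are the same exchange you would see in the Exchange protocol logs for the receive connector.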

Note

For more information on how to configure Email Protection feature read the Forefront TMG documentation at https://go.microsoft.com/fwlink/?LinkId=159777.

Common Questions and Answers about Email Protection Feature

Question 1) Do I need to install Forefront Security Server for Exchange, or just Exchange Edge Transport, prior to installing TMG?

Answer: You have to install both, either before or after installing TMG.

Question 2) For troubleshooting purposes, are we going to rely completely on Exchange tools, or will there be something on the TMG logging side that can clearly say that a message was transferred to the Exchange (or FSS) component?

Answer: In TMG's logs you will be able to see that a connection was made from the Internet to Exchange, and from Exchange to the internal network. TMG does not look at the content of the data transferred to and from Exchange.

Question 3) If I don't install Exchange Edge Transport, will the regular TMG SMTP filter still work?

Answer: Yes. The default SMTP filter (which has the same capabilities as in ISA Server 2006) will still work. TMG also introduces NIS SMTP signatures that enable you to protect both the Exchange Edge Transport server and internal servers from zero-day attacks on your SMTP servers.

Question 4) Do I need a license for Exchange Edge Transport Role?

Answer: Yes.

Question 5) Can I protect any type of SMTP Server behind TMG or just Exchange?

Answer: The backend SMTP server can be any type of SMTP Server. Exchange Server is required only in the TMG itself using the Edge Transport role.

Question 6) Does TMG manage all configuration options of Exchange and FSE?

Answer: No. TMG manages a partial set of configuration options. All other options can be managed through the standard management consoles of Exchange and FSE. For greater supportability we have added a non-integrated mode (in the Troubleshooting node) that allows the admin to manually configure Exchange and FSE settings without TMG overwriting them every few minutes. After you find out what the problem was, you should enable the integration again so that TMG manages the Exchange and FSE settings again.

Note

If you change a setting that is managed by TMG, TMG will overwrite the value you changed with the value set in TMG.

Question 7) How does TMG configure Exchange and FSE?

Answer: TMG uses the standard PowerShell interface to configure both Exchange and FSE.
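Because TMG applies its settings through PowerShell every few minutes, a manual change to a TMG-managed setting silently reverts, which is why the non-integrated mode exists. The following script is an added example, not TMG or Exchange code; it is run in the Exchange Management Shell on the TMG/Edge server, takes a snapshot of the Edge anti-spam settings that TMG manages, stores it, and diffs it against the previous snapshot so you can see which values TMG rewrote (or confirm that a manual change survived while in non-integrated mode). The snapshot path and the choice of properties are assumptions for this example; FSE's own settings are not covered.

```powershell
# Added example (not TMG or Exchange code). Run in the Exchange Management Shell on
# the TMG/Edge server. It snapshots the Edge anti-spam settings that TMG manages,
# stores them, and diffs them against the previous snapshot so you can see which
# values TMG has rewritten (or whether a manual change survived in non-integrated
# mode). The snapshot path and the property list are assumptions for this example.

param([string]$SnapshotPath = (Join-Path $env:ProgramData 'EdgeAntispamSnapshot.xml'))

function Get-EdgeAntispamSnapshot {
    $snap = @{}
    # Which transport agents are enabled and in what order.
    foreach ($agent in Get-TransportAgent) {
        $snap["Agent:$($agent.Identity)"] = "Enabled=$($agent.Enabled);Priority=$($agent.Priority)"
    }
    # Content filtering (SmartScreen) thresholds.
    $cf = Get-ContentFilterConfig
    $snap['ContentFilter.Enabled'] = $cf.Enabled
    $snap['ContentFilter.SCLRejectEnabled'] = $cf.SCLRejectEnabled
    $snap['ContentFilter.SCLRejectThreshold'] = $cf.SCLRejectThreshold
    $snap['ContentFilter.SCLDeleteEnabled'] = $cf.SCLDeleteEnabled
    $snap['ContentFilter.SCLDeleteThreshold'] = $cf.SCLDeleteThreshold
    # Sender and recipient filtering.
    $sf = Get-SenderFilterConfig
    $snap['SenderFilter.Enabled'] = $sf.Enabled
    $snap['SenderFilter.BlockedSenders'] = (@($sf.BlockedSenders) -join ',')
    $snap['SenderFilter.BlockedDomains'] = (@($sf.BlockedDomains) -join ',')
    $rf = Get-RecipientFilterConfig
    $snap['RecipientFilter.Enabled'] = $rf.Enabled
    $snap['RecipientFilter.RecipientValidationEnabled'] = $rf.RecipientValidationEnabled
    # Connection filtering: IP block list and the DNS block list providers in use.
    $ib = Get-IPBlockListConfig
    $snap['IPBlockList.Enabled'] = $ib.Enabled
    $snap['IPBlockList.Providers'] = (@(Get-IPBlockListProvider | ForEach-Object { $_.LookupDomain }) -join ',')
    return $snap
}

function Compare-EdgeAntispamSnapshot {
    param([hashtable]$Old, [hashtable]$New)
    $changes = @()
    foreach ($key in (@($Old.Keys) + @($New.Keys) | Sort-Object -Unique)) {
        if ("$($Old[$key])" -ne "$($New[$key])") {
            $changes += New-Object PSObject -Property @{
                Setting = $key; Before = $Old[$key]; After = $New[$key]
            }
        }
    }
    return $changes
}

$current = Get-EdgeAntispamSnapshot
if (Test-Path $SnapshotPath) {
    $previous = Import-Clixml $SnapshotPath
    $diff = @(Compare-EdgeAntispamSnapshot -Old $previous -New $current)
    if ($diff.Count -eq 0) {
        Write-Host "No change since $((Get-Item $SnapshotPath).LastWriteTime)"
    } else {
        Write-Host 'Settings changed since the last snapshot:'
        $diff | Format-Table Setting, Before, After -AutoSize
    }
}
$current | Export-Clixml $SnapshotPath
```

Run it once to record a baseline, change a setting in the Exchange console, then run it again a few minutes later: in integrated mode the diff shows the value back at what TMG configured, while in non-integrated mode the manual value persists. The same diff is a quick way to confirm that every array member ended up with the same Edge configuration.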

Question 8) We plan to install Stirling Suite and have TMG connect to it. How does this affect me?

Answer: TMG enables the Stirling suite to manage the email security policies through FSE. For that, all you need to do is connect TMG to the Stirling suite and enable FSE to be managed by Stirling. After you apply this in the TMG policies, Stirling will control FSE's protection policies and TMG will not enforce its configured email policy on FSE.

Question 9) Can we use both Edgesync and Stirling to manage our Email policies?

Answer: Absolutely. TMG enables you to have both integrations work seamlessly.

Question 10) What performance impact do we need to expect if we install Exchange Edge and FSE on TMG instead of installing them on another server?

Answer: As a general rule TMG imposes a minimal performance hit on Exchange/FSE. However, if you install TMG with Email Policy and deploy multiple scenarios on TMG, they all generate load on CPU, memory and disk resources. You should plan carefully which scenarios you deploy and on which TMG servers. A TMG performance planning tool will be available for download in the future and will assist you with the relevant planning.

Question 11) What happens if I have an array deployed with Email Policy components and policy, and I add a new server without Exchange/FSE installed?

Answer: An asymmetric array is a problem we expected. When the server joins the array, the array configuration is applied to the new server and it raises an alert that the email policy cannot be applied on the new server. If you use NLB, you may end up with connections not being served if they are directed to the new server. Installing Exchange and FSE on the new server solves the problem.

Question 12) Which versions of Exchange do you support?

Answer: We support Exchange Edge 2007 SP2 and Exchange Edge 2010.

Question 13) Which OS versions do you support?

Answer: TMG can be installed on Windows Server 2008 (including SP1 and SP2) and Windows Server 2008 R2. Note that Exchange 2007 is not supported on Windows Server 2008 R2.

Question 14) My organization has Exchange 2007 deployed. Can I upgrade from Exchange 2007 to Exchange 2010 on TMG?

Answer: Yes, but you should consult the Exchange guidance on how to upgrade from Exchange 2007 to Exchange 2010. TMG does not support a mixed install base (for example, an array with Exchange Edge 2007 and Exchange Edge 2010 installed on different array servers).

Question 15) What is the performance cost of TMG in the Email Protection scenario?

Answer: TMG has almost no impact on performance. Initial tests showed that the admin can configure NIS to inspect the SMTP protocol and TMG's performance cost is still extremely small.

TMG B3 release limitations


Exchange Edge

After you install Forefront TMG and configure an e-mail policy, if you install the Exchange Server Edge Transport Role or Forefront Security for Exchange (FSE), the ISAManagedCtrl service fails. This does not occur if you install the Edge Transport Role or FSE before installing Forefront TMG. To install the Edge Transport Role or FSE after installing Forefront TMG and configuring an e-mail policy:

  1. At a command prompt, type:

    net stop isamanagedctrl

  2. After the service stops, install the Edge Transport Role and FSE.

  3. At the command prompt, type:

    net start isamanagedctrl

Conclusion

The E-Mail Protection feature on Forefront TMG can be used to mitigate SMTP threats by leveraging the solid SMTP foundation of the Microsoft Exchange Edge Transport role together with the powerful antivirus solution provided by Forefront Security Server for Exchange.

This article explained how the Email Protection feature works and which products are involved in the solution.