Using Mail Protection with Exchange EdgeSync on Forefront TMG
Published: November 2009
Alex Zvansky - Program Manager, Microsoft Forefront Edge Team
Yuri Diogenes - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Edge Team
Jim Harrison - Program Manager, FF Edge CS
Eran Shany - Sr Software Development Engineer
Meir Feinberg - Technical Writer
Forefront TMG enables you to protect your organization from spam, viruses and other e-mail-based threats. It does this by leveraging the mail protection provided by Microsoft Forefront Protection 2010 for Exchange Server and by utilizing the end-to-end mail relay service provided by the Exchange Edge Transport Server. In Forefront TMG we're introducing support for Exchange Edge Subscription - also called EdgeSync. This blog will walk you through the setup of Forefront TMG with E-Mail Protection and creating the Edge Subscription to your Exchange Organization.
First you need to make sure that the Forefront TMG Server has a Fully Qualified Domain Name (FQDN). This is required by the Exchange Edge Role:
If there is no primary domain suffix defined, define a suffix for your organization, apply settings and restart.
Install the Active Directory Lightweight Directory Service by running the following command from an elevated command prompt:
cmd.exe /c start /w pkgmgr.exe /iu:"DirectoryServices-ADAM"
Install Exchange 2007 SP1 or SP2; choose Custom Installation -> Edge Transport Server Role. It is recommended to restart the server after the Exchange installation is finished.
On the Forefront TMG DVD, open autorun.hta.
Install Microsoft Forefront Protection 2010 for Exchange Server
Run the Preparation Tool and then install Forefront TMG.
Go through the Getting Started wizard and Web Access wizard if needed.
Configuring E-Mail policy
Now we are ready to configure E-Mail policy on Forefront TMG.
Click on Configure Server to Server Mail Protection on the E-Mail Policy node. This will start the E-Mail policy wizard.
On the Internal Mail Server Configuration page you should specify all the Exchange hub servers that you want to forward incoming mail to. You also need to specify for which domains e-mail is accepted and forwarded to the hub servers.
For the Internal E-Mail Listener choose the Internal network. You can also specify which IP to listen on if multiple IPs are available.
For the External E-Mail Listener choose to listen on the External network. For example, specify mail.contoso.com as the FQDN that will be presented in HELO and EHLO commands.
Enable Anti-Spam, Virus and Content filtering.
When the wizard is finished, Forefront TMG proposes that you enable System policy rules to allow SMTP traffic in and out of the Forefront TMG server. Click Yes and then Apply the settings. Check Alerts for errors in applying the E-Mail policy.
Setting Up Edge Subscription
On the E-Mail Policy tab click on Enable Edge Subscription Service. You are asked to approve more System policy rules for EdgeSync traffic. Apply settings.
Now click on Generate Edge Subscription Files and save the files to a folder. If you do it for an array, a subscription file will be created for each array member.
On the Exchange hub server open the Exchange Management Console. Navigate to Organization Configuration -> Hub transport. Click on New Edge Subscription, choose the file generated by Forefront TMG and create the subscription. Repeat this for each array member.
Make sure that FQDNs for all Forefront TMG servers are resolvable via internal DNS.
Let's check that synchronization worked:
Open the Exchange Management Shell on the Forefront TMG machine and run the
Get-SendConnectorcommand. You should see at least two send connectors created.
If you don't see send connectors you can force synchronization by running
Start-EdgeSynchronizationon your hub server.
There is one more thing to do before we are ready to test mail delivery. We need to check that the authentication settings on the Receive Connectors are correct.
On the Exchange hub server, navigate to Server Configuration -> Hub Transport, right click on the Default Receive Connector and select Properties. On the Authentication tab, verify that TLS and Exchange Server authentication are selected.
On the Forefront TMG server, navigate to E-Mail Policy, right click on the Internal_Mail_Servers route and select Properties. On the Listener tab, click Authentication Settings and verify that only TLS and Exchange Server Authentication are selected.
Configuring Anti-Malware scanning and Content filtering
Now we can configure Antivirus scanning and other filtering settings. In this example I will enable a few antivirus engines and configure the blocking of EXE files.
On the Forefront TMG server, navigate to the Virus and Content Filtering tab and:
Enable the Antivirus and then click Select AV Engines on the Tasks Pane. Select one or more engines from the list.
Click on the Enabled link under File Filtering. On the File Filters tab, click Add and then on the General tab fill in Block executables as the Filter name. You can apply the filter to inbound and/or outbound messages.
On the File Types tab select Microsoft Windows Executable. Apply the settings and wait until Forefront TMG reloads the settings.
Testing mail flow and content filtering
It's time to test that our settings are working. But first we want to verify that E-Mail antivirus signatures were updated from the Internet. On the Forefront TMG server, navigate to the Update Center and select E-Mail Antivirus. The status should be green, with more details about each engine in the bottom pane.
I will use OWA on the internal network to send mail from the Exchange Organization to the External SMTP server. I also have the External client with Outlook configured with POP3 and SMTP to send mails back to the Internal Exchange.
First I send a test mail from OWA to a dummy external address *firstname.lastname@example.org*. I can retrieve the message from the External client.
Now I will try to reply to this e-mail with the notepad.exe executable file. As you can see, the executable file was blocked by the filter.
Now I will try to reply to the same mail with a zipped EICAR test virus attached (http://www.eicar.org). Same result, the file was filtered by the antivirus engine.
One last note about troubleshooting
In such a complex environment sometimes it's hard to troubleshoot problems. I want to give a few tips on how to troubleshoot mail flow through Forefront TMG E-Mail protection.
Use the Forefront TMG log. Build a query for SMTP traffic only and monitor SMTP connections live.
Use Exchange troubleshooting tools like Mail Flow Troubleshooter, Message Tracking and Queue Viewer via Exchange Management console both on Forefront TMG and on the Hub server.
When a message is stuck in the queue and you cannot figure out why, you can use SMTP protocol logging. Configure the Receive Connectors via the Exchange Management console on the Forefront TMG server. Forefront TMG will not override this setting. Configure the Send connectors via the Exchange Management console on the hub server and push via Synchronization.
In this example we will configure logging for Send Connectors:
Open the Exchange Management Console, navigate to Organization Configuration -> Hub Transport. On the Send Connectors tab, right click on Send Connector and click properties. Select Verbose as the Protocol logging level.
Repeat for all connectors.
Open the Exchange Management Shell and run the
The log can be found in the %ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtoSend and SmptRecive folders