Installing the Windows EBS Security Server

Applies To: Windows Essential Business Server

After you finish installing the Management Server, install Windows EBS on the Security Server.


You must successfully finish installing the Management Server before you begin to install the Security Server.


If you have a Group Policy object in your domain that forces Windows Firewall to be enabled on computers that join the domain (by using the Windows Firewall: Protect all network connections Group Policy setting), you must temporarily disable it to install the Security Server. During the installation of Windows EBS, Windows Firewall is turned off on the Security Server and is replaced by the network firewall in Forefront TMG. For more information about Windows Firewall Group Policy settings, see the Microsoft Web site at

Run the Security Server Installation Wizard

To configure the Security Server, the Installation Wizard uses settings that you chose while installing the Management Server.


Time to complete this task: approximately 1.5 hours. This time may vary depending on the state of your current network and how many updates or upgrades must be applied.

To install the Security Server

  1. Insert Windows EBS Installation Disk 3 into the Security Server, and boot from the DVD. The Windows Server 2008 Installation Wizard appears.

  2. Set your locale, and then click Next.

  3. Click Install Now.

  4. When prompted, we strongly recommend that you type your 25-character product key to help avoid problems during activation. Click Next.

  5. If you have an Internet connection, select the Automatically activate Windows when I'm online check box if you want to activate your software now. Click Next.

  6. Review the Microsoft Software License Terms. If you agree with them, select the I accept the license terms check box and then click Next.

  7. Select Custom (advanced) as your installation type.

  8. On the Where do you want to install Windows? page, click the partition where you want to install Windows EBS, and then click Next.


    A system partition of at least 50 GB is recommended. If you need to load a driver, click Load Driver. If you need to format or partition a disk, click Drive Options (advanced). It is recommended that you format and partition the disk before you install the Security Server. You have another opportunity to format volumes in the Windows EBS Installation Wizard.

  9. The Installation Wizard installs Windows Server 2008.


    Your computer restarts several times while Windows Server 2008 is being installed.

  10. The Security Server Installation Wizard appears. Read the introductory information on the Welcome page, and then click Next.

  11. On the Choose the internal network adapter page, select the network adapter that you use to connect this server to your network. Verify that the network adapter is connected to your internal network. Click Next.

  12. On the Choose temporary IP addresses page, either choose to use DHCP Server service to automatically assign the Security Server an IP address that is used during installation, or type a valid IP address that provides an Internet connection through your network

    Click Next.


    It is recommended that you use an existing DHCP server. If your existing domain does not have a DHCP server, use a static address.


    These IP address settings are used temporarily during installation to download critical updates from the Microsoft Updates Web site and to connect to the computers that already exist on your network. The settings will be reconfigured to your final settings later in the installation.

  13. The Installation Wizard connects to the Microsoft Update Web site and searches for critical updates for Windows EBS. If the wizard finds any updates, it installs them.

  14. Review the status of the critical updates installation on the Critical updates installed page, and then click Next.

  15. On the Choose the external network adapter page, in the list box, select the network adapter that you want to use for your external connection, and then click Next.


    This page does not appear if you have only two network adapters in your computer.

  16. On the Join the Active Directory domain page, type the Active Directory domain name that the Management Server is joined to. Type the credentials of an account that has Enterprise Administrator permissions on this domain, and then click Join domain. The server restarts to join the domain. When prompted, log on with the account that you used to join the domain. The Progress of joining the domain page helps you track the progress. When you are finished joining the Security Server to the domain, click Next.

  17. On the Check the environment page, the Installation Wizard automatically checks your environment to verify that it is compatible with Windows EBS. Read and follow the directions on the screen, and then click Check environment.

  18. On the Environment check is finished page, the Installation Wizard displays the status of the completed environment checks. When all of the checks are finished, click Next to continue.

  19. On the Set the internal IP address page, verify that the settings that you chose during the Management Server installation are filled in as the default settings, and then click Next.

    If the IP address that you specified is detected on the network, then the Choose firewall option page appears. Choose one of the following:

    • Replace your existing firewall device with the Security Server.

    • Retain your existing device and deploy the Security Server behind it. Click Next to continue.

  20. On the Set the external IP address page, choose whether to use an existing DHCP server or to manually configure the IP address settings. If you choose to manually enter the IP address settings, type a set of IP address settings that are valid for your network, and then click Next.

  21. On the Choose an Administrator password page, type a new password for the Directory Services Restore Mode. This password should be different from the passwords that you use to log on as a domain administrator and that you used to join the Active Directory domain. Confirm the password, and then click Next.

  22. On the Set the e-mail gateway page, configure the settings that allow external e-mail traffic through the Security Server until you have migrated mailboxes and other settings to the Messaging Server.

    The Installation Wizard automatically detects if Exchange Server is running in your environment and preconfigures some of the settings on this page. If Exchange Server is detected, the Installation Wizard selects I want to forward e-mail to this IP address and provides the current SMTP domains. Type the IP address of the Exchange Server in the text box, verify the SMTP domain settings, and then click Next.

    If Exchange Server is not running in your environment, select whether you want to forward e-mail. If you choose to forward e-mail, type the IP address of the e-mail server in the text box. Then, specify the SMTP settings. Type the SMTP domain name, and then click Add. If you add more than one domain, to specify the default SMTP domain, click the domain name, and then click Set default. When you are finished, click Next.


    You can forward e-mail only to an existing SMTP server that is accessible from the internal network adapter on the Security Server.


    You can add, remove, or reconfigure SMTP domain information after Windows EBS installation is finished. For more information, see the technical article on the Microsoft Web site (

  23. On the Remote access settings page, you can set up remote access to your network through services (such as Remote Web Workplace) and through e-mail services (such as Outlook® Web Access or Outlook Anywhere). Choose a URL that is easy to remember, such as Type the URL, and then click Next.

  24. On the Choose a volume for storing data page, you can choose to store applications data on a volume that is separate from your system volume. To do this, leave the radio button selected and choose the volume that you want to use for data. If you need to format a hard disk drive, create a partition, or perform other disk-management tasks, click Disk Management.

    If you want to store your system and application data on the same volume, click Store all system and application data on the system volume.

    Click Next.

  25. On the Select firewall option page, select the appropriate radio button to Replace or Retain your existing firewall, and then click Next.

  26. On the Integrate the Security Server page, follow the instructions to configure your existing network to route Internet traffic through the Security Server.


    If you do not have a gateway device (such as a router or a firewall) connecting your network to the Internet, this page is not displayed.


    If you choose to retain your existing gateway device and supplement it with the Security Server, complete the following steps (a through d). If you choose to replace your existing gateway device, remove the gateway device from the network and reconnect your Internet cable to the external network adapter of the Security Server. If your existing device has failover capabilities, make sure that you also decommission the secondary device at this time. Then continue with step 27 below. For steps a through d, pause your installation of Windows Essential Business Server. These steps position the Security Server as the default gateway for your local area network (LAN). When you finish the reconfiguration, your network connects to the Security Server as the Internet gateway (firewall). The Security Server connects to your existing (but reconfigured) firewall device to connect it to the Internet. The Installation Wizard prompts you to complete steps a through d.

    1. Change the internal IP address on your existing Internet gateway device to a new address. To do this, follow the instructions from the device manufacturer.

    2. Disconnect the cable that connects your existing gateway device to your network (leave it connected to the Internet).

    3. Connect the disconnected cable to the external network adapter on the Security Server. This connects the Security Server to the gateway device. You may need to use one or more hubs to make these connections.

    4. Connect the internal network adapter on the Security Server to the LAN. The Security Server is already configured with the IP address of your existing gateway device.

    When you are finished, click Next in the Installation Wizard.

  27. Review, and optionally save, your settings on the Review the Security Server installation page. You can change the settings that you made since you joined the Active Directory domain by clicking Previous to return to previous pages. When you finish reviewing the settings, click Install. The remainder of the installation can proceed unattended.

    The Installation Wizard installs Windows EBS on your Security Server and configures it with the settings that you select. The Progress of Security Server installation page displays progress bars that show you how the installation is proceeding. Depending on the settings that you chose, the server may restart several times.

    If you want to observe the progress, you can log on to the server by using your domain administrator credentials.

  28. When the Security Server is installed, the Security Server installation tasks finished page appears. Click Next.

  29. If you did not choose to automatically install optional updates, the Choose optional updates page appears. You can choose to install the most recent updates for all the server roles that you installed. If you prefer, you can finish the installation without downloading or installing the updates. Click Install updates to start the update process, or click Finish to finish installing without the updates.

  30. If you chose to install optional updates, the Installation Wizard connects to the Microsoft Updates Web site to search for and download updates for your server. The Progress of optional updates page displays progress as updates are installed. After the updates are installed, click Finishon the Installation and updates finished page.


    If there is a problem downloading or installing an update from Microsoft Update, you can successfully finish the installation of Windows EBS without applying the update. After you finish the installation of Windows EBS on the three servers, use the update-management tools in Windows EBS to apply updates.

  31. For either update option, the Continue installation page directs you to continue installation on the Messaging Server, as described in Installing the Windows EBS Messaging Server. Click Close, and then move to the Messaging Server to continue.


    If you do not see the Windows desktop after you close the Installation Wizard, you can restart the computer. Or, press CTRL+ALT+DEL, and then click Start Task Manager. In Task Manager, click File, and then click New Task (Run…). In the Open text box, type explorer.exe, and then click OK.

Security Server installation summary

Applications, roles, and services installed

During installation, applications, roles, and services are installed and partially or completely configured on the Security Server. For those roles that are partially configured, you complete the configuration after the installation is finished on all three servers. The following applications, roles, and services are installed:

  • Active Directory Lightweight Directory Services

  • Exchange Server Edge Transport

  • Exchange Intelligent Message Filter

  • Forefront TMG

  • Remote Web Workplace

  • Routing and Remote Access service

  • System Center Operations Manager agent

  • SQL Server Express (required for Forefront TMG logging)

  • Windows Server 2008

Network status

When installation is finished on the Security Server, the following has been accomplished:

  • The Security Server is assigned a name and a static IP address.

  • The Security Server is joined to the selected Active Directory domain.

  • Windows Firewall is turned off on the Security Server and is replaced by Forefront TMG.

  • The Security Server is established as the default gateway for your network.

  • The Security Server provides firewall and other security roles to the network.

  • If chosen as an option, your previous gateway device is reconfigured to be an additional firewall between the Security Server and the Internet. If you did not choose to retain your previous gateway device, it is decommissioned.

  • Default Forefront TMG publishing rules are configured.

  • E-mail is forwarded to the existing e-mail server, if specified.

  • Exchange Server Connector settings are configured.