
Exchange Server 2010 Edge Server and Microsoft Threat Management Gateway

Introduction
When you have an Exchange Server 2010 environment you can use the Edge Transport Server, typically located in the Demilitarized Zone (DMZ) or perimeter network, for message hygiene purposes. By default the Edge Transport Server has the anti-spam functionality enabled, and when Forefront Protection for Exchange is installed the Edge Transport Server also performs antivirus scanning. Email from the Internet is received by the Edge Transport Servers, spam messages and messages containing viruses are cleaned up, and the results are sent to the Hub Transport Server, located in the internal network and domain. The Client Access Server gives e-mail clients access to their mailboxes; the Client Access Server is located on the internal network, and locating the Client Access Server in the DMZ is not supported. For more information regarding the CAS server and the DMZ visit the Exchange Team Site. You can use a Microsoft ISA Server 2006 in the DMZ, and the ISA Server publishes the Exchange services like OWA, Outlook Anywhere or ActiveSync. It is not possible to combine the ISA Server and the Edge Transport Server on one server, let alone combine them with Forefront Protection for Exchange.

Threat Management Gateway (TMG)


The Forefront Threat Management Gateway (TMG) 2010 is the successor of ISA Server 2006 and TMG contains a lot of new features that are interesting for Exchange administrators. One of the things is that you can install the Edge Server, TMG and Forefront Protection for Exchange on one (physical) server.

Figure 1: The Edge Server, TMG and Forefront Protection for Exchange on one server

The advantage of this solution is of course that you will need only one server. This will save you an additional Windows license, but do not forget the cost of the server itself and the power and cooling that are needed. To install this combination of Edge Server, Forefront Protection for Exchange and Threat Management Gateway, follow this order:

1. Install Windows Server 2008 R2
2. Install Active Directory Lightweight Directory Services (LDS)
3. Install Exchange 2010 Edge Transport Server
4. Install Forefront Protection for Exchange
5. Install Forefront Threat Management Gateway

Windows Server 2008 R2


The first step is to install Windows Server 2008 R2. This is an x64 server, which is of course needed for Exchange Server 2010, but TMG is also an x64 application, whereas the old ISA Server was a 32-bit application. Install Windows Server 2008 R2 and make sure that the server is connected to both the internal and the external network. After installation configure the network; both the internal and the external name resolution have to be correct. Bring the server up to date with the latest hotfixes.

Install Active Directory Lightweight Directory Services

After installing Windows Server 2008 R2, Active Directory Lightweight Directory Services (LDS) needs to be installed. Log on to the server and open Server Manager. Select Roles in the navigation pane and in the results pane select Add Roles. In the Select Roles wizard select Active Directory Lightweight Directory Services. Add the required features (.NET Framework 3.5.1) as well. Finish the wizard and install LDS.
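The same preparation can be done from PowerShell on Windows Server 2008 R2 instead of the Server Manager wizard. The following is an added example and not code from the original article: it installs the AD LDS role together with the .NET Framework 3.5.1 feature the wizard pulls in, lists the IP-enabled interfaces so you can confirm both the internal and the external NIC are configured, and then checks internal and external name resolution as the previous section requires. The host names in the list are placeholders for your own environment.

```powershell
# Added example, not part of the original article. Run elevated on the freshly
# installed Windows Server 2008 R2 host before installing the Edge role.
Import-Module ServerManager

# AD LDS plus the .NET Framework 3.5.1 feature that the Add Roles wizard adds as a dependency.
$result = Add-WindowsFeature -Name ADLDS, NET-Framework-Core
if (-not $result.Success) { throw "Feature installation failed: $($result.ExitCode)" }
if ($result.RestartNeeded -eq "Yes") { Write-Warning "Reboot required before installing the Edge Transport role." }

# The combined Edge/TMG server needs an internal and an external interface; show both.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Format-Table Description,
        @{ n = "IP";  e = { $_.IPAddress -join "," } },
        @{ n = "DNS"; e = { $_.DNSServerSearchOrder -join "," } } -AutoSize

# Internal and external name resolution must both work from this host.
# Both names below are placeholders (assumed, not from the article).
$names = @{
    "hub01.corp.example.com" = "internal Hub Transport server"
    "external.example.net"   = "a public name reachable through the external DNS"
}
foreach ($n in $names.Keys) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
        "{0,-26} {1,-50} {2}" -f $n, $names[$n], ($ips -join ", ")
    } catch {
        Write-Warning ("Cannot resolve {0} ({1}): {2}" -f $n, $names[$n], $_.Exception.Message)
    }
}
```

If either lookup fails, fix DNS on the relevant interface before continuing: EdgeSync needs the Edge server to resolve the internal Hub Transport servers, and outbound mail needs the external resolver.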

Install Edge Transport Server


To install the prerequisite software for the Exchange Server 2010 Edge Transport Server, open a command prompt and navigate to the \Scripts directory on the installation media. Enter the following command:

    ServerManagerCmd.exe -InputPath Exchange-Edge.XML

An error message pops up saying that ServerManagerCmd is deprecated. Although true, do not pay too much attention to the message at this point. When the prerequisite software is installed, reboot the server as requested.

Install the Edge Transport Server; this can be done using the graphical user interface or the unattended setup program. The Management Tools will be installed automatically. After the installation of the Edge Server it is time to configure the EdgeSync service. The EdgeSync service is responsible for synchronizing information from the Hub Transport Server to the Edge Transport Server. To configure an Edge Subscription, log on to the Edge Transport Server, open an Exchange Management Shell and enter the following command:

    New-EdgeSubscription -FileName C:\Edge-TMG.XML

Copy the Edge-TMG.XML file to the internal Hub Transport Server and import it there. After importing, the Edge Synchronization can be started. To achieve this, log on to the Hub Transport Server, open an Exchange Management Shell and enter the following commands:

    $Temp = Get-Content -Path "C:\Edge-TMG.xml" -Encoding Byte -ReadCount 0
    New-EdgeSubscription -FileData $Temp -Site "Default-First-Site"
    Start-EdgeSynchronization

Make sure that after the Start-EdgeSynchronization command the results are successful. This is shown on the console:

Figure 2: The Edge Synchronization is successfully started.

When you have successfully set up the Edge Synchronization, it is a good time to test the SMTP functionality and see if you can send and receive messages from your Exchange Server 2010 mailbox to and from the Internet. If successful, continue with the next steps.
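The Edge Subscription procedure above, carried through with the verification steps a practitioner would add, as an added example that is not part of the original article. It uses the same file name and site name as the article; the Hub Transport server name and the two mail addresses in the SMTP test are placeholders. The first section runs in the Exchange Management Shell on the Edge Transport Server, the rest on the internal Hub Transport Server.

```powershell
# Added example, not from the original article. Section 1 runs on the Edge
# Transport Server, sections 2 and 3 on the internal Hub Transport Server.

# ---- 1. Edge Transport Server: export the subscription file ----
# The file carries the credentials the Hub Transport server will use to write
# into the Edge server's AD LDS instance, so copy it over a protected path and
# delete it on both sides after the import. It must be imported within 24 hours.
New-EdgeSubscription -FileName "C:\Edge-TMG.xml" -Force

# ---- 2. Hub Transport Server: import the file and run the first sync ----
$edgeFile = "C:\Edge-TMG.xml"        # copied from the Edge server
$siteName = "Default-First-Site"      # AD site of the Hub Transport server(s), as in the article

$fileData = Get-Content -Path $edgeFile -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $fileData -Site $siteName `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item -Path $edgeFile            # no longer needed once imported

# Start-EdgeSynchronization returns one result object per Edge server and data
# type; fail loudly instead of trusting the console output by eye.
$results = Start-EdgeSynchronization
$results | Format-Table Name, Type, Result, Added, Deleted, Updated, FailureDetails -AutoSize
if ($results | Where-Object { $_.Result -ne "Success" }) {
    throw "EdgeSync reported a failure; check the MSExchange EdgeSync events on the Hub Transport server."
}

# Test-EdgeSynchronization compares the Hub and Edge copies of the data;
# SyncStatus should read Normal once the first synchronization has finished.
Test-EdgeSynchronization | Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetail

# ---- 3. Hub Transport Server: the SMTP round-trip test the article suggests ----
# Send-MailMessage (PowerShell 2.0) submits the message to the Hub Transport server;
# the server name and both addresses are placeholders.
Send-MailMessage -SmtpServer "hub01.corp.example.com" `
    -From "edgetest@corp.example.com" -To "someone@external.example.net" `
    -Subject "EdgeSync outbound test" -Body "Sent after Start-EdgeSynchronization."

# On the Edge server, confirm the message left through the Internet send connector:
# Get-MessageTrackingLog -EventId SEND -Start (Get-Date).AddMinutes(-10) |
#     Format-Table Timestamp, Sender, Recipients, ConnectorId -AutoSize
```

The two explicit `-Create...SendConnector` switches match the defaults; they are spelled out so that an administrator who already has hand-made send connectors can see where to turn them off.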

Install Forefront Protection for Exchange (FPE)


When you start the graphical setup of Exchange Server 2010 you are presented with a splash screen. The last option, under Enhance, is Install Microsoft Forefront Protection 2010 for Exchange Server.

Figure 3: The setup application splash screen

When you select this option you are redirected to the Microsoft website where you can download FPE. After downloading, start the ForefrontExchangeSetup.exe application. Follow the setup wizard to install Forefront Protection for Exchange. On the Anti-spam Configuration page select Enable anti-spam later. After installation, do not check Launch the Forefront Online Protection for Exchange Gateway installation program. Click Finish to end the installation program. When you start the Forefront Administrator Console an Evaluation License Notice is shown. You can activate Forefront immediately, but there's a 120 day trial period. In the Administrator Console you will see that the scanning engines are not updated immediately.

Figure 4: The engines are not updated immediately

After some time (15 minutes in my test environment) you will notice that the engines are updated and the yellow exclamation mark will change into a green checkmark.

Install Forefront Threat Management Gateway



The last and most interesting step is to install the Threat Management Gateway (TMG) into the recently installed Edge Transport Server. Navigate to the installation media and start the setup application. A splash screen is shown:

Figure 5: The TMG (standard edition) splash screen

Select Run Preparation Tool in the splash screen to install the TMG prerequisite software. Follow the Forefront TMG Preparation Tool wizard. Select the Forefront TMG Services and Management option to install both the software and the management tools.

Figure 6: Select "Forefront TMG services and Management" to install the software and the management tools

The prerequisite software will be installed automatically, and when it is finished you have the option to start the Forefront TMG Installation wizard automatically.

Figure 7: Start the Forefront TMG installation wizard

Click Finish and the installation wizard will be started automatically. Follow the wizard, accept the license agreement and enter your user name, company name and serial number. Continue the wizard until you get to the internal network option. In my test environment I have two networks: a public network that's connected to the Internet and a private, internal network. The Exchange Servers are connected to this internal network.

Figure 8: Select the internal (private) network

Click Next to continue the setup wizard and install TMG on the server. The installation can take some time.

Figure 9: Approx. 19 minutes to install TMG on our Edge Server

When the setup program is finished, click Finish. If you want, you can check Launch Forefront TMG Management when the wizard closes and the management console will be started automatically.

Figure 10: The TMG Server is now installed on top of the Edge Transport Server

Although the internal Hub Transport Server was working with the Edge Transport Server, it has now stopped working. This is because the TMG Server is a firewall as well and needs to be configured before all functionality is available again. In the next article I will explain the various settings of the Edge Server, Forefront Protection for Exchange and Threat Management Gateway combination.

/////////////////////////////////////////////////////////////////////////////////////////////////

How to Install Exchange 2007 Edge Transport Server on Windows Server 2008

Exchange Server 2007 includes five roles: Mailbox, Client Access, Hub Transport, Unified Messaging and Edge Transport Server Role. In this step-by-step screencast, we will demonstrate the installation and configuration of the Edge Transport Server Role. The primary responsibility of the Edge Server is to function as an SMTP gateway and protect your messaging system from viruses and spam. It is important to point out that:

- The Edge server checks only SMTP traffic; all inbound and outbound e-mails for your organization should be flowing through it.
- You cannot use the Edge server for OWA (Outlook Web Access), Outlook Anywhere, POP3 or IMAP access.
- You cannot install any other Exchange role on an Edge Transport Server; as you can see in the video, once you check the Edge server role box, all other roles are grayed out.
- The Edge server should be installed in the DMZ as a workgroup machine; it is not a member of your internal Active Directory domain.
- The MX record for your domain(s) should be pointing to the Edge Server's public IP; all inbound traffic should be flowing through it.
- The Edge server uses AD LDS (Active Directory Lightweight Directory Services) when installed on Windows Server 2008, or ADAM (Active Directory Application Mode) when installed on Windows Server 2003.

In the following step-by-step video tutorial, you will see the installation and initial synchronization of an Edge Transport server on Windows 2008 OS, in a DMZ.
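The placement rules in the list above can be verified on the Edge server itself. The following read-only check is an added example and not part of the NetoMeter post: it confirms the server is a workgroup machine, that the AD LDS instance created by Edge setup is running, that something is listening on TCP 25, and that the MX record of the published domain resolves to the Edge server's public address. The domain name and the public IP are placeholders; the AD LDS service name ADAM_MSExchange and the English `nslookup` output format are assumptions about the Windows Server 2008 host.

```powershell
# Added example, not from the original post. Run in any PowerShell window on
# the Edge Transport Server; nothing here changes configuration.
function Test-EdgePlacement {
    param(
        [string]$MailDomain = "example.com",         # placeholder: the published SMTP domain
        [string]$ExpectedPublicIp = "203.0.113.25"   # placeholder: the Edge server's public IP
    )
    $checks = New-Object System.Collections.ArrayList
    function Add-Check($name, $passed, $detail) {
        [void]$checks.Add((New-Object PSObject -Property @{
            Check = $name; Passed = [bool]$passed; Detail = [string]$detail }))
    }

    # 1. Workgroup machine, not joined to the internal AD domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) { Add-Check "Not domain-joined" $false ("member of " + $cs.Domain) }
    else                  { Add-Check "Not domain-joined" $true  ("workgroup " + $cs.Workgroup) }

    # 2. The AD LDS instance that Edge setup registers (assumed name ADAM_MSExchange) is running.
    $adam = Get-Service -Name "ADAM_MSExchange" -ErrorAction SilentlyContinue
    if ($adam) { Add-Check "AD LDS instance running" ($adam.Status -eq "Running") $adam.Status }
    else       { Add-Check "AD LDS instance running" $false "service ADAM_MSExchange not found" }

    # 3. SMTP is the only protocol Edge handles, so TCP 25 must be listening.
    $listen = @(netstat -an -p tcp | Where-Object { $_ -match ":25\s+\S+\s+LISTENING" })
    Add-Check "SMTP listener on TCP 25" ($listen.Count -gt 0) `
        $(if ($listen.Count -gt 0) { $listen[0].Trim() } else { "nothing listening" })

    # 4. Every MX host for the domain should resolve to the Edge server's public IP.
    $mxHosts = @(nslookup -type=mx $MailDomain 2>$null | ForEach-Object {
        if ($_ -match "mail exchanger = (\S+)") { $matches[1].TrimEnd('.') } })
    $mxIps = @()
    foreach ($h in $mxHosts) {
        try { $mxIps += [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString } }
        catch { }
    }
    Add-Check "MX for $MailDomain resolves to $ExpectedPublicIp" ($mxIps -contains $ExpectedPublicIp) `
        (($mxHosts -join ",") + " -> " + ($mxIps -join ","))

    $checks
}

Test-EdgePlacement -MailDomain "example.com" -ExpectedPublicIp "203.0.113.25" |
    Format-Table Check, Passed, Detail -AutoSize
```

A failed first check is the one to take seriously: an Edge server that has been joined to the internal domain has exactly the exposure the DMZ placement is meant to avoid.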


http://www.techrepublic.com/article/configure-it-design-the-best-security-topology-for-yourfirewall/1039779

4) http://docs.oracle.com/cd/B14099_19/core.1012/b13999/rectop.htm

5) http://searchsecurity.techtarget.com/tip/Choosing-the-right-firewall-topology-Bastion-host-screenedsubnet-or-dual-firewalls

6) http://araihan.wordpress.com/2010/05/28/exchange-2010-deployment-in-different-firewallscenario/

Microsoft Exchange 2010 is the latest release of the Microsoft messaging technology family. Microsoft Exchange Server 2010 brings new and improved technologies, features, and services to the messaging product line. Exchange 2010 is a role-based deployment with the Exchange Hub Transport, Exchange Client Access Server, Exchange Unified Messaging, Exchange Edge Transport and Exchange Mailbox roles. Each of these roles is significant when you are planning an upgrade or a new deployment. Careful selection and placement of servers in different parts of the corporate infrastructure is highly crucial, and you have to plan ahead to deploy Exchange farms. Exchange 2010 brings HA, new transport and routing, Exchange Anywhere, protection and greater compliance with corporate networks. Exchange can be deployed under many firewall and security topologies, so it is highly important that you spend a great deal of time designing and deploying the firewall and security for Exchange. In this article, I am going to describe several firewall scenarios for Exchange deployment. I reckon you might be bombarded with spam without this wonderful device, i.e. the Cisco IronPort, so I put greater emphasis on Cisco IronPort C series and M series firewall and anti-spam devices in each of my diagrams. Cisco IronPort is a proven technology to manage and counteract spam, and to provide content filtering and antivirus.

Edge Firewall: This scenario allows users to access OWA from the extranet to the intranet. However, OWA is placed in the internal network. The communication from the extranet is encrypted and the communication in the intranet is not encrypted. The firewall technology used is based on Microsoft ISA Server 2006 or Forefront TMG 2010, and Microsoft Exchange OWA and Outlook Anywhere are published to the extranet by using the web site publishing feature of Microsoft ISA Server 2006 or TMG. The authentication used for the extranet users is Windows Authentication. This type of deployment uses two NICs on the TMG server: one designated as external and another designated as internal. A small business can deploy this type of firewall for Exchange. This is not a recommended deployment for a big organisation.

Back to Back Firewall: This configuration requires two ISA Server 2006 or Forefront TMG 2010 installations on two separate servers, each with two distinct network adapters, configured to communicate with the Internet, the perimeter network and the internal network. When configuring ISA Server 2006 or TMG, the range of IP addresses used by the Internet, perimeter and internal networks has to be specified, as well as the Firewall Policy rules that govern the communication between each network. This is done in two steps that target the front firewall and then the back firewall.

Important! A front-end server is a specially configured server running either Exchange Server 2003 or Exchange 2000 Server software. A back-end server is a server with a standard configuration. There is no configuration option to designate a server as a back-end server. The term "back-end server" refers to all servers in an organization that are not front-end servers after a front-end server is introduced into the organization.

3-Leg Perimeter or DMZ firewall: This configuration requires an ISA Server 2006 or Forefront TMG 2010 installation on a server (or servers) with three distinct network adapters that are configured to communicate with the Internet, the perimeter network and the internal network. When configuring ISA Server 2006 or TMG, the range of IP addresses used by the Internet, perimeter and internal networks has to be specified, as well as the Firewall Policy rules that govern the communication between each network.

3-Leg Perimeter or DMZ firewall with a Domain Controller in Perimeter: This is a similar scenario to the one mentioned above. However, a DC with the GC role is placed in the DMZ. An external trust is created between the external DC and the internal DC. Specific ports are opened in the firewall to communicate between the two domains. In this deployment, the internal domain(s) aren't exposed to the perimeter. Users can access OWA, ActiveSync and Outlook Anywhere from the extranet securely.

Conclusion: DMZ is the recommended topology for the following reasons:

- It provides security by isolating intruders from the rest of the network.
- It provides application protocol filtering.
- It performs additional verification on requests before it proxies them to the internal network.

Further Help:

Placing a firewall in a corporate network puts you in a commanding position to protect your organisation's interests from intruders. A firewall also helps you to publish content or share infrastructure or data securely with external entities such as roaming clients, business partners and suppliers. Simply put, you can share internal content without compromising security, for example by publishing the Exchange Client Access Server, OCS 2007 and SharePoint front-end servers in the perimeter. More elaborately, the front-end and back-end topology is commonly seen in multi-tier applications where the user interacts with a front-end server (example: CAS server) and that server interacts with a back-end server (example: HT server). In this Exchange deployment scenario, users interact with a front-end CAS web server placed in the DMZ or perimeter to get Outlook Web Access for reading and sending email. That web server must interact with the back-end mail server or HT server, but Internet users do not need to interact directly with the back-end HT server. The front-end and back-end server(s) do all this for you, providing maximum security. See also Exchange 2010 deployment in different firewall scenario.

In this article, I am going to illustrate the Back-to-Back Firewall with DMZ. This topology adds content publishing to the back-to-back perimeter topology. By adding content publishing, sites and content that are developed inside the corporate network can be published to the server farm that is located in the perimeter network. The following illustration shows the back-to-back perimeter topology with content publishing.

Advantages

1. Isolates customer-facing and partner-facing content to a separate perimeter network.
2. Content publishing can be automated.
3. If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.

Disadvantages

1. Requires more hardware to maintain two separate farms.
2. Data overhead is greater. Content is maintained and coordinated in two different farms and networks.
3. Changes to content in the perimeter network are not reflected in the corporate network. Consequently, content publishing to the perimeter domain is not a workable choice for extranet sites that are collaborative.

Assumptions:

1. Internal IP range: 10.10.10.0/24
2. Perimeter IP range: 192.168.100.0/24
3. Public IP: 203.17.x.x/24

////

6)

///http://www.petri.co.il/implement-edge-transport-server.htm

With that in mind, here is the order in which the various filters are applied:

1. The IP block and allow list is processed
2. The IP Block List Providers and IP Allow List Providers are processed
3. The sender filtering agent checks the blocked senders list
4. The Sender ID agent performs an SPF record query
5. The Recipient Filtering Agent checks the blocked senders list
6. The Content Filtering Agent checks the message's contents. Safe list aggregation is also applied at this point in the process to help reduce false positives.
7. The edge transport server filters out prohibited attachment types
8. Finally, the message is either handed off to a hub transport server, rejected, or deleted, depending on the rules that are in place.

Summary

Unfortunately, there is no way that I can possibly discuss all of the issues associated with configuring an edge transport server within the confines of an article. For that, I would have to write a book. Instead, my goal has been to help you to understand the filtering process, and to help you think about the safest ways of initially enabling edge filtering.
http://www.petri.co.il/introduction_to_exchange_2007_server_roles.htm
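Before enabling edge filtering on a production domain it helps to see, in the processing order listed above, which agent is enabled and what each one will do to a message. The following report is an added example and not code from the Petri article: it runs in the Exchange Management Shell on the Edge Transport server, reads each agent's configuration with the standard Get-*Config cmdlets, and warns about the settings that delete mail silently, since those are the ones with no NDR and therefore no evidence for the sender, the recipient or the administrator. The warning thresholds are the example's own choice, not Exchange defaults.

```powershell
# Added example, not from the original article. Read-only: it queries the
# Edge Transport anti-spam configuration and changes nothing.
function Get-EdgeFilterReport {
    $rows = New-Object System.Collections.ArrayList
    function Add-Row($stage, $agent, $enabled, $note) {
        [void]$rows.Add((New-Object PSObject -Property @{
            Stage = $stage; Agent = $agent; Enabled = [bool]$enabled; Note = $note }))
    }
    # Get-TransportAgent reflects the real execution order (lower Priority runs first);
    # the Enabled flag per agent is needed for the stages without their own *Config cmdlet.
    $agentOn = @{}
    foreach ($a in Get-TransportAgent) { $agentOn[[string]$a.Identity] = $a.Enabled }

    # Stages 1-2: connection filtering, local IP lists first, DNS-based providers second.
    $blk = Get-IPBlockListConfig; $alw = Get-IPAllowListConfig
    Add-Row 1 "Connection Filtering Agent (IP lists)" `
        ($agentOn["Connection Filtering Agent"] -and ($blk.Enabled -or $alw.Enabled)) `
        ("block entries=" + @(Get-IPBlockListEntry).Count + " allow entries=" + @(Get-IPAllowListEntry).Count)
    Add-Row 2 "IP Block List Providers" (Get-IPBlockListProvidersConfig).Enabled `
        ("providers=" + ((@(Get-IPBlockListProvider) | ForEach-Object { $_.LookupDomain }) -join ","))

    # Stage 3: sender filtering against the blocked senders/domains list.
    $sf = Get-SenderFilterConfig
    Add-Row 3 "Sender Filter Agent" $sf.Enabled ("action=" + $sf.Action +
        " blocked senders=" + @($sf.BlockedSenders).Count + " blocked domains=" + @($sf.BlockedDomains).Count)

    # Stage 4: Sender ID (SPF lookup on the purported responsible address).
    $sid = Get-SenderIdConfig
    Add-Row 4 "Sender Id Agent" $sid.Enabled ("spoofed domain action=" + $sid.SpoofedDomainAction +
        " temp error action=" + $sid.TempErrorAction)

    # Stage 5: recipient filtering (block list and recipient validation via EdgeSync data).
    $rf = Get-RecipientFilterConfig
    Add-Row 5 "Recipient Filter Agent" $rf.Enabled ("recipient validation=" + $rf.RecipientValidationEnabled +
        " block list=" + $rf.BlockListEnabled)

    # Stage 6: content filtering by SCL; safelist aggregation is honoured here as well.
    $cf = Get-ContentFilterConfig
    Add-Row 6 "Content Filter Agent" $cf.Enabled ("delete SCL>=" + $cf.SCLDeleteThreshold + "(" + $cf.SCLDeleteEnabled +
        ") reject SCL>=" + $cf.SCLRejectThreshold + "(" + $cf.SCLRejectEnabled +
        ") quarantine SCL>=" + $cf.SCLQuarantineThreshold + "(" + $cf.SCLQuarantineEnabled + ")")

    # Stage 7: attachment filtering by file name / MIME type.
    $af = Get-AttachmentFilterListConfig
    Add-Row 7 "Attachment Filtering Agent" $agentOn["Attachment Filtering Agent"] `
        ("action=" + $af.Action + " entries=" + @(Get-AttachmentFilterEntry).Count)

    $rows
}

Get-EdgeFilterReport | Sort-Object Stage | Format-Table Stage, Agent, Enabled, Note -AutoSize -Wrap

# Silent actions are the ones to enable last: no NDR is generated, so a false
# positive is invisible to everyone. Surface them explicitly.
$cf = Get-ContentFilterConfig
if ($cf.Enabled -and $cf.SCLDeleteEnabled) {
    Write-Warning ("Content filter deletes mail at SCL >= " + $cf.SCLDeleteThreshold + " without an NDR.")
}
if ((Get-AttachmentFilterListConfig).Action -eq "SilentDelete") {
    Write-Warning "Attachment filter silently deletes entire messages, not just the attachment."
}
if ((Get-SenderIdConfig).SpoofedDomainAction -eq "Reject") {
    Write-Warning "Sender ID rejects on SPF failure; confirm your partners publish correct SPF records first."
}
```

Running the report before and after each change gives a record of which stage of the chain a setting belongs to, which is what you need when a legitimate message is later found to have been dropped.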

////

Exchange Server 2010 Backup and Recovery Training - Course Outline

Lesson 1 - Getting Started with Exchange 2010 Backup and Recovery
Lesson 2 - The Course Scenario
Lesson 3 - Lab Setup
Lesson 4 - An Overview of Disaster Recovery
Lesson 5 - Storage Architecture and Backup/Recovery Basics
Lesson 6 - Windows Server Backup
Lesson 7 - Item and Mailbox Recovery with Windows Server Backup
Lesson 8 - Dial Tone Recovery with Windows Server Backup
Lesson 9 - Data Protection Manager Setup
Lesson 10 - Working with Data Protection Manager
Lesson 11 - Third Party Solutions: CommVault Simpana
Lesson 12 - Third Party Solutions: Asigra Cloud Backup
Lesson 13 - Third Party Solutions: Actifio
Lesson 14 - Replacing Backup/Recovery with High Availability
Lesson 15 - Exchange Recovery Best Practices
Lesson 16 - Next Steps

/// http://www.petri.co.il/edge-transport-server-security-part-1.htm

///


http://www.techrepublic.com/article/5-exchange-server-security-tips/6112946
