Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Part 5 - Putting it all together

We finally have our consolidated Exchange Server Edge and TMG 2010 server installed, but what now? How do we take advantage of all the great new features? In this part of the series, I’ll configure our E-Mail Policy, create a new Edge Subscription and then configure Antivirus and File Filters.

Firstly, we’ll configure our E-Mail Policy. If you open the TMG Management Console, select “E-Mail Policy” and then select “Configure E-Mail Policy” from the tasks pane.

On the “Welcome to the E-Mail Policy Wizard” screen, click “Next” to continue.

On the “Internal Mail Server Configuration” screen, add all the Exchange Hub Transport servers that you want to forward incoming mail to. You also need to add your accepted domains. Then click “Next”.

For the “Internal E-Mail Listener” choose the Internal network. You can also specify which IP to listen on if multiple IPs are available. Click “Next”.

For the “External E-Mail Listener” choose to listen on the External network and specify the FQDN that will be presented in HELO and EHLO commands.

Enable spam filtering, virus and content filtering. You also have the option to enable EdgeSync traffic; you should enable this here, as it creates the relevant System Policy rule allowing port 50636 for EdgeSync communication with the Exchange Hub Transport server.

Click “Finish” to complete the E-Mail Policy wizard.

TMG will prompt you to create a System Policy; click “Yes”.

Once done, click “Apply” to apply the new E-Mail Policy.

Next, we set up a new Edge Subscription. From the TMG Management Console, navigate to “E-Mail Policy” and, in the “Tasks” pane, click “Generate Edge Subscription Files”.

Make a note of where you save this file. Once complete, copy the edge subscription file to your Hub Transport server.

Log on to your Hub Transport server and open the Exchange Management Console, then expand “Organization Configuration” and click on “Hub Transport”. Click “New Edge Subscription” under the “Actions” menu.

Select the appropriate AD site and locate the Edge Subscription file copied from your TMG server. Click “New”.

Once the wizard completes successfully, click “Finish”.

Expand “Organization Configuration”, click on “Hub Transport” and select the “Edge Subscriptions” tab. You should now see your Edge Subscription listed there.

On your Hub Transport server, ensure that the “Microsoft Exchange EdgeSync” service is set to automatically start.

On the Hub Transport server, open the Exchange Management Shell and start edge synchronization by issuing the following cmdlet:

Start-EdgeSynchronization

After a few minutes, you should be able to verify that your edge synchronization is working by opening the “Exchange Management Shell” and issuing the following cmdlet:

Get-SendConnector

Next, we need to verify the authentication settings on the Receive Connectors.

On the Hub Transport server, open the Exchange Management Console and expand to "Server Configuration", click on "Hub Transport", right click on the "Default Receive Connector" and select Properties. On the Authentication tab, verify that TLS and Exchange Server authentication are selected.

On the TMG server, open the TMG Management console and navigate to "E-Mail Policy", right click on the "Internal_Mail_Servers" route and select Properties. On the Listener tab, click "Authentication Settings" and verify that only TLS and Exchange Server Authentication are selected.
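To confirm the state the last few steps describe without clicking through both consoles, here is a short verification script I have added (it is not from the original post); run it in the Exchange Management Shell on the Hub Transport server. It assumes the Hub Transport server is called HUB01 (a placeholder) and that the Default Receive Connector’s name starts with “Default”, as Exchange 2010 names it.

```powershell
# Added verification script, not part of the original post.
# Assumptions: Hub Transport server is HUB01 (placeholder); the Default
# Receive Connector is the one whose name starts with "Default".
param(
    [string]$HubServer = "HUB01"
)

# 1. The Edge Subscription imported from the TMG-generated file should be listed.
$subs = @(Get-EdgeSubscription)
if ($subs.Count -eq 0) { Write-Warning "No Edge Subscription found" }
else { $subs | Format-Table Name, Site -AutoSize }

# 2. Test-EdgeSynchronization reports the sync status per Edge server;
#    anything other than "Normal" means EdgeSync over port 50636 is not working.
Test-EdgeSynchronization | ForEach-Object {
    $msg = "EdgeSync to {0}: {1}" -f $_.Name, $_.SyncStatus
    if ($_.SyncStatus -ne "Normal") { Write-Warning $msg } else { Write-Host $msg }
}

# 3. EdgeSync creates the "EdgeSync - <site> to Internet" and
#    "EdgeSync - Inbound to <site>" Send Connectors seen with Get-SendConnector.
$edgeSend = @(Get-SendConnector | Where-Object { $_.Name -like "EdgeSync - *" })
if ($edgeSend.Count -lt 2) {
    Write-Warning "Expected two EdgeSync Send Connectors, found $($edgeSend.Count)"
} else {
    $edgeSend | Format-Table Name, Enabled, SmartHosts -AutoSize
}

# 4. The Default Receive Connector must offer TLS and Exchange Server
#    authentication so TMG's Internal_Mail_Servers route can authenticate.
Get-ReceiveConnector -Server $HubServer |
    Where-Object { $_.Name -like "Default *" } |
    ForEach-Object {
        # AuthMechanism is a flags value; its string form reads "Tls, ExchangeServer, ..."
        $auth = $_.AuthMechanism.ToString() -split ",\s*"
        foreach ($required in @("Tls", "ExchangeServer")) {
            if ($auth -notcontains $required) {
                Write-Warning "$($_.Name): $required authentication is not enabled"
            } else {
                Write-Host "$($_.Name): $required authentication enabled"
            }
        }
    }
```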

Lastly, we can configure Antivirus scanning and file filtering settings. In this example I will enable three antivirus engines and configure file filtering to block .EXE files.

On the TMG server, open the TMG Management Console, click “E-Mail Policy”, then select the “Virus and Content Filtering” tab.

Click “Select AV Engines” on the Tasks pane. Select one or more engines from the list, then click “OK”.

Next, click the “Enabled” link below “File Filtering”. On the “File Filters” tab, click “Add”, and then on the General tab give the filter a meaningful name. You can apply the filter to inbound and/or outbound messages.

On the File Types tab, select “Microsoft Windows Executable”. Click “Apply”.

Confirm that the filter has been added and click “OK”.

Once done, click “Apply” to apply the settings.

To summarise, in this part of the series I configured my E-Mail Policy. I then created and verified a new Edge Subscription. I finished off by configuring Antivirus and creating a File Filter to block .EXE files.

In the next and final part of this series, I’ll look at how to securely publish Outlook Web App.