Deploying Microsoft Forefront Protection 2010 for Exchange Server

Post on 23-Aug-2020


Contents

Acknowledgments v
Introduction vii

Chapter 1 Planning Forefront Protection for Exchange Server 1
Understanding Forefront Protection for Exchange Server 1
Architecture 4
Software and Hardware Requirements 7
Performance Considerations 8
Edge Transport Role Considerations 9
Hub Transport Role Considerations 11
Mailbox Role Considerations 11
Administrator’s Punch List 12

Chapter 2 Installing and Configuring Forefront Protection for Exchange Server 13
Installing Forefront Protection for Exchange Server 13
Opening the Console 20
Configuring Forefront Protection for Exchange Server 21
Anti-Malware 21
Anti-Spam 32
Filters 38
Online Protection 51
Global Settings 52
Administrator’s Punch List 58

Chapter 3 Protecting your Mail System on the Edge with Forefront TMG Email Protection 59
Understanding the Forefront TMG Email Protection Feature 59
Software and Hardware Requirements 63
Installing and Configuring Email Protection 64
Installing Exchange 2010 Edge Transport Role 65
Installing Forefront Protection for Exchange Server 69
Email Protection Configuration 70
Administrator’s Punch List 77

About the Authors 79

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2010 by Yuri Diogenes and Dr. Thomas W. Shinder

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2010935905

Printed and bound in the United States of America.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Devon Musgrave
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design

Body Part No. X17-15051


Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/

What do you think of this book? We want to hear from you!


Acknowledgments

This Microsoft Forefront project took almost a year to write and resulted in three separate books about deploying Forefront products. Although the authors get lots of credit, there can be little doubt that we could not have even begun, much less completed, this book without the cooperation (not to mention the permission) of an incredibly large number of people.

It’s here that we’d like to take a few moments to express our gratitude to the folks who made it all possible.

With thanks…

To the folks at Microsoft Press, who made the process as smooth as they possibly could: Karen Szall, Devon Musgrave, and their crew.

To the Forefront Protection for Exchange CSS Team who helped us so much in shaping this book; with special thanks to: Ryan McGrath, Alexandre Hollanda, Dan Takata, Craig Wiand, and Neil Carpenter. Your rich contributions are highly appreciated.

From Yuri

First and foremost to God, for blessing my life, leading my way, and giving me the strength to take on the challenges as just another step in life. To my eternal supporter in all moments of my life: my wife Alexsandra. To my daughters who, although very young, understand when I close the office door and say, “I’m really busy.” Thanks for understanding. I love you, Yanne and Ysis.

To my friend Thomas Shinder, whom I was fortunate enough to meet three years ago. Thanks for shaping my writing skills and also contributing to my personal growth with your thoughts, advice, and guidance. Without a doubt, these long months working on this project were worth it, because of our amazing partnership. I can’t forget to thank the two other friends who wrote the Microsoft Forefront Threat Management Gateway Administrator’s Companion with me: Jim Harrison and Mohit Saxena. They were, without a doubt, the pillars of this writing career in which I’m now fully engaged. Thanks, guys. I also want to thank, as Jim says, “da Boyz”: Tim “Thor” Mullen, Steve Moffat, and Greg Mulholland. You guys are amazing. Thanks for sharing all the tales.

To all the folks from CSS Security who support Forefront Protection for Exchange on a daily basis, especially Andrew Davis, Jess Huber, John Moracho, and Bob Payton. You guys rock! Also, to my friends from the Exchange Team for their outstanding partnership, especially Vandy Rodrigues, Tim Heeney, Charlene Weber, Will Duff, Austin McCollum, Julio Vieira, and Mohammad Nadeem.

From Tom

As Yuri does, I acknowledge the blessings from God, who took “a fool like me” and guided me on a path that I never would have chosen on my own. The second most important acknowledgement I must make is to my beautiful wife, Deb Shinder, whom I consider my hand of God. Without her, I don’t know where I would be today, except that I know that the place wouldn’t be anywhere near as good as the place I am now.

I also want to acknowledge my good friend Yuri Diogenes, my co-writer on this project. Yuri really held this project together. I had just started working for Microsoft and was learning about the ins and outs of the Microsoft system, and I was also taking on a lot of detailed and complex projects alongside the writing of this book. Yuri helped keep me focused, spent a lot of time pointing me in the right direction, and essentially is responsible for enabling me to get done what I needed to get done. I have no doubt that, without Yuri guiding this effort, it probably never would have been completed.

Props go out to Jim Harrison, “the King of TMG,” as well as to Greg Mulholland, Steve Moffat, and Tim Mullen. You guys were the moral authority that drove us to completion. I also want to thank Mike Chan for giving me the opportunity to work as a Technical Account Manager (TAM) for the Business Productivity Online Suite (BPOS) prior to my working for Microsoft.


Introduction

When we began this project, our intent was to create a real-world scenario that would guide IT professionals in using Microsoft best practices to deploy Microsoft Forefront Protection for Exchange Server (FPE) 2010. We hope you find that we have achieved that goal. We’ve also included a thorough explanation of the architectural side of the product, which we consider an advantage for you, because the explanation of the technical details was reviewed by engineers who work directly on the FPE team at Microsoft Customer Service and Support (CSS).

This book provides administrative procedures, tested design examples, quick answers, and tips. In addition, it covers some of the most common deployment scenarios and describes ways to take full advantage of the product’s capabilities. It covers pre-deployment tasks, software and hardware requirements, performance considerations, and installation and configuration, using best practice recommendations.

Who Is This Book For?

Deploying Microsoft Forefront Protection for Exchange Server 2010 covers FPE in an Exchange Server 2010 environment. This book is designed for:

■ Administrators who are deploying FPE
■ Administrators who are experienced with Windows Server 2008 and Exchange Server 2010
■ Current Forefront Security for Exchange administrators
■ Administrators who are new to FPE
■ Technology specialists, such as messaging administrators and security administrators

Because this book is limited in size and we want to provide you with the maximum value, we assume a basic knowledge of Windows Server 2008, Active Directory, and Exchange Server. These technologies are not discussed in detail, but this book contains material on all of these topics as they relate to Forefront Protection for Exchange’s administrative tasks.


How Is This Book Organized?

Deploying Microsoft Forefront Protection for Exchange Server 2010 is written to be a deployment guide and to serve as a source of architectural information related to the product. The book is organized in such a way that you can follow the steps to plan and deploy the product. The steps are based on a deployment scenario for the company Contoso. As you go through the steps, you will also notice tips for best practices implementation. At the end of each chapter, you will see an “Administrator’s Punch List,” in which you will find a summary of the main administrative tasks that were covered throughout the chapter. This is a quick checklist to help you review the main deployment tasks.

The book is organized into three chapters to cover three deployment topics: planning, installation and configuration, and using the Microsoft Forefront Threat Management Gateway (TMG) for email protection.

We really hope you find the Deploying Microsoft Forefront Protection for Exchange Server 2010 useful and accurate. We have an open door policy for email at mspress.fpebook@tacteam.net, and you can contact us through our personal blogs and Twitter accounts:

■ http://blogs.technet.com/yuridiogenes and http://blogs.technet.com/tomshinder
■ http://twitter.com/yuridiogenes and http://twitter.com/tshinder

Support for This Book

Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media website. To find Microsoft Press book and media corrections:

1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book, and click Search.
3. Select the book from the search results, which will take you to the book’s catalog page.
4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.

If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.


We Want to Hear from You

We welcome your feedback about this book. Please share your comments and ideas through the following short survey:

http://www.microsoft.com/learning/booksurvey

Your participation helps Microsoft Press create books that better meet your needs and your standards.

NOTE We hope that you will give us detailed feedback in our survey. If you have questions about our publishing program, upcoming titles, or Microsoft Press in general, we encourage you to interact with us using Twitter at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown earlier.


CHAPTER 3

Protecting your Mail System on the Edge with Forefront TMG Email Protection

■ Understanding the Forefront TMG Email Protection Feature 59
■ Software and Hardware Requirements 63
■ Installing and Configuring Email Protection 64

While maintaining a secure messaging infrastructure within your network is important, having a central repository for the configuration for your Edge role also has value. With Microsoft Forefront Threat Management Gateway (TMG) 2010, a new concept of email protection was introduced that combines the three main products that can help protect the network and the messaging infrastructure in a single management console. In this chapter you will learn how the email protection feature works and how to configure it on Forefront TMG.

NOTE You can find detailed information about Forefront TMG in Microsoft Forefront Threat Management Gateway (TMG) Administrator’s Companion (Microsoft Press, 2010).

Understanding the Forefront TMG Email Protection Feature

Forefront TMG comes with a new feature called email protection. This feature allows the integration of three major components of Microsoft’s protection and messaging solution, which are: the Edge Transport role of Microsoft Exchange 2010, Microsoft Forefront Protection for Exchange Server (FPE), and Forefront TMG. Figure 3-1 shows the main components of this solution.

60 CHAPTER 3 Protecting your Mail System on the Edge with Forefront TMG Email Protection

FIGURE 3-1

The TMG Filter driver (FWENG) is the first component to receive email traffic (in a bottom to top approach). FWENG runs in kernel mode, and it performs the initial inspection of a packet. Once this inspection is done, and assuming that the traffic is allowed, the packet is identified as belonging to the Email Protection component because it is an email. At this point, the Exchange Edge components take over and process the request via the Exchange Edge Receive Connector.

A series of inspections are done on the Exchange side, according to the system configuration, and then the traffic is handed over to the FPE component. This component determines whether or not the message is spam, and it scans the message using other tests. Assuming that the inspection completes successfully and the traffic is allowed, the Send connector of the Exchange Edge Transport role is used to send the message through the TMG Filter driver again, for the final outbound inspection, before it goes to the destination. Table 3-1 shows the core components of the protection and indicates the product or products that handle each component.

TABLE 3-1 Component breakdown

FEATURES                                 EXCHANGE EDGE ROLE   FOREFRONT PROTECTION FOR EXCHANGE
IP Allow/Block Lists                     X                    X
IP Allow/Block List Providers            X (Custom)           X (DNS Block List or DNSBL)
Sender/Recipient Filtering, Sender ID    X                    X
Sender Reputation                        X
Basic Content Filtering (SmartScreen)    X
Premium Anti-spam (Cloudmark)                                 X
File Filtering                                                X
Message Body Filtering                                        X
Antivirus and Antispyware                                     X

After installing Forefront TMG, a new service called Microsoft Forefront TMG Managed Control Services is created. This service is responsible for handling the managed code portion of TMG, which is used for Exchange configuration and other managed code. This service monitors the state of the configuration to make sure that what is configured on the TMG interface and what is present on Exchange Edge and FPE are in sync.

TMG will poll the Exchange configuration periodically and compare it to its own configuration. If there is a mismatch, TMG will reconfigure Exchange to match its own configuration. TMG checks only those Exchange configuration elements of which it is aware; it ignores settings that are not set up through the TMG console. If a configuration can’t be set, TMG alerts the administrator. In the case of the Edge Subscription, the polling takes into account the fact that only part of the configuration is controlled by Forefront TMG, and the part not controlled by Forefront TMG will not be polled.

In summary, the default behavior of the Forefront TMG is as follows:

■ Changes of email policy are done only through the Forefront TMG console.
■ The TMG Managed Control Service will identify those changes and replicate them with the other components (Exchange Edge and Forefront Protection for Exchange).
■ If the administrator makes changes directly on Exchange Edge through the Exchange management console, those changes will be overwritten by the settings on the Forefront TMG Console.
■ An alert will appear on Forefront TMG, warning that the email policy changed and that the configuration will be reapplied.

NOTE When Exchange 2010 SP1 was released, some cmdlets were removed, causing TMG Managed Control Service to fail to start. For more information on this behavior, see http://blogs.technet.com/b/isablog/archive/2010/09/01/problems-when-installing-exchange-2010-service-pack-1-on-a-tmg-configured-for-mail-protection.aspx.

■ Changes that are processed through Exchange PowerShell cmdlets can cause the TMG Managed Control Service to fail to start, with the error 0x80070057. The workaround for this is to undo those changes using Windows PowerShell cmdlets.

NOTE It is expected that this behavior will be changed on Forefront TMG SP1 Update 1. With Update 1, the changes made via Exchange Edge console or Windows PowerShell will be merged and the TMG Managed Control service shouldn’t fail in such circumstances.


Each of the three products that comprise the email protection solution on Forefront TMG requires its own license. In other words, you will need a license for Exchange Edge and a license for Forefront Protection for Exchange, in addition to the license that you should already have for Forefront TMG. The solution is vendor-independent in the sense that it can protect any SMTP server that is behind TMG. You can have a non-Microsoft messaging solution in the internal organization and use the Forefront TMG email protection feature on the Edge to protect the messaging environment. The only feature that will not work in this case is the Exchange Edge Subscription because it requires Exchange on the back end to work. Figure 3-2 shows a network that has two email solutions and is using Email Protection on the Edge to filter the traffic.

FIGURE 3-2

NOTE  The most common questions and answers about this solution can be found in “Understanding E-Mail Protection on Forefront TMG,” at http://technet.microsoft.com/en-us/library/ee338733.aspx.


Software and Hardware Requirements

There are software and hardware prerequisites that must be met to enable the Email Protection feature on Forefront TMG. For hardware, you should start by assessing your environment’s needs and traffic profile. Once you have all the information related to those two main elements you can use the Forefront TMG Capacity Planning tool. Figure 3-3 shows the Capacity Planning tool and the feature list in which you can indicate that the Mail Protection feature is going to be enabled in this deployment.

NOTE You can download the Forefront Threat Management Gateway 2010 Capacity Planning tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=01b2f7a5-8165-4ead-9693-994504f66449&displaylang=en.

FIGURE 3-3

The software requirements are a bit more diverse and need to be carefully planned. Table 3-2 shows the software needed and supported for the Email Protection feature to work on Forefront TMG.


TABLE 3-2 Software requirements for the Enable Email Protection feature

SOFTWARE                                   VERSION    SUPPORTABILITY   SUPPORTED PLATFORM
Exchange Edge Role                         2007 RTM   Not supported    NA
Exchange Edge Role                         SP2        Supported        Windows Server 2008 SP2* or R2
Exchange Edge Role                         2010       Supported        Windows Server 2008 SP2 or R2
Forefront Protection for Exchange Server   2010       Supported        Windows Server 2008 SP2 or R2
Forefront TMG                              MBE        Not supported    NA
Forefront TMG                              2010       Supported        Windows Server 2008 SP2 or R2

* The Exchange team changed the supportability statement on this in November 2009. For more information, see http://msexchangeteam.com/archive/2009/11/04/453026.aspx and http://msexchangeteam.com/archive/2009/11/30/453327.aspx.

It is important to emphasize that each piece of software that is listed in Table 3-2 has its own prerequisites list that you will need in order to install that software. If you don’t have Forefront TMG installed yet and want to build the complete solution, the steps below are necessary to enable the Email Protection capability:

1. Install Active Directory Lightweight Directory Services (AD LDS).
2. Install the Exchange Server Edge Transport role.
3. Install Forefront Protection for Exchange Server.
4. Install Forefront TMG.

NOTE  To install the Exchange 2010 software prerequisites, see the article “Exchange 2010 Prerequisites” at http://technet.microsoft.com/en-us/library/bb691354.aspx.

Installing and Configuring Email Protection

For the purpose of this instruction, the topology shown in Figure 3-4 will be used to perform the installation of the Exchange Edge role and Forefront Protection for Exchange Server. This scenario assumes that Forefront TMG is already installed.


FIGURE 3-4

NOTE  If you are installing Forefront TMG on a standalone server in a workgroup, it will be necessary to configure the DNS suffix for the server under the computer’s Properties, Advanced System Settings.

Installing Exchange 2010 Edge Transport Role

Complete the following steps to install the Exchange Edge Transport role on an existing Forefront TMG installation:

1. Insert the Exchange 2010 DVD and run the setup.msi. The Welcome page, shown in Figure 3-5, appears.


FIGURE 3-5

2. Steps 1 and 2 are grayed and no longer available, because those prerequisites are already met. Click Step 3: Choose Exchange Language Option, and then choose Install Only Languages From The DVD.
3. Click Step 4: Install Microsoft Exchange, to start the Exchange 2010 Setup Wizard. On the Introduction page, click Next to continue.
4. On the License Agreement page, read the license terms, click I Accept The Terms In The License Agreement, and then click Next to proceed.
5. On the Error Reporting page, you can either enable or disable Error Reporting. Click Yes (Recommended) to enable Error Reporting, and then click Next to continue.
6. On the Exchange Server 2010 Setup page, shown in Figure 3-6, select the Installation Type. Click Custom Exchange Server Installation, and then click Next.


FIGURE 3-6

7. On the Server Role Selection page, click Edge Transport Role, as shown in Figure 3-7, and then click Next.

FIGURE 3-7

8. The Customer Experience Improvement Program page, which appears next, lets you indicate whether you want to participate in this program. Make a selection, and then click Next.


9. The Exchange Server 2010 Setup Wizard starts the Readiness Checks, which verify that all the prerequisites have been met for the selected role, in this case, Edge Transport. If all prerequisites are in place, the Readiness Checks page appears as shown in Figure 3-8. Click Install to proceed.

FIGURE 3-8

10. Once the installation is finished, the Exchange Server 2010 Setup Wizard displays the Completion page, shown in Figure 3-9. Clear the Finalize This Installation Using The Exchange Management Console check box, and then click Finish.

FIGURE 3-9


11. On the Welcome page, shown in Figure 3-5, click Step 5: Get Critical Updates For Microsoft Exchange.
12. After installing the updates, click Close.

Installing Forefront Protection for Exchange Server

The steps to install Forefront Protection for Exchange Server are described in Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server.” The only difference here is that you will launch the FPE installation directly from the Forefront TMG setup screen. Once you insert the Forefront TMG DVD, autorun launches the setup. Choose Install Microsoft Forefront Protection 2010 For Exchange Server, as shown in Figure 3-10.

FIGURE 3-10

Then follow the steps detailed in Chapter 2.

NOTE  Installing FPE from this window—that is, downloading from the Web site—is not required, although it is an option. You can install FPE directly from the installation CD. 


Email Protection Configuration

When configuring Email Protection on Forefront TMG, the first step after the installation of all prerequisites is to configure SMTP Routes. These routes will be responsible for creating the Exchange inbound and outbound connectors. After the routes are configured, you can enable spam filtering and virus and content filtering.

Email Policy

To configure the Email Policy, you will need:

■ The name/IP address of the Exchange Hub Transport Server.
■ The name of the MX record that will be used for the SMTP server.

You will also need to define:

■ The TMG network interface that will communicate with this Exchange Hub Transport Server.
■ The TMG network interface that will communicate with the Internet, as well as the IP address that will be used to publish the SMTP to the outside world.

When you have this information, you are ready to start the Email Policy configuration:

1. Open the Forefront TMG Management Console, click Email Policy, and, in the Tasks pane on the right side of the console, click Configure Email Policy.
2. On the Welcome To The Email Policy Wizard page, click Next.
3. The Internal Mail Server Configuration step allows you to define two options: the internal mail server to which TMG will send emails, and the domain from which TMG will accept messages.
   a. Click Add beside Internal Mail Servers, and add the Computer Name and IP Address for the Exchange 2007 Hub Transport Server; for this scenario (shown earlier in Figure 3-4), type 10.20.20.11.
4. Beside Accepted Authoritative Domains, click Add, and add the name of the domain that will accept messages; for this scenario type *.contoso.com, as shown in Figure 3-11. If you have multiple domains within your organization, you can enter the names of all of those domains in this box.
   a. Click Next to proceed.


FIGURE 3-11

5. On the Internal Email Listener Configuration page, you define the network interface that TMG will use to communicate with the Exchange Hub Transport Server. For this example, select Internal, as shown in Figure 3-12, and then click Next.

FIGURE 3-12

6. On the External Email Listener Configuration page, select the interface that will connect with the Internet; in this case, select External. If you have multiple IP addresses on the External interface, you can click Select Addresses and specify an individual IP address that will be used to listen on port 25. In the FQDN Or IP Address box, enter the FQDN that will appear as the response to a HELO or EHLO SMTP command; in this case, type mail.contoso.com, as shown in Figure 3-13.


FIGURE 3-13

7. On the Email Policy Configuration page, leave Enable Spam Filtering and Enable Virus And Content Filtering enabled. (These options are discussed in more detail in the “Virus and Content Filtering” section later in this chapter.) Click Next, and then click Finish to conclude the wizard.
8. An informational window appears asking if you want to enable the System policy to allow the SMTP traffic. Click Yes to continue. The Email Policy tab (Figure 3-14) should now show the two SMTP Routes that were created.

FIGURE 3-14

9. Click Apply, type a description of this change, click Apply, and then click OK.
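The settings entered in the wizard are pushed by Forefront TMG to the Exchange Edge Transport role as an accepted domain and as receive and send connectors. The following Exchange Management Shell script is an added check and is not part of the book or of either product: run on the Edge Transport server after the policy has been applied, it confirms that the objects on the Edge role match what was typed into the wizard. It uses only Get-* cmdlets, because the chapter warns that changes made with Exchange cmdlets are overwritten by TMG or can stop the TMG Managed Control Service from starting. The values 10.20.20.11, *.contoso.com, and mail.contoso.com are this chapter's scenario values; the names TMG gives the connectors are not documented here, so the script matches on FQDN, port, smart host, and address space rather than on connector names, which is an assumption about how the objects look.

```powershell
# Added example (not from the book). Read-only verification, run in the Exchange
# Management Shell on the Edge Transport server after the Email Policy has been applied.
# Only Get-* cmdlets are used: the chapter warns that changes made with Exchange cmdlets
# are overwritten by TMG or can stop the TMG Managed Control Service from starting.
# The expected values are this chapter's scenario; change them for your own deployment.

$expectedHub    = '10.20.20.11'       # Hub Transport server entered in the wizard (step 3a)
$expectedDomain = '*.contoso.com'     # accepted authoritative domain (step 4)
$expectedFqdn   = 'mail.contoso.com'  # FQDN the external listener answers HELO/EHLO with (step 6)

$findings = @()

# 1. The accepted authoritative domain must exist on the Edge role.
$domain = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $expectedDomain }
if ($domain) {
    $findings += "OK   accepted domain $expectedDomain (type: $($domain.DomainType))"
} else {
    $findings += "FAIL accepted domain $expectedDomain not found on the Edge role"
}

# 2. Inbound: a receive connector bound to TCP 25 that advertises the expected FQDN.
$inbound = Get-ReceiveConnector | Where-Object {
    "$($_.Fqdn)" -eq $expectedFqdn -and
    (@($_.Bindings | ForEach-Object { $_.Port }) -contains 25)
}
foreach ($rc in $inbound) {
    # Report the permission groups: the Internet-facing connector needs anonymous
    # access for external MTAs, and that is worth seeing explicitly in the output.
    $findings += "OK   receive connector '$($rc.Name)' on $($rc.Bindings -join ', '); " +
                 "permission groups: $($rc.PermissionGroups)"
}
if (-not $inbound) {
    $findings += "FAIL no receive connector on port 25 advertising FQDN $expectedFqdn"
}

# 3. Inbound to the organization: a send connector that smart-hosts to the Hub Transport server.
#    SmartHost.ToString() renders an IP address as "[10.20.20.11]", hence the escaped regex match.
$toHub = Get-SendConnector | Where-Object {
    ($_.SmartHosts | ForEach-Object { $_.ToString() }) -match [regex]::Escape($expectedHub)
}
if ($toHub) {
    foreach ($sc in $toHub) {
        $findings += "OK   send connector '$($sc.Name)' -> $($sc.SmartHosts -join ', '); " +
                     "address spaces: $($sc.AddressSpaces -join ', ')"
    }
} else {
    $findings += "FAIL no send connector smart-hosting to $expectedHub"
}

# 4. Outbound to the Internet: a send connector for the '*' address space with no smart host
#    (DNS routing). Its absence means outbound mail is either relayed elsewhere or not configured.
$toInternet = Get-SendConnector | Where-Object {
    (@($_.AddressSpaces | ForEach-Object { $_.Address }) -contains '*') -and
    ($_.SmartHosts.Count -eq 0)
}
if ($toInternet) {
    $findings += "OK   Internet send connector '$(@($toInternet)[0].Name)' uses DNS routing"
} else {
    $findings += "WARN no send connector for '*' without a smart host"
}

$findings
```

Run it again after each Apply in the TMG console; because the TMG Managed Control Service re-applies its own policy to the Edge role, a FAIL line that persists points at the TMG side of the configuration, not at Exchange.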

Forefront TMG will update the Exchange Edge Transport configuration and will create receive and send connectors based on the settings that were selected in the Email Policy Wizard. For a better management experience between Edge and Hub Transport, enable EdgeSync traffic by following these steps:

1. In the Tasks pane on the right, select the Enable Connectivity For EdgeSync Traffic option. A window appears informing you that system policies will be enabled to allow this communication. TMG does this automatically by enabling system policy 47 (Allow LDAP/LDAPS traffic to the local host for the Exchange Server EdgeSync synchronization process). Click OK to continue.
2. In the Tasks pane, click Generate Edge Subscription Files, choose the location to which you will save this file, and then click OK.
3. When the file is successfully exported, an informational window appears saying that the Edge Subscription was created in the location that you chose. Click OK to continue.
4. Right-click Internal_Mail_Servers in the Email Policy pane, and then click Properties.
5. Click the Listener tab, and then click Advanced.
6. Make sure to configure an authentication method that matches the method used by Exchange Hub Transport. The most common authentication method combines Transport Layer Security (TLS) and Exchange Server Authentication, as shown in Figure 3-15.

FIGURE 3-15

7. Click OK twice, click Apply, type a description of this change, click Apply, and then click OK.
8. Copy the Edge subscription file created in Step 2 to the Exchange Hub Transport Server. Then, on that server, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
9. On the Hub Transport actions pane, click New Edge Subscription. Next to the Active Directory Site box, click Browse, and then select Default-First-Site-Name. Next to the Subscription File box, click Browse, and then choose the file generated by Forefront TMG, as shown in Figure 3-16. Click New to conclude.


FIGURE 3-16

10. On the Completion page, review the results, and then click Finish.
11. Click the Send Connectors tab, right-click EdgeSync – Inbound To Default-First-Site-Name, and then choose Properties.
12. Click the Network tab, and then click Change.
13. Make sure that the authentication method selected here matches at least one authentication method that was selected in Step 6. Exchange Server Authentication is selected by default. Click OK twice to conclude.
14. To force the synchronization, open the Exchange Management Shell prompt, type Start-EdgeSynchronization, and press Enter.

NOTE For more information on the EdgeSync service on Exchange, read “Understanding the EdgeSync Synchronization Process,” at http://technet.microsoft.com/en-us/library/bb232180(EXCHG.80).aspx.
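Step 14 forces a synchronization but does not by itself tell you whether EdgeSync is healthy or whether the inbound connector authenticates the way steps 11 through 13 require. The script below is an added example, not the book's or either product's code; it runs in the Exchange Management Shell on the Hub Transport server after the subscription has been imported, forces one synchronization as step 14 does, and then reports the EdgeSync status and the authentication mechanism of the EdgeSync send connector. The site name Default-First-Site-Name is the one used in the chapter; the connector name pattern "EdgeSync - Inbound to <site>" is what Exchange creates for an Edge Subscription, and matching on it with a wildcard is an assumption made here rather than something the book documents.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell on the Hub
# Transport server after the Edge Subscription has been imported (steps 8 through 14).
# Apart from Start-EdgeSynchronization (which step 14 runs anyway) everything is read-only.

$site = 'Default-First-Site-Name'   # Active Directory site chosen in step 9

# 1. Confirm the subscription exists and which Edge server(s) it points at.
$subs = Get-EdgeSubscription
if (-not $subs) {
    throw "No Edge Subscription found; import the subscription file generated by Forefront TMG first."
}
$subs | Format-Table Name, Site -AutoSize

# 2. Force a synchronization (step 14), then test the result.
Start-EdgeSynchronization | Out-Null
$results = Test-EdgeSynchronization

foreach ($r in $results) {
    $state = if ($r.SyncStatus -eq 'Normal') { 'OK  ' } else { 'FAIL' }
    "$state $($r.Name): status $($r.SyncStatus), last synchronized $($r.LastSynchronizedUtc) UTC"
    if ($r.SyncStatus -ne 'Normal') {
        # FailureDetails is filled in when the Hub cannot reach or authenticate to the Edge
        # (the LDAP/LDAPS system policy in step 1 and the credentials in the subscription file
        # are the usual suspects). A lease held by another Hub server is not a failure by itself.
        "     details: $($r.FailureDetails) (lease holder: $($r.LeaseHolder))"
    }
}

# 3. The send connector EdgeSync created for mail from the Edge into this site (step 11)
#    should use Exchange Server Authentication (step 13), so the Edge cannot be impersonated
#    by an arbitrary SMTP host on the internal network.
$edgeInbound = Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*Inbound to $site*" }
foreach ($sc in $edgeInbound) {
    $auth  = $sc.SmartHostAuthMechanism
    $state = if ($auth -eq 'ExchangeServer') { 'OK  ' } else { 'WARN' }
    "$state $($sc.Name): smart host authentication is $auth (expected ExchangeServer)"
}
if (-not $edgeInbound) {
    "FAIL no 'EdgeSync - Inbound to $site' send connector; the subscription may not have synchronized yet"
}
```

Schedule the read-only part (everything after Start-EdgeSynchronization) from a monitoring job if you want an early warning: the chapter notes that TMG does not poll the part of the Edge configuration it does not own, so a broken subscription will not surface as a TMG alert.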

Spam Filtering

The Spam Filtering options on Forefront TMG, as shown in Figure 3-17, are the same spam filtering options that are available on the Exchange Edge role, as shown in Figure 3-18.


FIGURE 3-17

FIGURE 3-18

The anti-spam options that are available on the Edge role and configured by TMG are:

■ Content Filtering Filters emails based on the settings that you define for the content inspection.
■ IP Allow List Lets you specify one or more IP addresses that are considered to be trusted and should always be allowed to send email.
■ IP Allow List Providers Lets you maintain a list of IP addresses that are known not to be associated with any type of spam activity.
■ IP Block List Lets you specify one or more IP addresses that should never be allowed to establish an SMTP connection with TMG.
■ IP Block List Providers Lets you specify providers that are known to send (or are suspected of sending) spam.
■ Recipient Filtering Lets you specify a list of email addresses or a distribution list that would like to receive emails from outside your organization.


■ Sender Filtering Lets you block a source address from sending messages to your organization.
■ Sender ID Verifies the source of a message to determine whether the organization is what it claims to be.
■ Sender Reputation Relies on persistent data about the sender to determine what action, if any, to take when an inbound message arrives.
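Because these options are the Edge role's own anti-spam agents and TMG is the source of truth for them, the quickest way to see what has actually been applied (and to compare it against the TMG console when troubleshooting) is to read the agent configuration on the Edge server. The following Exchange Management Shell script is an added example and is not code from the book or from either product; it maps each option listed above to the standard Exchange 2010 Get-*Config cmdlet that reads it, and modifies nothing. The column and property names are the cmdlets' own; the report layout is this example's.

```powershell
# Added example (not from the book). Read-only inventory of the anti-spam agents listed
# above, run in the Exchange Management Shell on the Edge Transport server. Nothing is
# modified: the chapter notes that TMG overwrites direct changes made on the Edge role.

# Map each option on the TMG Spam Filtering page to the cmdlet that reads its Edge configuration.
$agents = @(
    @{ Option = 'Content Filtering';       Read = { Get-ContentFilterConfig } }
    @{ Option = 'IP Allow List';           Read = { Get-IPAllowListConfig } }
    @{ Option = 'IP Allow List Providers'; Read = { Get-IPAllowListProvidersConfig } }
    @{ Option = 'IP Block List';           Read = { Get-IPBlockListConfig } }
    @{ Option = 'IP Block List Providers'; Read = { Get-IPBlockListProvidersConfig } }
    @{ Option = 'Recipient Filtering';     Read = { Get-RecipientFilterConfig } }
    @{ Option = 'Sender Filtering';        Read = { Get-SenderFilterConfig } }
    @{ Option = 'Sender ID';               Read = { Get-SenderIdConfig } }
    @{ Option = 'Sender Reputation';       Read = { Get-SenderReputationConfig } }
)

# Every agent config exposes Enabled plus whether it applies to external (unauthenticated,
# i.e. Internet) and internal (authenticated) sources; on an Edge role external is what matters.
$report = foreach ($a in $agents) {
    $cfg = & $a.Read
    New-Object PSObject -Property @{
        Option   = $a.Option
        Enabled  = $cfg.Enabled
        External = $cfg.ExternalMailEnabled
        Internal = $cfg.InternalMailEnabled
    }
}
$report | Format-Table Option, Enabled, External, Internal -AutoSize

# Details an administrator usually wants next to the on/off state.
"`nIP Block List Providers queried:"
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled, Priority -AutoSize
"IP Allow List Providers queried:"
Get-IPAllowListProvider | Format-Table Name, LookupDomain, Enabled, Priority -AutoSize

# Content filter thresholds decide whether a message is rejected, quarantined, or deleted.
$cf = Get-ContentFilterConfig
"Content filter thresholds: reject at SCL $($cf.SCLRejectThreshold) (enabled: $($cf.SCLRejectEnabled)), " +
"quarantine at SCL $($cf.SCLQuarantineThreshold) (enabled: $($cf.SCLQuarantineEnabled)), " +
"delete at SCL $($cf.SCLDeleteThreshold) (enabled: $($cf.SCLDeleteEnabled))"
if ($cf.SCLQuarantineEnabled -and -not $cf.QuarantineMailbox) {
    "WARN quarantine is enabled but no quarantine mailbox is set; quarantined mail would be lost"
}

# Static IP entries, which TMG maintains from its IP Allow List / IP Block List settings.
"`nStatic IP block list entries: $(@(Get-IPBlockListEntry).Count)"
"Static IP allow list entries: $(@(Get-IPAllowListEntry).Count)"
```

Keep a copy of the output from a known-good state; a later diff against it is the fastest way to tell whether a change seen on the Edge came from the TMG console (expected) or from somewhere else, which is exactly the situation the chapter says leads to the policy being reapplied and an alert being raised.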

NOTE  You can find more information about the Spam Filtering option in MicrosoftForefrontThreatManagementGateway(TMG)Administrator’sCompanion (Microsoft Press, 2010), Chapter 19, “Enhancing E-Mail Protection.” 

Virus and Content Filtering

The Virus and Content Filtering options in TMG, shown in Figure 3-19, are the same as the options that were described in Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server.”

FIGURE 3-19

NOTE  Refer to Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server,” for more information about the File Filtering, Virus Filtering, and Message Body Filtering options.


Administrator’s Punch List

In this chapter, you learned about the way the Email Protection feature works, and the way Forefront TMG integrates with the Exchange Edge role and with Forefront Protection for Exchange Server to improve your administrative experience. When deploying Email Protection on Forefront TMG, keep the following points in mind:

■ Although there is a single point of configuration for Email Protection, it is important that you understand the boundaries of each product in order to better configure the protection and troubleshoot any problems.
■ Planning before deployment is always the best practice to follow. Be sure to use the Forefront TMG Capacity Planning tool to correctly size your Email Protection solution.
■ Keep in mind that you will need a license for Exchange Edge and a license for Forefront Protection for Exchange, in addition to the license for Forefront TMG, to enable the Email Protection feature on the Edge.
■ If you are deploying Forefront TMG or SP1, do not use Exchange PowerShell cmdlets to make changes, so that you are sure to avoid problems on the Forefront TMG Managed Control Service.
■ The installation process for the Exchange Edge Transport role and Forefront Protection for Exchange Server is the same as the process specified in the product documentation.
■ To allow a better experience while administering Exchange Hub Transport and Exchange Edge, be sure to enable the EdgeSync subscription.
