Deploying Microsoft Forefront Protection 2010 for Exchange Server
Contents
Acknowledgments v
Introduction vii
CHAPTER 1 Planning Forefront Protection for Exchange Server 1
Understanding Forefront Protection for Exchange Server 1
Architecture 4
Software and Hardware Requirements 7
Performance Considerations 8
Edge Transport Role Considerations 9
Hub Transport Role Considerations 11
Mailbox Role Considerations 11
Administrator’s Punch List 12
CHAPTER 2 Installing and Configuring Forefront Protection for Exchange Server 13
Installing Forefront Protection for Exchange Server 13
Opening the Console 20
Configuring Forefront Protection for Exchange Server 21
Anti-Malware 21
Anti-Spam 32
Filters 38
Online Protection 51
Global Settings 52
Administrator’s Punch List 58
CHAPTER 3 Protecting your Mail System on the Edge with Forefront TMG Email Protection 59
Understanding the Forefront TMG Email Protection Feature 59
Software and Hardware Requirements 63
Installing and Configuring Email Protection 64
Installing Exchange 2010 Edge Transport Role 65
Installing Forefront Protection for Exchange Server 69
Email Protection Configuration 70
Administrator’s Punch List 77
About the Authors 79
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2010 by Yuri Diogenes and Dr. Thomas W. Shinder
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2010935905
Printed and bound in the United States of America.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/[email protected].
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Devon Musgrave
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design
Body Part No. X17-15051
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:
www.microsoft.com/learning/booksurvey/
What do you think of this book? We want to hear from you!
Acknowledgments
This Microsoft Forefront project took almost a year to write and resulted in three separate books about deploying Forefront products. Although the authors get lots of credit, there can be little doubt that we could not have even begun, much less completed, this book without the cooperation (not to mention the permission) of an incredibly large number of people.
It’s here that we’d like to take a few moments to express our gratitude to the folks who made it all possible.
With thanks…
To the folks at Microsoft Press, who made the process as smooth as they possibly could: Karen Szall, Devon Musgrave, and their crew.
To the Forefront Protection for Exchange CSS Team who helped us so much in shaping this book; with special thanks to: Ryan McGrath, Alexandre Hollanda, Dan Takata, Craig Wiand, and Neil Carpenter. Your rich contributions are highly appreciated.
From Yuri
First and foremost to God, for blessing my life, leading my way, and giving me the strength to take on the challenges as just another step in life. To my eternal supporter in all moments of my life: my wife Alexsandra. To my daughters who, although very young, understand when I close the office door and say, “I’m really busy.” Thanks for understanding. I love you, Yanne and Ysis.
To my friend Thomas Shinder, whom I was fortunate enough to meet three years ago. Thanks for shaping my writing skills and also contributing to my personal growth with your thoughts, advice, and guidance. Without a doubt, these long months working on this project were worth it, because of our amazing partnership. I can’t forget to thank the two other friends who wrote the Microsoft Forefront Threat Management Gateway Administrator’s Companion with me: Jim Harrison and Mohit Saxena. They were, without a doubt, the pillars of this writing career in which I’m now fully engaged. Thanks, guys. I also want to thank, as Jim says, “da Boyz”: Tim “Thor” Mullen, Steve Moffat, and Greg Mulholland. You guys are amazing. Thanks for sharing all the tales.
To all the folks from CSS Security who support Forefront Protection for Exchange on a daily basis, especially Andrew Davis, Jess Huber, John Moracho, and Bob Payton. You guys rock! Also, to my friends from the Exchange Team for their outstanding partnership, especially Vandy Rodrigues, Tim Heeney, Charlene Weber, Will Duff, Austin McCollum, Julio Vieira, and Mohammad Nadeem.
From Tom
As Yuri does, I acknowledge the blessings from God, who took “a fool like me” and guided me on a path that I never would have chosen on my own. The second most important acknowledgement I must make is to my beautiful wife, Deb Shinder, whom I consider my hand of God. Without her, I don’t know where I would be today, except that I know that the place wouldn’t be anywhere near as good as the place I am now.
I also want to acknowledge my good friend Yuri Diogenes, my co-writer on this project. Yuri really held this project together. I had just started working for Microsoft and was learning about the ins and outs of the Microsoft system, and I was also taking on a lot of detailed and complex projects alongside the writing of this book. Yuri helped keep me focused, spent a lot of time pointing me in the right direction, and essentially is responsible for enabling me to get done what I needed to get done. I have no doubt that, without Yuri guiding this effort, it probably never would have been completed.
Props go out to Jim Harrison, “the King of TMG,” as well as to Greg Mulholland, Steve Moffat, and Tim Mullen. You guys were the moral authority that drove us to completion. I also want to thank Mike Chan for giving me the opportunity to work as a Technical Account Manager (TAM) for the Business Productivity Online Suite (BPOS) prior to my working for Microsoft.
Introduction
When we began this project, our intent was to create a real-world scenario that would guide IT professionals in using Microsoft best practices to deploy Microsoft Forefront Protection for Exchange Server (FPE) 2010. We hope you find that we have achieved that goal. We’ve also included a thorough explanation of the architectural side of the product, which we consider an advantage for you, because the explanation of the technical details was reviewed by engineers who work directly on the FPE team at Microsoft Customer Service and Support (CSS).
This book provides administrative procedures, tested design examples, quick answers, and tips. In addition, it covers some of the most common deployment scenarios and describes ways to take full advantage of the product’s capabilities. It covers pre-deployment tasks, software and hardware requirements, performance considerations, and installation and configuration, using best practice recommendations.
Who Is This Book For?
Deploying Microsoft Forefront Protection for Exchange Server 2010 covers FPE in an Exchange Server 2010 environment. This book is designed for:
■ Administrators who are deploying FPE
■ Administrators who are experienced with Windows Server 2008 and Exchange Server 2010
■ Current Forefront Security for Exchange administrators
■ Administrators who are new to FPE
■ Technology specialists, such as messaging administrators and security administrators
Because this book is limited in size and we want to provide you with the maximum value, we assume a basic knowledge of Windows Server 2008, Active Directory, and Exchange Server. These technologies are not discussed in detail, but this book contains material on all of these topics as they relate to Forefront Protection for Exchange’s administrative tasks.
How Is This Book Organized?
Deploying Microsoft Forefront Protection for Exchange Server 2010 is written to be a deployment guide and to serve as a source of architectural information related to the product. The book is organized in such a way that you can follow the steps to plan and deploy the product. The steps are based on a deployment scenario for the company Contoso. As you go through the steps, you will also notice tips for best practices implementation. At the end of each chapter, you will see an “Administrator’s Punch List,” in which you will find a summary of the main administrative tasks that were covered throughout the chapter. This is a quick checklist to help you review the main deployment tasks.
The book is organized into three chapters to cover three deployment topics: planning, installation and configuration, and using the Microsoft Forefront Threat Management Gateway (TMG) for email protection.
We really hope you find the Deploying Microsoft Forefront Protection for Exchange Server 2010 useful and accurate. We have an open door policy for email at [email protected], and you can contact us through our personal blogs and Twitter accounts:
■ http://blogs.technet.com/yuridiogenes and http://blogs.technet.com/tomshinder
■ http://twitter.com/yuridiogenes and http://twitter.com/tshinder
Support for This Book
Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media web site. To find Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book, and click Search.
3. Select the book from the search results, which will take you to the book’s catalog page.
4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.
If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.
We Want to Hear from You
We welcome your feedback about this book. Please share your comments and ideas through the following short survey:
http://www.microsoft.com/learning/booksurvey
YourparticipationhelpsMicrosoftPresscreatebooksthatbettermeetyourneedsandyourstandards.
NOTE We hope that you will give us detailed feedback in our survey. If you have questions about our publishing program, upcoming titles, or Microsoft Press in general, we encourage you to interact with us using Twitter at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown earlier.
CHAPTER 3
Protecting your Mail System on the Edge with Forefront TMG Email Protection
■ Understanding the Forefront TMG Email Protection Feature 59
■ Software and Hardware Requirements 63
■ Installing and Configuring Email Protection 64
While maintaining a secure messaging infrastructure within your network is important, having a central repository for the configuration for your Edge role also has value. With Microsoft Forefront Threat Management Gateway (TMG) 2010, a new concept of email protection was introduced that combines the three main products that can help protect the network and the messaging infrastructure in a single management console. In this chapter you will learn how the email protection feature works and how to configure it on Forefront TMG.
NOTE You can find detailed information about Forefront TMG in Microsoft Forefront Threat Management Gateway (TMG) Administrator’s Companion (Microsoft Press, 2010).
Understanding the Forefront TMG Email Protection Feature
Forefront TMG comes with a new feature called email protection. This feature allows the integration of three major components of Microsoft’s protection and messaging solution, which are: the Edge Transport role of Microsoft Exchange 2010, Microsoft Forefront Protection for Exchange Server (FPE), and Forefront TMG. Figure 3-1 shows the main components of this solution.
FIGURE 3-1
The TMG Filter driver (FWENG) is the first component to receive email traffic (in a bottom to top approach). FWENG runs in kernel mode, and it performs the initial inspection of a packet. Once this inspection is done, and assuming that the traffic is allowed, the packet is identified as belonging to the Email Protection component because it is an email. At this point, the Exchange Edge components take over and process the request via the Exchange Edge Receive Connector.
A series of inspections are done on the Exchange side, according to the system configuration, and then the traffic is handed over to the FPE component. This component determines whether or not the message is spam, and it scans the message using other tests. Assuming that the inspection completes successfully and the traffic is allowed, the Send connector of the Exchange Edge Transport role is used to send the message through the TMG Filter driver again, for the final outbound inspection, before it goes to the destination. Table 3-1 shows the core components of the protection and indicates the product or products that handle each component.
TABLE 3-1 Component breakdown

FEATURES                                EXCHANGE EDGE ROLE   FOREFRONT PROTECTION FOR EXCHANGE
IP Allow/Block Lists                    X                    X
IP Allow/Block List Providers           X (Custom)           X (DNS Block List or DNSBL)
Sender/Recipient Filtering, Sender ID   X                    X
Sender Reputation                       X
Basic Content Filtering (SmartScreen)   X
Premium Anti-spam (Cloudmark)                                X
File Filtering                                               X
Message Body Filtering                                       X
Antivirus and Antispyware                                    X
After installing Forefront TMG, a new service called Microsoft Forefront TMG Managed Control Services is created. This service is responsible for handling the managed code portion of TMG, which is used for Exchange configuration and other managed code. This service monitors the state of the configuration to make sure that what is configured on the TMG interface and what is present on Exchange Edge and FPE are in sync.
TMG will poll the Exchange configuration periodically and compare it to its own configuration. If there is a mismatch, TMG will reconfigure Exchange to match its own configuration. TMG checks only those Exchange configuration elements of which it is aware; it ignores settings that are not set up through the TMG console. If a configuration can’t be set, TMG alerts the administrator. In the case of the Edge Subscription, the polling takes into account the fact that only part of the configuration is controlled by Forefront TMG, and the part not controlled by Forefront TMG will not be polled.
In summary, the default behavior of the Forefront TMG is as follows:
■ Changes of email policy are done only through the Forefront TMG console.
■ The TMG Managed Control Service will identify those changes and replicate them with the other components (Exchange Edge and Forefront Protection for Exchange).
■ If the administrator makes changes directly on Exchange Edge through the Exchange management console, those changes will be overwritten by the settings on the Forefront TMG Console.
■ An alert will appear on Forefront TMG, warning that the email policy changed and that the configuration will be reapplied.
NOTE When Exchange 2010 SP1 was released, some cmdlets were removed, causing TMG Managed Control Service to fail to start. For more information on this behavior, see http://blogs.technet.com/b/isablog/archive/2010/09/01/problems-when-installing-exchange-2010-service-pack-1-on-a-tmg-configured-for-mail-protection.aspx.
■ Changes that are processed through Exchange PowerShell cmdlets can cause the TMG Managed Control Service to fail to start, with the error 0x80070057. The workaround for this is to undo those changes using Windows PowerShell cmdlets.
NOTE It is expected that this behavior will be changed on Forefront TMG SP1 Update 1. With Update 1, the changes made via Exchange Edge console or Windows PowerShell will be merged and the TMG Managed Control service shouldn’t fail in such circumstances.
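The sync behavior above means the Exchange Edge configuration is only trustworthy while the Managed Control service is running and while nothing was changed behind TMG’s back. The following script is an added check, not from the book, to be run in the Exchange Management Shell on the TMG/Edge server after the Email Policy has been applied; the service display name pattern and the expected values (hub 10.20.20.11, domain contoso.com, FQDN mail.contoso.com) are assumptions taken from this chapter’s Contoso scenario and must be replaced with your own Email Policy settings.

```powershell
# Added drift check for the TMG Email Protection configuration (not from the book).
# Run in the Exchange Management Shell on the server hosting TMG, Exchange Edge and FPE.
# Values below are assumptions from this chapter's Contoso scenario; edit them to match
# what you entered in the TMG Email Policy wizard.
$ExpectedHub    = '10.20.20.11'      # Internal mail server (Hub Transport) given to TMG
$ExpectedDomain = 'contoso.com'      # Accepted authoritative domain (wizard used *.contoso.com)
$ExpectedFqdn   = 'mail.contoso.com' # FQDN answered to HELO/EHLO on the external listener

$problems = @()

# 1. The managed-code bridge between TMG, Exchange Edge and FPE. While it is stopped,
#    no policy is replicated and nothing is polled, so Edge may silently drift.
#    Display name pattern is an assumption; adjust if your build names it differently.
$svc = Get-Service -DisplayName 'Microsoft Forefront TMG Managed Control*' -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += 'TMG Managed Control service not found on this server'
} elseif ($svc.Status -ne 'Running') {
    $problems += "TMG Managed Control service is $($svc.Status), not Running"
}

# 2. Recent Application log errors carrying the start failure code the book mentions
#    (0x80070057 after changes made through Exchange PowerShell).
$startErrors = Get-EventLog -LogName Application -EntryType Error -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*0x80070057*' }
if ($startErrors) {
    $problems += "Found $(@($startErrors).Count) Application log error(s) mentioning 0x80070057"
}

# 3. Accepted domains on Edge should contain the wizard's Accepted Authoritative Domain.
$domainMatch = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -like "*$ExpectedDomain" }
if (-not $domainMatch) {
    $problems += "No accepted domain matching $ExpectedDomain on Exchange Edge"
}

# 4. The outbound-to-hub send connector must still point at the hub TMG was told about.
#    Smart hosts given as IPs display in brackets, e.g. [10.20.20.11], hence the wildcard.
$toHub = Get-SendConnector | Where-Object {
    @($_.SmartHosts | Where-Object { "$_" -like "*$ExpectedHub*" }).Count -gt 0
}
if (-not $toHub) {
    $problems += "No send connector uses $ExpectedHub as a smart host"
}

# 5. The Internet-facing receive connector must advertise the FQDN from the wizard.
$inbound = Get-ReceiveConnector | Where-Object { "$($_.Fqdn)" -eq $ExpectedFqdn }
if (-not $inbound) {
    $problems += "No receive connector advertises FQDN $ExpectedFqdn"
}

# 6. Report. Anything flagged here was either never applied by TMG or was changed on
#    Edge directly and will be overwritten at the next poll once the service runs again.
if ($problems.Count -eq 0) {
    Write-Host 'Edge configuration matches the expected TMG Email Policy values.'
} else {
    Write-Warning 'Configuration drift or service problems detected:'
    $problems | ForEach-Object { Write-Warning "  - $_" }
}

# Full picture for comparison against the Email Policy tab in the TMG console.
Get-SendConnector    | Format-Table Name, SmartHosts, AddressSpaces -AutoSize
Get-ReceiveConnector | Format-Table Name, Bindings, Fqdn -AutoSize
```

Run it before and after any maintenance on the Edge role; a clean run after TMG has reapplied policy is the baseline to compare future output against.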
Each of the three products that comprise the email protection solution on Forefront TMG requires its own license. In other words, you will need a license for Exchange Edge and a license for Forefront Protection for Exchange, in addition to the license that you should already have for Forefront TMG. The solution is vendor-independent in the sense that it can protect any SMTP server that is behind TMG. You can have a non-Microsoft messaging solution in the internal organization and use the Forefront TMG email protection feature on the Edge to protect the messaging environment. The only feature that will not work in this case is the Exchange Edge Subscription because it requires Exchange on the back end to work. Figure 3-2 shows a network that has two email solutions and is using Email Protection on the Edge to filter the traffic.
FIGURE 3-2
NOTE The most common questions and answers about this solution can be found in “Understanding E-Mail Protection on Forefront TMG,” at http://technet.microsoft.com/en-us/library/ee338733.aspx.
Software and Hardware Requirements
There are software and hardware prerequisites that must be met to enable the Email Protection feature on Forefront TMG. For hardware, you should start by assessing your environment’s needs and traffic profile. Once you have all the information related to those two main elements, you can use the Forefront TMG Capacity Planning tool. Figure 3-3 shows the Capacity Planning tool and the feature list in which you can indicate that the Mail Protection feature is going to be enabled in this deployment.
NOTE You can download the Forefront Threat Management Gateway 2010 Capacity Planning tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=01b2f7a5-8165-4ead-9693-994504f66449&displaylang=en.
FIGURE 3-3
The software requirements are a bit more diverse and need to be carefully planned. Table 3-2 shows the software needed and supported for the Email Protection feature to work on Forefront TMG.
TABLE 3-2 Software requirements for the Enable Email Protection feature

SOFTWARE                                   VERSION    SUPPORTABILITY   SUPPORTED PLATFORM
Exchange Edge Role                         2007 RTM   Not supported    NA
Exchange Edge Role                         SP2        Supported        Windows Server 2008 SP2* or R2
Exchange Edge Role                         2010       Supported        Windows Server 2008 SP2 or R2
Forefront Protection for Exchange Server   2010       Supported        Windows Server 2008 SP2 or R2
Forefront TMG                              MBE        Not supported    NA
Forefront TMG                              2010       Supported        Windows Server 2008 SP2 or R2

* The Exchange team changed the supportability statement on this in November 2009. For more information, see http://msexchangeteam.com/archive/2009/11/04/453026.aspx and http://msexchangeteam.com/archive/2009/11/30/453327.aspx.
It is important to emphasize that each piece of software that is listed in Table 3-2 has its own prerequisites list that you will need in order to install that software. If you don’t have Forefront TMG installed yet and want to build the complete solution, the steps below are necessary to enable the Email Protection capability:
1. Install Active Directory Lightweight Directory Services (AD LDS).
2. Install the Exchange Server Edge Transport role.
3. Install Forefront Protection for Exchange Server.
4. Install Forefront TMG.
NOTE To install the Exchange 2010 software prerequisites, see the article “Exchange 2010 Prerequisites” at http://technet.microsoft.com/en-us/library/bb691354.aspx.
Installing and Configuring Email Protection
For the purpose of this instruction, the topology shown in Figure 3-4 will be used to perform the installation of the Exchange Edge role and Forefront Protection for Exchange Server. This scenario assumes that Forefront TMG is already installed.
FIGURE 3-4
NOTE If you are installing Forefront TMG on a standalone server in a workgroup, it will be necessary to configure the DNS suffix for the server under the computer’s Properties, Advanced System Settings.
Installing Exchange 2010 Edge Transport Role
Complete the following steps to install the Exchange Edge Transport role on an existing Forefront TMG installation:
1. Insert the Exchange 2010 DVD and run the setup.msi. The Welcome page, shown in Figure 3-5, appears.
FIGURE 3-5
2. Steps 1 and 2 are grayed and no longer available, because those prerequisites are already met. Click Step 3: Choose Exchange Language Option, and then choose Install Only Languages From The DVD.
3. Click Step 4: Install Microsoft Exchange, to start the Exchange 2010 Setup Wizard. On the Introduction page, click Next to continue.
4. On the License Agreement page, read the license terms, click I Accept The Terms In The License Agreement, and then click Next to proceed.
5. On the Error Reporting page, you can either enable or disable Error Reporting. Click Yes (Recommended) to enable Error Reporting, and then click Next to continue.
6. On the Exchange Server 2010 Setup page, shown in Figure 3-6, select the Installation Type. Click Custom Exchange Server Installation, and then click Next.
FIGURE 3-6
7. On the Server Role Selection page, click Edge Transport Role, as shown in Figure 3-7, and then click Next.
FIGURE 3-7
8. The Customer Experience Improvement Program page, which appears next, lets you indicate whether you want to participate in this program. Make a selection, and then click Next.
9. The Exchange Server 2010 Setup Wizard starts the Readiness Checks, which verify that all the prerequisites have been met for the selected role, in this case, Edge Transport. If all prerequisites are in place, the Readiness Checks page appears as shown in Figure 3-8. Click Install to proceed.
FIGURE 3-8
10. Once the installation is finished, the Exchange Server 2010 Setup Wizard displays the Completion page, shown in Figure 3-9. Clear the Finalize This Installation Using The Exchange Management Console check box, and then click Finish.
FIGURE 3-9
11. On the Welcome page, shown in Figure 3-5, click Step 5: Get Critical Updates For Microsoft Exchange.
12. After installing the updates, click Close.
Installing Forefront Protection for Exchange Server
The steps to install Forefront Protection for Exchange Server are described in Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server.” The only difference here is that you will launch the FPE installation directly from the Forefront TMG setup screen. Once you insert the Forefront TMG DVD, autorun launches the setup. Choose Install Microsoft Forefront Protection 2010 For Exchange Server, as shown in Figure 3-10.
FIGURE 3-10
Then follow the steps detailed in Chapter 2.
NOTE Installing FPE from this window—that is, downloading from the Web site—is not required, although it is an option. You can install FPE directly from the installation CD.
Email Protection Configuration
When configuring Email Protection on Forefront TMG, the first step after the installation of all prerequisites is to configure SMTP Routes. These routes will be responsible for creating the Exchange inbound and outbound connectors. After the routes are configured, you can enable spam filtering and virus and content filtering.
Email Policy
To configure the Email Policy, you will need:
■ The name/IP address of the Exchange Hub Transport Server.
■ The name of the MX record that will be used for the SMTP server.
You will also need to define:
■ The TMG network interface that will communicate with this Exchange Hub Transport Server.
■ The TMG network interface that will communicate with the Internet, as well as the IP address that will be used to publish the SMTP to the outside world.
When you have this information, you are ready to start the Email Policy configuration:
1. Open the Forefront TMG Management Console, click Email Policy, and, in the Tasks pane on the right side of the console, click Configure Email Policy.
2. On the Welcome To The Email Policy Wizard page, click Next.
3. The Internal Mail Server Configuration step allows you to define two options: the internal mail server to which TMG will send emails, and the domain from which TMG will accept messages.
a. Click Add beside Internal Mail Servers, and add the Computer Name and IP Address for the Exchange 2007 Hub Transport Server; for this scenario (shown earlier in Figure 3-4), type 10.20.20.11.
4. Beside Accepted Authoritative Domains, click Add, and add the name of the domain that will accept messages; for this scenario type *.contoso.com, as shown in Figure 3-11. If you have multiple domains within your organization, you can enter the names of all of those domains in this box.
a. Click Next to proceed.
FIGURE 3-11
5. On the Internal Email Listener Configuration page, you define the network interface that TMG will use to communicate with the Exchange Hub Transport Server. For this example, select Internal, as shown in Figure 3-12, and then click Next.
FIGURE 3-12
6. On the External Email Listener Configuration page, select the interface that will connect with the Internet; in this case, select External. If you have multiple IP addresses on the External interface, you can click Select Addresses and specify an individual IP address that will be used to listen on port 25. In the FQDN Or IP Address box, enter the FQDN that will appear as the response to a HELO or EHLO SMTP command; in this case, type mail.contoso.com, as shown in Figure 3-13.
FIGURE 3-13
7. On the Email Policy Configuration page, leave Enable Spam Filtering and Enable Virus And Content Filtering enabled. (These options are discussed in more detail in the "Virus and Content Filtering" section later in this chapter.) Click Next, and then click Finish to conclude the wizard.
8. An informational window appears asking if you want to enable the System policy to allow the SMTP traffic. Click Yes to continue. The Email Policy tab (Figure 3-14) should now show the two SMTP Routes that were created.
FIGURE 3-14
9. Click Apply, type a description of this change, click Apply, and then click OK.
Forefront TMG will update the Exchange Edge Transport configuration and will create receive and send connectors based on the settings that were selected in the Email Policy Wizard. For a better management experience between Edge and Hub Transport, enable EdgeSync traffic by following these steps:
1. In the Tasks pane on the right, select the Enable Connectivity For EdgeSync Traffic option. A window appears informing you that system policies will be enabled to allow this communication. TMG does this automatically by enabling system policy 47 (Allow LDAP/LDAPS traffic to the local host for the Exchange Server EdgeSync synchronization process). Click OK to continue.
2. In the Tasks pane, click Generate Edge Subscription Files, choose the location to which you will save this file, and then click OK.
3. When the file is successfully exported, an informational window appears saying that the Edge Subscription was created in the location that you chose. Click OK to continue.
4. Right-click Internal_Mail_Servers in the Email Policy pane, and then click Properties.
5. Click the Listener tab, and then click Advanced.
6. Make sure to configure an authentication method that matches the method used by Exchange Hub Transport. The most common authentication method combines Transport Layer Security (TLS) and Exchange Server Authentication, as shown in Figure 3-15.
FIGURE 3-15
7. Click OK twice, click Apply, type a description of this change, click Apply, and then click OK.
8. Copy the Edge subscription file created in Step 2 to the Exchange Hub Transport Server. Then, on that server, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
9. On the Hub Transport actions pane, click New Edge Subscription. Next to the Active Directory Site box, click Browse, and then select Default-First-Site-Name. Next to the Subscription File box, click Browse, and then choose the file generated by Forefront TMG, as shown in Figure 3-16. Click New to conclude.
FIGURE 3-16
10. On the Completion page, review the results, and then click Finish.
11. Click the Send Connectors tab, right-click EdgeSync – Inbound To Default-First-Site-Name, and then choose Properties.
12. Click the Network tab, and then click Change.
13. Make sure that the authentication method selected here matches at least one authentication method that was selected in Step 6. Exchange Server Authentication is selected by default. Click OK twice to conclude.
14. To force the synchronization, open the Exchange Management Shell prompt, type Start-EdgeSynchronization, and press Enter.
NOTE For more information on EdgeSync service on Exchange, read “Understanding the EdgeSync Synchronization Process,” at http://technet.microsoft.com/en-us/library/bb232180(EXCHG.80).aspx.
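As an added example that is not from the book, the following Exchange Management Shell commands, run on the Hub Transport server (the prompt used in Step 14), check the state the EdgeSync procedure above leaves behind without changing anything; the site name is the one chosen in Step 9, and the connector name pattern and property values are assumptions about the objects EdgeSync creates.

```powershell
# Added example, not from the book: read-only EdgeSync checks run in the
# Exchange Management Shell on the Hub Transport server. Nothing here changes
# configuration, which matters because the Punch List warns against using
# cmdlets to modify an Edge that Forefront TMG manages.

$site = 'Default-First-Site-Name'   # the Active Directory site chosen in Step 9

# The Edge Subscription imported in Step 9 should be listed for that site.
$subscription = Get-EdgeSubscription | Where-Object { "$($_.Site)" -like "*$site*" }
if (-not $subscription) {
    Write-Warning "No Edge Subscription found for site $site; re-import the file generated in Step 2."
}

# Test-EdgeSynchronization reports the result of the last synchronization
# without starting a new one. Anything other than Normal means the connectors
# and recipient data on the Edge may be stale.
foreach ($status in Test-EdgeSynchronization) {
    '{0,-20} SyncStatus={1} LastSynchronizedUtc={2}' -f $status.Name, $status.SyncStatus, $status.LastSynchronizedUtc
    if ($status.SyncStatus -ne 'Normal') {
        Write-Warning "EdgeSync for $($status.Name) is $($status.SyncStatus): $($status.FailureDetails). Run Start-EdgeSynchronization (Step 14) and review the Application log."
    }
}

# Step 13 requires the EdgeSync send connector to authenticate with a method
# that the TMG listener configured in Step 6 also accepts. The default is
# Exchange Server Authentication, which the listener in Figure 3-15 offers
# together with TLS.
$connector = Get-SendConnector | Where-Object { $_.Name -like "EdgeSync - Inbound to $site*" }
if (-not $connector) {
    Write-Warning "EdgeSync inbound send connector for $site not found; synchronization has not created it yet."
} else {
    $connector | Format-List Name, SmartHostAuthMechanism, RequireTLS, SourceTransportServers
    if ($connector.SmartHostAuthMechanism -ne 'ExchangeServer') {
        Write-Warning "Connector uses $($connector.SmartHostAuthMechanism); select Exchange Server Authentication (Step 13) or add that method on the TMG listener (Step 6)."
    }
}
```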
Spam Filtering

The Spam Filtering options on Forefront TMG, as shown in Figure 3-17, are the same spam filtering options that are available on the Exchange Edge role, as shown in Figure 3-18.
FIGURE 3-17
FIGURE 3-18
The anti-spam options that are available on the Edge role and configured by TMG are:
■ Content Filtering Filters emails based on the settings that you define for the content inspection.
■ IP Allow List Lets you specify one or more IP addresses that are considered to be trusted and should always be allowed to send email.
■ IP Allow List Providers Lets you maintain a list of IP addresses that are known not to be associated with any type of spam activity.
■ IP Block List Lets you specify one or more IP addresses that should never be allowed to establish an SMTP connection with TMG.
■ IP Block List Providers Lets you specify block list providers that identify senders known to send (or suspected of sending) spam.
■ Recipient Filtering Lets you specify a list of email addresses or a distribution list that would like to receive emails from outside your organization.
■ Sender Filtering Lets you block a source address from sending messages to your organization.
■ Sender ID Verifies the source of a message to determine whether the organization is what it claims to be.
■ Sender Reputation Relies on persistent data about the sender to determine what action, if any, to take when an inbound message arrives.
NOTE You can find more information about the Spam Filtering option in Microsoft Forefront Threat Management Gateway (TMG) Administrator's Companion (Microsoft Press, 2010), Chapter 19, "Enhancing E-Mail Protection."
Virus and Content Filtering

The Virus and Content Filtering options in TMG, shown in Figure 3-19, are the same as the options that were described in Chapter 2, "Installing and Configuring Forefront Protection for Exchange Server."
FIGURE 3-19
NOTE Refer to Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server,” for more information about the File Filtering, Virus Filtering, and Message Body Filtering options.
Administrator’s Punch List
In this chapter, you learned about the way the Email Protection feature works, and the way Forefront TMG integrates with the Exchange Edge role and with Forefront Protection for Exchange Server to improve your administrative experience. When deploying Email Protection on Forefront TMG, keep the following points in mind:
■ Although there is a single point of configuration for Email Protection, it is important that you understand the boundaries of each product in order to better configure the protection and troubleshoot any problems.
■ Planning before deployment is always the best practice to follow. Be sure to use the Forefront TMG Capacity Planning tool to correctly size your Email Protection solution.
■ Keep in mind that you will need a license for Exchange Edge and a license for Forefront Protection for Exchange, in addition to the license for Forefront TMG, to enable the Email Protection feature on the Edge.
■ If you are deploying Forefront TMG or SP1, do not use Exchange PowerShell cmdlets to make changes, so that you are sure to avoid problems on the Forefront TMG Managed Control Service.
■ The installation process for the Exchange Edge Transport role and Forefront Protection for Exchange Server is the same as the process specified in the product documentation.
■ To allow a better experience while administering Exchange Hub Transport and Exchange Edge, be sure to enable the EdgeSync subscription.