Deploying Microsoft Forefront Protection 2010 for Exchange ... · Installing Forefront Protection...
Contents
Acknowledgments v
Introduction vii
Chapter 1 Planning Forefront Protection for Exchange Server 1
Understanding Forefront Protection for Exchange Server 1
Architecture 4
Software and Hardware Requirements 7
Performance Considerations 8
Edge Transport Role Considerations 9
Hub Transport Role Considerations 11
Mailbox Role Considerations 11
Administrator’s Punch List 12
Chapter 2 Installing and Configuring Forefront Protection for Exchange Server 13
Installing Forefront Protection for Exchange Server 13
Opening the Console 20
Configuring Forefront Protection for Exchange Server 21
Anti-Malware 21
Anti-Spam 32
Filters 38
Online Protection 51
Global Settings 52
Administrator’s Punch List 58
Chapter 3 Protecting your Mail System on the Edge with Forefront TMG Email Protection 59
Understanding the Forefront TMG Email Protection Feature 59
Software and Hardware Requirements 63
Installing and Configuring Email Protection 64
Installing Exchange 2010 Edge Transport Role 65
Installing Forefront Protection for Exchange Server 69
Email Protection Configuration 70
Administrator’s Punch List 77
About the Authors 79
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2010 by Yuri Diogenes and Dr. Thomas W. Shinder
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2010935905
Printed and bound in the United States of America.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/[email protected].
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Devon Musgrave
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design
Body Part No. X17-15051
iii
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:
www.microsoft.com/learning/booksurvey/
What do you think of this book? We want to hear from you!
Acknowledgments
This Microsoft Forefront project took almost a year to write and resulted in three separate books about deploying Forefront products. Although the authors get lots of credit, there can be little doubt that we could not have even begun, much less completed, this book without the cooperation (not to mention the permission) of an incredibly large number of people.
It’s here that we’d like to take a few moments to express our gratitude to the folks who made it all possible.
With thanks…
To the folks at Microsoft Press, who made the process as smooth as they possibly could: Karen Szall, Devon Musgrave, and their crew.
To the Forefront Protection for Exchange CSS Team who helped us so much in shaping this book; with special thanks to: Ryan McGrath, Alexandre Hollanda, Dan Takata, Craig Wiand, and Neil Carpenter. Your rich contributions are highly appreciated.
From Yuri
First and foremost to God, for blessing my life, leading my way, and giving me the strength to take on the challenges as just another step in life. To my eternal supporter in all moments of my life: my wife Alexsandra. To my daughters who, although very young, understand when I close the office door and say, “I’m really busy.” Thanks for understanding. I love you, Yanne and Ysis.
To my friend Thomas Shinder, whom I was fortunate enough to meet three years ago. Thanks for shaping my writing skills and also contributing to my personal growth with your thoughts, advice, and guidance. Without a doubt, these long months working on this project were worth it, because of our amazing partnership. I can’t forget to thank the two other friends who wrote the Microsoft Forefront Threat Management Gateway Administrator’s Companion with me: Jim Harrison and Mohit Saxena. They were, without a doubt, the pillars of this writing career in which I’m now fully engaged. Thanks, guys. I also want to thank, as Jim says, “da Boyz”: Tim “Thor” Mullen, Steve Moffat, and Greg Mulholland. You guys are amazing. Thanks for sharing all the tales.
To all the folks from CSS Security who support Forefront Protection for Exchange on a daily basis, especially Andrew Davis, Jess Huber, John Moracho, and Bob Payton. You guys rock! Also, to my friends from the Exchange Team for their outstanding partnership, especially Vandy Rodrigues, Tim Heeney, Charlene Weber, Will Duff, Austin McCollum, Julio Vieira, and Mohammad Nadeem.
From Tom
As Yuri does, I acknowledge the blessings from God, who took “a fool like me” and guided me on a path that I never would have chosen on my own. The second most important acknowledgement I must make is to my beautiful wife, Deb Shinder, whom I consider my hand of God. Without her, I don’t know where I would be today, except that I know that the place wouldn’t be anywhere near as good as the place I am now.
I also want to acknowledge my good friend Yuri Diogenes, my co-writer on this project. Yuri really held this project together. I had just started working for Microsoft and was learning about the ins and outs of the Microsoft system, and I was also taking on a lot of detailed and complex projects alongside the writing of this book. Yuri helped keep me focused, spent a lot of time pointing me in the right direction, and essentially is responsible for enabling me to get done what I needed to get done. I have no doubt that, without Yuri guiding this effort, it probably never would have been completed.
Props go out to Jim Harrison, “the King of TMG,” as well as to Greg Mulholland, Steve Moffat, and Tim Mullen. You guys were the moral authority that drove us to completion. I also want to thank Mike Chan for giving me the opportunity to work as a Technical Account Manager (TAM) for the Business Productivity Online Suite (BPOS) prior to my working for Microsoft.
Introduction
When we began this project, our intent was to create a real-world scenario that would guide IT professionals in using Microsoft best practices to deploy Microsoft Forefront Protection for Exchange Server (FPE) 2010. We hope you find that we have achieved that goal. We’ve also included a thorough explanation of the architectural side of the product, which we consider an advantage for you, because the explanation of the technical details was reviewed by engineers who work directly on the FPE team at Microsoft Customer Service and Support (CSS).
This book provides administrative procedures, tested design examples, quick answers, and tips. In addition, it covers some of the most common deployment scenarios and describes ways to take full advantage of the product’s capabilities. It covers pre-deployment tasks, software and hardware requirements, performance considerations, and installation and configuration, using best practice recommendations.
Who Is This Book For?
Deploying Microsoft Forefront Protection for Exchange Server 2010 covers FPE in an Exchange Server 2010 environment. This book is designed for:
■ Administrators who are deploying FPE
■ Administrators who are experienced with Windows Server 2008 and Exchange Server 2010
■ Current Forefront Security for Exchange administrators
■ Administrators who are new to FPE
■ Technology specialists, such as messaging administrators and security administrators
Because this book is limited in size and we want to provide you with the maximum value, we assume a basic knowledge of Windows Server 2008, Active Directory, and Exchange Server. These technologies are not discussed in detail, but this book contains material on all of these topics as they relate to Forefront Protection for Exchange’s administrative tasks.
How Is This Book Organized?
Deploying Microsoft Forefront Protection for Exchange Server 2010 is written to be a deployment guide and to serve as a source of architectural information related to the product. The book is organized in such a way that you can follow the steps to plan and deploy the product. The steps are based on a deployment scenario for the company Contoso. As you go through the steps, you will also notice tips for best practices implementation. At the end of each chapter, you will see an “Administrator’s Punch List,” in which you will find a summary of the main administrative tasks that were covered throughout the chapter. This is a quick checklist to help you review the main deployment tasks.
The book is organized into three chapters to cover three deployment topics: planning, installation and configuration, and using the Microsoft Forefront Threat Management Gateway (TMG) for email protection.
We really hope you find the Deploying Microsoft Forefront Protection for Exchange Server 2010 useful and accurate. We have an open door policy for email at [email protected], and you can contact us through our personal blogs and Twitter accounts:
■ http://blogs.technet.com/yuridiogenes and http://blogs.technet.com/tomshinder
■ http://twitter.com/yuridiogenes and http://twitter.com/tshinder
Support for This Book
Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media website. To find Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book, and click Search.
3. Select the book from the search results, which will take you to the book’s catalog page.
4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.
If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.
We Want to Hear from You
We welcome your feedback about this book. Please share your comments and ideas through the following short survey:
http://www.microsoft.com/learning/booksurvey
Your participation helps Microsoft Press create books that better meet your needs and your standards.
NOTE We hope that you will give us detailed feedback in our survey. If you have questions about our publishing program, upcoming titles, or Microsoft Press in general, we encourage you to interact with us using Twitter at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown earlier.
CHAPTER 3
Protecting your Mail System on the Edge with Forefront TMG Email Protection
■ Understanding the Forefront TMG Email Protection Feature 59
■ Software and Hardware Requirements 63
■ Installing and Configuring Email Protection 64
While maintaining a secure messaging infrastructure within your network is important, having a central repository for the configuration for your Edge role also has value. With Microsoft Forefront Threat Management Gateway (TMG) 2010, a new concept of email protection was introduced that combines the three main products that can help protect the network and the messaging infrastructure in a single management console. In this chapter you will learn how the email protection feature works and how to configure it on Forefront TMG.
NOTE You can find detailed information about Forefront TMG in Microsoft Forefront Threat Management Gateway (TMG) Administrator’s Companion (Microsoft Press, 2010).
Understanding the Forefront TMG Email Protection Feature
Forefront TMG comes with a new feature called email protection. This feature allows the integration of three major components of Microsoft’s protection and messaging solution, which are: the Edge Transport role of Microsoft Exchange 2010, Microsoft Forefront Protection for Exchange Server (FPE), and Forefront TMG. Figure 3-1 shows the main components of this solution.
60 CHAPTER 3 Protecting your Mail System on the Edge with Forefront TMG Email Protection
FIGURE 3-1
The TMG Filter driver (FWENG) is the first component to receive email traffic (in a bottom to top approach). FWENG runs in kernel mode, and it performs the initial inspection of a packet. Once this inspection is done, and assuming that the traffic is allowed, the packet is identified as belonging to the Email Protection component because it is an email. At this point, the Exchange Edge components take over and process the request via the Exchange Edge Receive Connector.
A series of inspections are done on the Exchange side, according to the system configuration, and then the traffic is handed over to the FPE component. This component determines whether or not the message is spam, and it scans the message using other tests. Assuming that the inspection completes successfully and the traffic is allowed, the Send connector of the Exchange Edge Transport role is used to send the message through the TMG Filter driver again, for the final outbound inspection, before it goes to the destination. Table 3-1 shows the core components of the protection and indicates the product or products that handle each component.
TABLE 3-1 Component breakdown
FEATURES                                 EXCHANGE EDGE ROLE    FOREFRONT PROTECTION FOR EXCHANGE
IP Allow/Block Lists                     X                     X
IP Allow/Block List Providers            X (Custom)            X (DNS Block List or DNSBL)
Sender/Recipient Filtering, Sender ID    X                     X
Sender Reputation                        X
Basic Content Filtering (SmartScreen)    X
Premium Anti-spam (Cloudmark)                                  X
File Filtering                                                 X
Message Body Filtering                                         X
Antivirus and Antispyware                                      X
After installing Forefront TMG, a new service called Microsoft Forefront TMG Managed Control Services is created. This service is responsible for handling the managed code portion of TMG, which is used for Exchange configuration and other managed code. This service monitors the state of the configuration to make sure that what is configured on the TMG interface and what is present on Exchange Edge and FPE are in sync.
TMG will poll the Exchange configuration periodically and compare it to its own configuration. If there is a mismatch, TMG will reconfigure Exchange to match its own configuration. TMG checks only those Exchange configuration elements of which it is aware; it ignores settings that are not set up through the TMG console. If a configuration can’t be set, TMG alerts the administrator. In the case of the Edge Subscription, the polling takes into account the fact that only part of the configuration is controlled by Forefront TMG, and the part not controlled by Forefront TMG will not be polled.
In summary, the default behavior of the Forefront TMG is as follows:
■ Changes of email policy are done only through the Forefront TMG console.
■ The TMG Managed Control Service will identify those changes and replicate them with the other components (Exchange Edge and Forefront Protection for Exchange).
■ If the administrator makes changes directly on Exchange Edge through the Exchange management console, those changes will be overwritten by the settings on the Forefront TMG Console.
■ An alert will appear on Forefront TMG, warning that the email policy changed and that the configuration will be reapplied.
NOTE When Exchange 2010 SP1 was released, some cmdlets were removed, causing TMG Managed Control Service to fail to start. For more information on this behavior, see http://blogs.technet.com/b/isablog/archive/2010/09/01/problems-when-installing-exchange-2010-service-pack-1-on-a-tmg-configured-for-mail-protection.aspx.
■ Changes that are processed through Exchange PowerShell cmdlets can cause the TMG Managed Control Service to fail to start, with the error 0x80070057. The workaround for this is to undo those changes using Windows PowerShell cmdlets.
NOTE It is expected that this behavior will be changed on Forefront TMG SP1 Update 1. With Update 1, the changes made via Exchange Edge console or Windows PowerShell will be merged and the TMG Managed Control service shouldn’t fail in such circumstances.
Each of the three products that comprise the email protection solution on Forefront TMG requires its own license. In other words, you will need a license for Exchange Edge and a license for Forefront Protection for Exchange, in addition to the license that you should already have for Forefront TMG. The solution is vendor-independent in the sense that it can protect any SMTP server that is behind TMG. You can have a non-Microsoft messaging solution in the internal organization and use the Forefront TMG email protection feature on the Edge to protect the messaging environment. The only feature that will not work in this case is the Exchange Edge Subscription because it requires Exchange on the back end to work. Figure 3-2 shows a network that has two email solutions and is using Email Protection on the Edge to filter the traffic.
FIGURE 3-2
NOTE The most common questions and answers about this solution can be found in “Understanding E-Mail Protection on Forefront TMG,” at http://technet.microsoft.com/en-us/library/ee338733.aspx.
Software and Hardware Requirements
There are software and hardware prerequisites that must be met to enable the Email Protection feature on Forefront TMG. For hardware, you should start by assessing your environment’s needs and traffic profile. Once you have all the information related to those two main elements you can use the Forefront TMG Capacity Planning tool. Figure 3-3 shows the Capacity Planning tool and the feature list in which you can indicate that the Mail Protection feature is going to be enabled in this deployment.
NOTE You can download the Forefront Threat Management Gateway 2010 Capacity Planning tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=01b2f7a5-8165-4ead-9693-994504f66449&displaylang=en.
FIGURE 3-3
The software requirements are a bit more diverse and need to be carefully planned. Table 3-2 shows the software needed and supported for the Email Protection feature to work on Forefront TMG.
TABLE 3-2 Software requirements for the Enable Email Protection feature
SOFTWARE                                   VERSION    SUPPORTABILITY   SUPPORTED PLATFORM
Exchange Edge Role                         2007 RTM   Not supported    NA
Exchange Edge Role                         SP2        Supported        Windows Server 2008 SP2* or R2
Exchange Edge Role                         2010       Supported        Windows Server 2008 SP2 or R2
Forefront Protection for Exchange Server   2010       Supported        Windows Server 2008 SP2 or R2
Forefront TMG                              MBE        Not supported    NA
Forefront TMG                              2010       Supported        Windows Server 2008 SP2 or R2
* The Exchange team changed the supportability statement on this in November 2009. For more information, see http://msexchangeteam.com/archive/2009/11/04/453026.aspx and http://msexchangeteam.com/archive/2009/11/30/453327.aspx.
It is important to emphasize that each piece of software that is listed in Table 3-2 has its own prerequisites list that you will need in order to install that software. If you don’t have Forefront TMG installed yet and want to build the complete solution, the steps below are necessary to enable the Email Protection capability:
1. Install Active Directory Lightweight Directory Services (AD LDS).
2. Install the Exchange Server Edge Transport role.
3. Install Forefront Protection for Exchange Server.
4. Install Forefront TMG.
NOTE To install the Exchange 2010 software prerequisites, see the article “Exchange 2010 Prerequisites” at http://technet.microsoft.com/en-us/library/bb691354.aspx.
Installing and Configuring Email Protection
For the purpose of this instruction, the topology shown in Figure 3-4 will be used to perform the installation of the Exchange Edge role and Forefront Protection for Exchange Server. This scenario assumes that Forefront TMG is already installed.
FIGURE 3-4
NOTE If you are installing Forefront TMG on a standalone server in a workgroup, it will be necessary to configure the DNS suffix for the server under the computer’s Properties, Advanced System Settings.
Installing Exchange 2010 Edge Transport Role
Complete the following steps to install the Exchange Edge Transport role on an existing Forefront TMG installation:
1. Insert the Exchange 2010 DVD and run the setup.msi. The Welcome page, shown in Figure 3-5, appears.
FIGURE 3-5
2. Steps 1 and 2 are grayed and no longer available, because those prerequisites are already met. Click Step 3: Choose Exchange Language Option, and then choose Install Only Languages From The DVD.
3. Click Step 4: Install Microsoft Exchange, to start the Exchange 2010 Setup Wizard. On the Introduction page, click Next to continue.
4. On the License Agreement page, read the license terms, click I Accept The Terms In The License Agreement, and then click Next to proceed.
5. On the Error Reporting page, you can either enable or disable Error Reporting. Click Yes (Recommended) to enable Error Reporting, and then click Next to continue.
6. On the Exchange Server 2010 Setup page, shown in Figure 3-6, select the Installation Type. Click Custom Exchange Server Installation, and then click Next.
FIGURE 3-6
7. On the Server Role Selection page, click Edge Transport Role, as shown in Figure 3-7, and then click Next.
FIGURE 3-7
8. The Customer Experience Improvement Program page, which appears next, lets you indicate whether you want to participate in this program. Make a selection, and then click Next.
9. The Exchange Server 2010 Setup Wizard starts the Readiness Checks, which verify that all the prerequisites have been met for the selected role, in this case, Edge Transport. If all prerequisites are in place, the Readiness Checks page appears as shown in Figure 3-8. Click Install to proceed.
FIGURE 3-8
10. Once the installation is finished, the Exchange Server 2010 Setup Wizard displays the Completion page, shown in Figure 3-9. Clear the Finalize This Installation Using The Exchange Management Console check box, and then click Finish.
FIGURE 3-9
11. On the Welcome page, shown in Figure 3-5, click Step 5: Get Critical Updates For Microsoft Exchange.
12. After installing the updates, click Close.
Installing Forefront Protection for Exchange Server
The steps to install Forefront Protection for Exchange Server are described in Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server.” The only difference here is that you will launch the FPE installation directly from the Forefront TMG setup screen. Once you insert the Forefront TMG DVD, autorun launches the setup. Choose Install Microsoft Forefront Protection 2010 For Exchange Server, as shown in Figure 3-10.
FIGURE 3-10
Then follow the steps detailed in Chapter 2.
NOTE Installing FPE from this window—that is, downloading from the Web site—is not required, although it is an option. You can install FPE directly from the installation CD.
Email Protection Configuration
When configuring Email Protection on Forefront TMG, the first step after the installation of all prerequisites is to configure SMTP Routes. These routes will be responsible for creating the Exchange inbound and outbound connectors. After the routes are configured, you can enable spam filtering and virus and content filtering.
Email Policy
To configure the Email Policy, you will need:
■ The name/IP address of the Exchange Hub Transport Server.
■ The name of the MX record that will be used for the SMTP server.
You will also need to define:
■ The TMG network interface that will communicate with this Exchange Hub Transport Server.
■ The TMG network interface that will communicate with the Internet, as well as the IP address that will be used to publish the SMTP to the outside world.
When you have this information, you are ready to start the Email Policy configuration:
1. Open the Forefront TMG Management Console, click Email Policy, and, in the Tasks pane on the right side of the console, click Configure Email Policy.
2. On the Welcome To The Email Policy Wizard page, click Next.
3. The Internal Mail Server Configuration step allows you to define two options: the internal mail server to which TMG will send emails, and the domain from which TMG will accept messages.
a. Click Add beside Internal Mail Servers, and add the Computer Name and IP Address for the Exchange 2007 Hub Transport Server; for this scenario (shown earlier in Figure 3-4), type 10.20.20.11.
4. Beside Accepted Authoritative Domains, click Add, and add the name of the domain that will accept messages; for this scenario type *.contoso.com, as shown in Figure 3-11. If you have multiple domains within your organization, you can enter the names of all of those domains in this box.
a. Click Next to proceed.
FIGURE 3-11
5. On the Internal Email Listener Configuration page, you define the network interface that TMG will use to communicate with the Exchange Hub Transport Server. For this example, select Internal, as shown in Figure 3-12, and then click Next.
FIGURE 3-12
6. On the External Email Listener Configuration page, select the interface that will connect with the Internet; in this case, select External. If you have multiple IP addresses on the External interface, you can click Select Addresses and specify an individual IP address that will be used to listen on port 25. In the FQDN Or IP Address box, enter the FQDN that will appear as the response to a HELO or EHLO SMTP command; in this case, type mail.contoso.com, as shown in Figure 3-13.
FIGURE 3-13
7. On the Email Policy Configuration page, leave Enable Spam Filtering and Enable Virus And Content Filtering enabled. (These options are discussed in more detail in the “Virus and Content Filtering” section later in this chapter.) Click Next, and then click Finish to conclude the wizard.
8. An informational window appears asking if you want to enable the System policy to allow the SMTP traffic. Click Yes to continue. The Email Policy tab (Figure 3-14) should now show the two SMTP Routes that were created.
FIGURE 3-14
9. Click Apply, type a description of this change, click Apply, and then click OK.
Forefront TMG will update the Exchange Edge Transport configuration and will create receive and send connectors based on the settings that were selected in the Email Policy Wizard. For a better management experience between Edge and Hub Transport, enable EdgeSync traffic by following these steps:
1. In the Tasks pane on the right, select the Enable Connectivity For EdgeSync Traffic option. A window appears informing you that system policies will be enabled to allow this communication. TMG does this automatically by enabling system policy 47 (Allow LDAP/LDAPS traffic to the local host for the Exchange Server EdgeSync synchronization process). Click OK to continue.
2. In the Tasks pane, click Generate Edge Subscription Files, choose the location to which you will save this file, and then click OK.
3. When the file is successfully exported, an informational window appears saying that the Edge Subscription was created in the location that you chose. Click OK to continue.
4. Right-click Internal_Mail_Servers in the Email Policy pane, and then click Properties.
5. Click the Listener tab, and then click Advanced.
6. Make sure to configure an authentication method that matches the method used by Exchange Hub Transport. The most common authentication method combines Transport Layer Security (TLS) and Exchange Server Authentication, as shown in Figure 3-15.
FIGURE 3-15
7. Click OK twice, click Apply, type a description of this change, click Apply, and then click OK.
8. Copy the Edge subscription file created in Step 2 to the Exchange Hub Transport Server. Then, on that server, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
9. On the Hub Transport actions pane, click New Edge Subscription. Next to the Active Directory Site box, click Browse, and then select Default-First-Site-Name. Next to the Subscription File box, click Browse, and then choose the file generated by Forefront TMG, as shown in Figure 3-16. Click New to conclude.
FIGURE 3-16
10. On the Completion page, review the results, and then click Finish.
11. Click the Send Connectors tab, right-click EdgeSync – Inbound To Default-First-Site-Name, and then choose Properties.
12. Click the Network tab, and then click Change.
13. Make sure that the authentication method selected here matches at least one authentication method that was selected in Step 6. Exchange Server Authentication is selected by default. Click OK twice to conclude.
14. To force the synchronization, open the Exchange Management Shell prompt, type Start-EdgeSynchronization, and press Enter.
NOTE For more information on EdgeSync service on Exchange, read “Understanding the EdgeSync Synchronization Process,” at http://technet.microsoft.com/en-us/library/bb232180(EXCHG.80).aspx.
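Because the chapter warns that configuration changes made through Exchange PowerShell cmdlets can stop the TMG Managed Control Service from starting, the sensible use of the shell here is read-only: verify that the Edge Transport settings the Email Policy wizard and the EdgeSync steps above are supposed to produce are actually in place. The following script is an added example, not code from the book or from Microsoft; it runs in the Exchange Management Shell on the Edge server and assumes the chapter's Contoso values (hub 10.20.20.11, listener FQDN mail.contoso.com, domain contoso.com) and a wildcard match on the Managed Control service's display name.

```powershell
# Added example: read-only audit of the Edge Transport state that the TMG Email
# Policy wizard and EdgeSync procedure should have produced. It reads only, so it
# does not cause the 0x80070057 Managed Control Service failure that follows
# configuration changes made with PowerShell.
# Assumptions (not from the book): the Contoso scenario values below and the
# display-name wildcard used to find the TMG Managed Control service.
$ExpectedHub    = "10.20.20.11"
$ExpectedFqdn   = "mail.contoso.com"
$ExpectedDomain = "contoso.com"
$Findings       = @()

# 1. The Managed Control Service keeps TMG, Exchange Edge and FPE in sync. If it is
#    not running, what the TMG console shows may no longer match the Edge role.
$mcs = Get-Service | Where-Object { $_.DisplayName -like "Microsoft Forefront TMG Managed Control*" }
if (-not $mcs) {
    $Findings += "TMG Managed Control Service was not found on this host"
} elseif ($mcs.Status -ne "Running") {
    $Findings += "TMG Managed Control Service is $($mcs.Status), expected Running"
}

# 2. Receive connectors listening on port 25 (the routes TMG created). One of them
#    must advertise the external FQDN in HELO/EHLO, and one must offer both TLS and
#    Exchange Server authentication so the Hub Transport can authenticate (step 6).
$inbound = @(Get-ReceiveConnector | Where-Object {
    @($_.Bindings | ForEach-Object { $_.Port }) -contains 25
})
if ($inbound.Count -eq 0) {
    $Findings += "no receive connector is bound to port 25"
}
if (-not ($inbound | Where-Object { "$($_.Fqdn)" -eq $ExpectedFqdn })) {
    $Findings += "no port-25 receive connector advertises $ExpectedFqdn"
}
$hubFacing = $inbound | Where-Object {
    $auth = $_.AuthMechanism.ToString()
    ($auth -match "Tls") -and ($auth -match "ExchangeServer")
}
if (-not $hubFacing) {
    $Findings += "no port-25 receive connector offers TLS plus Exchange Server authentication"
}

# 3. Outbound route to the internal mail server: a send connector whose smart host
#    is the Hub Transport address typed into the wizard. Exchange prints IP smart
#    hosts in brackets, so match on the address text rather than on equality.
$toHub = Get-SendConnector | Where-Object {
    ($_.SmartHosts -join ",") -match [regex]::Escape($ExpectedHub)
}
if (-not $toHub) {
    $Findings += "no send connector routes to smart host $ExpectedHub"
}

# 4. The accepted authoritative domain entered in the wizard (*.contoso.com) must
#    exist, otherwise inbound mail for the organization is rejected at the Edge.
$domains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })
if (-not ($domains | Where-Object { $_ -like "*$ExpectedDomain" })) {
    $Findings += "no accepted domain matches $ExpectedDomain"
}

# 5. Every anti-spam agent the chapter lists for the Edge role should be enabled;
#    a disabled agent here means TMG's Spam Filtering settings are not in effect.
$agentConfigs = @{
    "Content Filtering"   = Get-ContentFilterConfig
    "IP Allow List"       = Get-IPAllowListConfig
    "IP Block List"       = Get-IPBlockListConfig
    "Recipient Filtering" = Get-RecipientFilterConfig
    "Sender Filtering"    = Get-SenderFilterConfig
    "Sender ID"           = Get-SenderIdConfig
    "Sender Reputation"   = Get-SenderReputationConfig
}
foreach ($name in $agentConfigs.Keys) {
    if (-not $agentConfigs[$name].Enabled) {
        $Findings += "$name is disabled on the Edge role"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "OK: Edge Transport state matches the expected TMG Email Policy"
} else {
    $Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Any finding should be corrected through the Forefront TMG console, as the chapter recommends, and then re-checked after the Managed Control Service has reapplied the policy.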
Spam Filtering
The Spam Filtering options on Forefront TMG, as shown in Figure 3-17, are the same spam filtering options that are available on the Exchange Edge role, as shown in Figure 3-18.
FIGURE 3-17
FIGURE 3-18
The anti-spam options that are available on the Edge role and configured by TMG are:
■ Content Filtering Filters emails based on the settings that you define for the content inspection.
■ IP Allow List Lets you specify one or more IP addresses that are considered to be trusted and should always be allowed to send email.
■ IP Allow List Providers Lets you maintain a list of IP addresses that are known not to be associated with any type of spam activity.
■ IP Block List Lets you specify one or more IP addresses that should never be allowed to establish an SMTP connection with TMG.
■ IP Block List Providers Lets you specify providers that are known to send (or are suspected of sending) spam.
■ Recipient Filtering Lets you specify a list of email addresses or a distribution list that would like to receive emails from outside your organization.
■ Sender Filtering Lets you block a source address from sending messages to your organization.
■ Sender ID Verifies the source of a message to determine whether the organization is what it claims to be.
■ Sender Reputation Relies on persistent data about the sender to determine what action, if any, to take when an inbound message arrives.
NOTE You can find more information about the Spam Filtering option in Microsoft Forefront Threat Management Gateway (TMG) Administrator’s Companion (Microsoft Press, 2010), Chapter 19, “Enhancing E-Mail Protection.”
Virus and Content Filtering
The Virus and Content Filtering options in TMG, shown in Figure 3-19, are the same as the options that were described in Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server.”
FIGURE 3-19
NOTE Refer to Chapter 2, “Installing and Configuring Forefront Protection for Exchange Server,” for more information about the File Filtering, Virus Filtering, and Message Body Filtering options.
Administrator’s Punch List
In this chapter, you learned about the way the Email Protection feature works, and the way Forefront TMG integrates with the Exchange Edge role and with Forefront Protection for Exchange Server to improve your administrative experience. When deploying Email Protection on Forefront TMG, keep the following points in mind:
■ Although there is a single point of configuration for Email Protection, it is important that you understand the boundaries of each product in order to better configure the protection and troubleshoot any problems.
■ Planning before deployment is always the best practice to follow. Be sure to use the Forefront TMG Capacity Planning tool to correctly size your Email Protection solution.
■ Keep in mind that you will need a license for Exchange Edge and a license for Forefront Protection for Exchange, in addition to the license for Forefront TMG, to enable the Email Protection feature on the Edge.
■ If you are deploying Forefront TMG or SP1, do not use Exchange PowerShell cmdlets to make changes, so that you are sure to avoid problems on the Forefront TMG Managed Control Service.
■ The installation process for the Exchange Edge Transport role and Forefront Protection for Exchange Server is the same as the process specified in the product documentation.
■ To allow a better experience while administering Exchange Hub Transport and Exchange Edge, be sure to enable the EdgeSync subscription.