Forefront TMG 2010: Allowing Exchange and Outlook Web Access

This is the seventh installment in the Installing Exchange 2010 series, and the Forefront TMG server is now ready to relay connections to the Exchange server. Remember that this same machine is the Edge Transport server; that matters for the steps below, so let's take a look.

The Forefront TMG server must be able to communicate securely with Outlook Web App and the remote mail protocols, so there is some work to do creating certificates and keys. Use the following procedure:

  1. Open Forefront TMG
  2. In the Forefront TMG window, right-click Firewall Policy and select New>Mail Server Publishing Rule
  3. In the New Mail Server Publishing Rule Wizard window, name the rule SMTP Clients and click Next
  4. Click Next
  5. Check all the checkboxes and click Next

  6. On the Select Server page, enter the IP of the hub’s NIC and click Next
  7. On the Network Listener IP Addresses page, check the boxes for External, Internal, and Local Host and click Next
  8. Click Finish
  9. Right-click Firewall Policy on the left and select New>Mail Server Publishing Rule from the context menu
  10. In the New Mail Server Publishing Rule Wizard window, name the rule SMTP Server and click Next
  11. Select the Server-to-server communication: SMTP, NNTP radio button and click Next
  12. On the Select Services page, check the SMTP and Secure SMTP checkboxes and click Next

  13. Click Yes in the window that pops up
  14. Enter the IP address of the Hub and click Next
  15. Check the boxes for External, Internal, and Local Host and click Next
  16. Click Finish
  17. Right-click the SMTP Server rule and click Properties in the context menu
  18. Select the Traffic tab and click Properties

  19. Select the Parameters tab and uncheck the SMTP Filter application filter, then click OK

  20. Click OK
  21. Repeat the same process for the SMTPS Server entry
  22. Select the Allow Ping, Allow DNS, and Allow LDAP rules and on the far right, click Move Selected Rules Up until the rules are at the top
  23. Selecting those three rules one at a time, use Move Selected Rules Up/Down to order the rules as shown below:
  24. In the left-hand pane, select E-Mail policy and click Configure E-Mail Policy in the middle pane
  25. In the E-Mail Policy Wizard window click Next
  26. On the Internal Mail Server Configuration page click Add…

  27. In the Computer window, enter a name for the Hub and enter the Hub’s IP address and click OK

  28. Click the second Add button and enter the internal domain name then click OK

  29. Repeat the same process for the external domain
  30. On the Internal E-Mail Listener Configuration page, check the checkboxes for External, Internal, and Local Host and click Next

  31. In the External E-Mail Listener Configuration page, check the External, Internal, and Local Host checkboxes, enter the Edge’s FQDN using the external domain, then click Next

  32. On the E-Mail Policy Configuration page, uncheck Enable spam filtering and Enable virus and content filtering, then check Enable connectivity for EdgeSync traffic and click Next

  33. Click Finish and click Yes
  34. In the Forefront TMG window, click Apply, then click Apply and OK

  35. In the right-hand pane, click Generate Edge Subscription Files

  36. Click Apply, Apply, and then OK
  37. Navigate to C:\ in Windows Explorer and select the new Edge Subscription xml file, then press Ctrl+C to copy the file
  38. Navigate to \\<hub’s ip>\c$
  39. Right-click in the empty space in the right-hand pane and click Paste from the context menu
  40. On the hub open the Exchange Management Console
  41. In the Exchange Management Console navigate to Microsoft Exchange>Microsoft Exchange On-Premises>Organization Configuration>Hub Transport and select the Edge Subscriptions tab
  42. If there are any existing entries, right-click and delete them
  43. In the pane on the far right, click New Edge Subscription

  44. In the New Edge Subscription window, click Browse…, and in the Select Active Directory Site select the first and only entry then click OK

  45. Click the second Browse… button and navigate to C:\, where the Edge subscription file was pasted. Select it, then click Open

  46. Click New then Finish
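The hub-side part of the procedure (steps 40 through 46) can also be done from the Exchange Management Shell, which is handy when you need to redo the subscription later or want to confirm that EdgeSync actually started working. The script below is an added example and is not part of the original post; it assumes the subscription file was copied to C:\ on the hub as in step 39, uses the placeholder file name EdgeSubscription.xml (substitute the name TMG generated), and picks the first Active Directory site because the post has only one. The cmdlets (Get-EdgeSubscription, Remove-EdgeSubscription, New-EdgeSubscription, Start-EdgeSynchronization, Test-EdgeSynchronization, Get-ADSite) are standard Exchange 2010 cmdlets; the Format-List property names are the ones those cmdlets normally return.

```powershell
# Added example (not from the original post): PowerShell equivalent of steps 40-46.
# Run in the Exchange Management Shell on the Hub Transport server.
# Assumptions: the Edge Subscription file was pasted to C:\ (step 39); the file
# name below is a placeholder, use the one Forefront TMG generated in step 35.

$SubscriptionFile = 'C:\EdgeSubscription.xml'   # placeholder file name

if (-not (Test-Path -Path $SubscriptionFile)) {
    throw "Edge Subscription file not found at $SubscriptionFile"
}

# Step 42: remove any existing Edge Subscriptions before creating a new one
Get-EdgeSubscription | ForEach-Object {
    Write-Host "Removing existing Edge Subscription for $($_.Name)"
    Remove-EdgeSubscription -Identity $_.Identity -Confirm:$false
}

# Step 44: the post has exactly one AD site, so take the first one returned
$Site = (Get-ADSite | Select-Object -First 1).Name
Write-Host "Subscribing the Edge server to site $Site"

# Steps 45-46: New-EdgeSubscription expects the file contents as raw bytes.
# The two connector switches match the wizard defaults (both created).
$FileData = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $FileData -Site $Site `
    -CreateInternalSendConnector $true `
    -CreateInboundSendConnector $true

# Kick off the first synchronization instead of waiting for the schedule
Start-EdgeSynchronization

# Verification the GUI steps never show you: every Edge server should report
# SyncStatus 'Normal'. Anything else means EdgeSync has not replicated the
# recipient and configuration data yet, and step 32's EdgeSync connectivity
# through TMG is the first thing to check.
$Status = Test-EdgeSynchronization
$Status | Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetail
$Broken = $Status | Where-Object { $_.SyncStatus -ne 'Normal' }
if ($Broken) {
    Write-Warning "EdgeSync is not healthy for: $($Broken.Name -join ', ')"
}

# The subscription file carries the credentials EdgeSync uses; once it has been
# imported it is no longer needed, so do not leave it lying on the C: share.
Remove-Item -Path $SubscriptionFile -Force
```

Two things worth knowing when you script this: the subscription file is only valid for 1440 minutes (24 hours) after it is generated on the Edge/TMG server, so a file that sat around overnight has to be regenerated in step 35; and because steps 19, 21 and 32 turned off TMG's SMTP application filter and its spam and virus filtering for this traffic, a healthy Test-EdgeSynchronization result is the check that confirms the Edge subscription, rather than TMG, is now the thing standing between the Internet and the hub.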
