Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 1: Installation

Published on 6 Jan. 2010 / Last Updated on 20 May 2013

How to install and configure the email hygiene solution on the TMG 2010 firewall.

Introduction

You might or might not know it, but the TMG firewall was designed to be a comprehensive edge email hygiene solution for your network. You can install the Exchange Edge server on the TMG firewall to get the email control features included with the Exchange Edge solution, and you can also install Microsoft Forefront Protection for Exchange on the TMG firewall. The combination of Exchange Edge and Forefront Protection for Exchange is a mighty one-two punch against spam, malware, and information leakage for your organization.

Way back in the early beta days of the TMG firewall, when it was little more than a glint in ISA Server’s eye, the Exchange and Forefront Protection features were built right into the installer. Things change over time – especially with beta software - and we find now that it is not quite as easy to get the email hygiene solution installed as it was when the product was in early beta. Not that it is really difficult, it’s just not as easy.

Some folks believe in being prepared, but others prefer to start installing software without thoroughly reading the documentation first. Sure, you could read the docs first and get things to work right away, but I guess it takes some of the adventure out of the installation experience. Many IT pros also believe that when you purchase a product, there should be a complete and intuitive installer included. After all, a professional and user friendly installer is one of the benefits that set Microsoft solutions apart from those that you get from some other vendors.

So, in defense of those who favor the RTFMLIAA (“read the freaking manual later, if at all”) approach, let us get started and see if we can pick up where we left off in the last article. In that article, we completed the installation of TMG Enterprise Edition on a Windows Server 2008 R2 server that had two NICs. Now our next objective is to get the email protection features working.

My first thought was to run the TMG installer program again and see if that would work. As you can see in Figure 1 below, at the bottom under “Additional Options,” there is an option to Install Microsoft Forefront Protection 2010 for Exchange Server. That sounds like a good place to start, so let’s click that option (oh, and you can obviously ignore, for the purposes of our excellent adventure, those admonitions to read the deployment guide and release notes first).


Figure 1

The License Agreement page pops up next. You know what you have to do here if you do not want the process to grind to a permanent halt, so put a checkmark in the I agree to the terms of the license agreement and privacy statement checkbox and click Next.


Figure 2

Uh oh... Looks as if it may grind to a halt (at least temporarily anyway). On the System updates required page, we get the following message, as shown in Figure 3:

“No protectable server applications were detected. Client-only installation is not currently supported”

What does that mean? “No protectable server applications”? Hmmm. Maybe that means Exchange Server? I know that’s a “server application” and it’s related to what I want to do. I thought about going to that link provided in the information text, but since I have not really set up the firewall yet to allow Internet access, I would have to go to another machine to check that URL. I am going to go with my guess that Exchange Edge needs to be installed.


Figure 3

After I click Next, a dialog box tells me to Update your system so that it meets the installation prerequisites (Figure 4). OK, guys and/or girls who write these dialog boxes: how about just telling us that we need to install Exchange Edge Services, instead of dropping these cryptic hints?


Figure 4

I rummaged around for my Exchange 2010 installer DVD and finally found it in a huge pile of DVDs that I am going to get around to filing in alphabetical order – some day. Having never installed Exchange 2010 before, I wondered how much of a challenge this was going to be. The installer dialog box appeared and showed a number of options. It appears that the first option we need to address is the Step 3: Choose Exchange language option, shown in Figure 5. Clicking it expanded the option and asked if I wanted to install the languages on the disk, or install additional languages. Since I did not feel like hunting down more languages, I told it to install the languages that were already on the DVD.


Figure 5

Having made that selection, nothing happened. I am not sure whether I was supposed to see something happen or not, but it was uneventful. It looks like the next step is to click Step 4: Install Microsoft Exchange, as shown in Figure 6, so I did that.


Figure 6

Okay! Something happened this time: the Exchange Server 2010 Setup Introduction page appeared, as shown in Figure 7. After reading the short bit of PR, and noting the steps ahead of me listed in the left pane (and heartened by the fact that none of them looked too complex), I clicked Next.


Figure 7

On the License Agreement page, shown in Figure 8, I selected the I accept the terms in the license agreement option and clicked Next.


Figure 8

On the Error Reporting page, shown in Figure 9, we’re asked if we want to make the product better by reporting application errors to Microsoft. That sounds like a good idea, since a better product will make my life easier. Let’s go ahead and select the Yes (Recommended) option and click Next.


Figure 9

On the Installation Type page, shown in Figure 10, we are presented with two options:

  • Typical Exchange Server Installation – this option installs multiple Exchange Server roles on the same machine. These roles include Hub Transport, Client access, Mailbox and the Exchange Management Tools. This is the most popular option, but it is not the best one for our purposes this time.
  • Custom Exchange Server Installation – this option allows you to select which Exchange Server roles you want installed on the machine. Since we only want the Exchange Edge server role installed on the TMG firewall, we’ll select this option.

Select the Custom Exchange Server Installation option and click Next.


Figure 10

On the Server Role Selection page, shown in Figure 11, put a checkmark in the Edge Transport Role checkbox. So far, this has been remarkably easy. Let’s hope it continues this way. Click Next.


Figure 11

On the Customer Experience Improvement Program page, shown in Figure 12, we are asked if we want to participate in the Customer Experience Improvement Program. Who would not want an improved customer experience? That is a no-brainer. I go ahead and select the Join the Exchange Customer Experience Improvement Program (CEIP) option. Note that if for some reason in the future you do not want to belong to this program any more, you can always leave the CEIP program.


Figure 12

On the Readiness Checks page, shown in Figure 13, there’s not much for you to do, except watch as the installer checks the machine to make sure it is ready for installation of the Exchange Edge role. No decisions to make here.


Figure 13

After your system passes the checks, the Install button will cease to be grayed out, as shown in Figure 14, and you can click it to start the installation.


Figure 14

Next comes the “Progress” report, shown in Figure 15, which shows the list of steps that will be performed as Exchange is installed. Looks like there’s a lot to do for the installation, but although this appears to be a long list, it only took a few minutes for my installation to complete.


Figure 15

You might be wondering exactly how long it took to install. Just 4 minutes and 34 seconds. Of course, your mileage may vary, depending on your system hardware and the components you chose to install. In this case, installation was successful and now there is a checkmark in the Finalize this installation using the Exchange Management Console checkbox, shown in Figure 16. I was not sure what to do about this; from what I understood, the entire configuration and management of the Exchange Edge server role is supposed to be done from the TMG firewall console. However, having already committed to being the adventuresome sort for the duration of this installation, I decided to leave the checkmark in the checkbox and see what the console looks like.


Figure 16

There it is, in Figure 17: the Exchange 2010 Management Console. It looks interesting (and probably is even more interesting to Exchange administrators). However, I am a TMG firewall admin and I do not want to muck around too much here if I do not have to. Therefore, I am going to close the Exchange Management Console and go back to the TMG installer.


Figure 17

After closing the console, I noticed that the Exchange installer was still running so I took a look at the options again and noticed that Step 5: Get critical updates for Microsoft Exchange was still available (as you can see in Figure 18). It seems like a very good idea to get critical updates, so let us click that option.


Figure 18

Oops. The ugly red error message shown in Figure 19 popped up, telling me that Windows could not search for new updates. There could be a number of reasons for this failure. The most likely reason in this case is that the firewall has not been set up for outbound access yet, and that includes support for outbound access from the firewall itself. No big deal; we will take care of that later. Right now we just want to get the email hygiene components installed, so we will continue without installing those updates (but do not forget to do it later).


Figure 19

Now we are back to the TMG installer. Click the Install Microsoft Forefront Protection 2010 for Exchange Server link that’s shown in Figure 20.


Figure 20

On the License Agreement page, shown in Figure 21, put a checkmark in the I agree to the terms of the license agreement and privacy statement checkbox and click Next. At this point, you might be feeling an odd sense of déjà vu. Have we not been here before?


Figure 21

Next comes the Service Restart page, shown in Figure 22. Notice that the installer will need to stop and restart the Microsoft Exchange Transport service. No problem with that, since we are not using it yet. Click Next.


Figure 22

On the Installation Folders page, shown in Figure 23, you can select the location for both the Program folder and Data folder. The Data folder holds things like quarantined files and archived files. Best practice likely states that you put the data files on a separate partition or physical disk, but I am not aware of any hard and fast guidance on this issue at this time. For now, I am going to go with the defaults and click Next.


Figure 23

The antispam engine for Forefront Protection for Exchange downloads definition updates independently from the other engines and definition updates that are used by the TMG firewall. These updates take place over an HTTPS transport, so if you have a proxy server in front of the TMG firewall, you might want to enter the proxy information in the dialog box shown in Figure 24. In this example, we don’t have a proxy server in front of the firewall, so we will click Next.


Figure 24

On the Antispam Configuration page shown in Figure 25, you can choose to turn on the antispam feature now or wait and turn it on later. This is a little misleading, since if we tell the installer to turn it on now, it’s not automatically enabled in the TMG firewall console, as we will see later in this article. However, I suspect that if we do not turn it on now via this dialog box, we will have to turn it on later from another location – which means that we will have to find that option! Let’s be safe rather than sorry and turn it on now. Click Next.

Note:
Just FYI, the FPE antispam feature works in concert with the Exchange Edge antispam features – and specifically takes advantage of Cloudmark antispam technology.


Figure 25

Just in case we did not make the right decision the first time, we now get another chance to participate in a Customer Experience Improvement Program. Put a checkmark in the Join the Customer Experience Improvement Program checkbox shown in Figure 26 and click Next.


Figure 26

Confirm your selections on the Confirm Settings page. You might want to scroll through this information because some of it is interesting – and some of it is a little confusing. For example, if you check Figure 27 below, you’ll see some detailed instructions on getting engine updates working immediately. This is a bit confusing because it’s not clear whether these instructions are for FPE-only customers, or for TMG+FPE customers. At this point, I think we’re safe to wait for the installation to complete and then go into the TMG firewall console and see if there are any hints there as to what we should do next.

Click Next.


Figure 27

The dialog box shown in Figure 28 appears while FPE installs on the TMG firewall.


Figure 28

On the Installation results page shown in Figure 29, we can see that the installation was successful. There is an option here to Launch the Forefront Online Protection for Exchange Gateway installation program. This is an interesting option because it relates to the FOPE product. In case you haven’t heard of FOPE, it’s a cloud based anti-malware, anti-spam and email policy compliance solution. Tom’s worked with it quite a bit and has told me great things about it. What is not clear here is why we would want to use FOPE together with the TMG based email hygiene solution, since it seems they would essentially duplicate each other’s efforts. While FOPE is very good, we have already invested in the TMG firewall and so we’re not really interested in paying more for duplication of services – but I’ll be looking into this more closely and will report back to you when I find out what scenarios would benefit from such a combination.

Meanwhile, click Finish.


Figure 29

Now let’s see the results of our efforts. Open the TMG Firewall console and click on the E-Mail Policy node in the left pane of the console, as shown in Figure 30. In the middle pane, click on the E-Mail Policy tab. Here you can see a note suggesting to enable protection from e-mail based threats; click Configure E-mail Policy. What this tells me is that despite clicking “Finish,” we are really not quite finished yet. Installation is complete, but we still have some configuration tasks ahead of us. Let’s forge ahead.


Figure 30

Click the Spam Filtering tab in the middle pane to invoke the dialog box shown in Figure 31. Here we see a number of spam filtering options, many of which look like they are directly related to what Exchange Edge brings to the table. Very nice! However, it also appears that the spam filtering settings are Disabled at this time. Do not worry; we will enable them – in the next article.


Figure 31

Meanwhile, on the Virus and Content Filtering tab in the middle pane of the console, shown in Figure 32, you’ll see a number of options that are related to the FPE component of the email hygiene solution. Note that at this time both Content Filtering and Virus Filtering are Disabled. We’ll have to fix that next time, too.


Figure 32

Summary

In this article, Part 1 of our two part series on installing and configuring the TMG firewall’s email hygiene solution, we installed Exchange Edge Server on the TMG firewall. After installing the Edge Server role on the firewall, we used the TMG installer to get FPE installed. The installation was successful and did not take very long to complete. However, we still have some configuration tasks in front of us before we can actually use the solution. In part 2, we will configure the settings in the TMG management console and then test inbound and outbound mail access to make sure it really works. See you then! –Deb.
