howto://use TMG 2010 as the Exchange edge transport server

by Ed Fisher on 2010-05-07

in Infrastructure

 

In our earlier posts (part one, part two) we performed a simple Exchange server setup for a ‘single-server’ install. We have our addressing policy setup, and can send email out to the world. Now, it’s time to get email IN to our system. Since we use TMG at our perimeter, we’re going to leverage the combined power of TMG and the Exchange 2010 Edge Transport role. Here’s a quick pic of what we’re going to have when we’re done.

 Our exchange setup overview

We have our existing TMG 2010 server running Windows 2008 R2, and our Exchange 2010 server running Windows 2008 R2. We’ve already installed Exchange 2010 on Demeter, with the Client Access Server and Mailbox Server roles. We have a mailbox database, mailboxes, and can send outgoing mail just fine. Now, we want incoming mail, and that will have to go through our TMG server.

 

We do have some pre-work to do, and if you opted for 2008 instead of R2, there will be a little more work to do, but overall, this is a pretty straightforward process, and much quicker than our ‘single-server’ install. Ready to begin?

DNS records

If we want external domains to send us mail, and to minimise the problems we’ll have sending mail out to external domains, we need to get our DNS work out of the way first. Depending upon the TTLs set, we may finish the rest of this before DNS is done, so we want to do this first. We need to log onto our DNS server (or hosted portal) and set up our records for our domain. This means we need to:

  1. Create an A record for our host, Demeter, using our external ip.addr.
  2. Create an MX record with a priority of 10, and point it at Demeter.
  3. Update our SPF record to include Demeter as a valid sender by ip.addr. See this post for more on that.
  4. Update our PTR record, if we have access to it.
  5. After you’ve allowed time for DNS changes to propagate, use a looking glass or dig to make sure your A, MX, SPF, and PTR (optional) records are all set.
    Yes, I left the googlemail servers in place, since I originally set up retrohack.com on Google Apps. If I lose Internet connectivity at the house, I want to still receive mail, so those servers will accept mail that I can fetch later.
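As an added example (not from the original post), here is a Python checker that runs the A/MX/SPF/PTR consistency checks above against a record set. The zone data is constructed: the names follow the post (Demeter, retrohack.com), the 203.0.113.25 address is a documentation-range placeholder, and the second MX stands in for the Google Apps host kept as a fallback; the live answers would come from dig or a looking glass.

```python
import ipaddress

# Constructed sample records standing in for what dig or a looking glass
# returns.  Names follow the post (Demeter, retrohack.com); the address is a
# documentation-range placeholder, not the real one.  The second MX is the
# lower-priority Google Apps host the post keeps as a fallback.
EXTERNAL_IP = "203.0.113.25"
RECORDS = {
    "A":   {"demeter.retrohack.com.": EXTERNAL_IP},
    "MX":  {"retrohack.com.": [(10, "demeter.retrohack.com."),
                               (20, "aspmx.l.google.com.")]},
    "TXT": {"retrohack.com.": ["v=spf1 ip4:203.0.113.25 include:_spf.google.com ~all"]},
    "PTR": {"25.113.0.203.in-addr.arpa.": "demeter.retrohack.com."},
}


def reverse_name(ip):
    """The in-addr.arpa owner name whose PTR record should name our host."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def spf_authorises(spf, ip, records, domain):
    """True if the SPF record lets `ip` send for `domain`.

    Evaluates the ip4:, a and mx mechanisms.  include: needs a live lookup
    and is deliberately ignored here, so only a direct listing counts."""
    addr = ipaddress.ip_address(ip)
    for term in spf.split()[1:]:
        mech = term.lstrip("+")
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return True
        if mech == "a" and records["A"].get(domain + ".") == ip:
            return True
        if mech == "mx":
            for _, host in records["MX"].get(domain + ".", []):
                if records["A"].get(host) == ip:
                    return True
    return False


def check_inbound_mail_dns(domain, host, ip, records):
    """Run the four checks from the post and return {check: passed}."""
    fqdn = f"{host}.{domain}."
    a_ok = records["A"].get(fqdn) == ip
    # Lowest preference value is the primary MX; it must be our host.
    mx = records["MX"].get(domain + ".", [])
    primary = min(mx, default=None)
    mx_ok = primary is not None and primary[1] == fqdn
    # Exactly one SPF record, and it must authorise our external address.
    spf = [t for t in records["TXT"].get(domain + ".", []) if t.startswith("v=spf1")]
    spf_ok = len(spf) == 1 and spf_authorises(spf[0], ip, records, domain)
    # Forward-confirmed reverse DNS: the PTR of the IP names the host in the A record.
    ptr_ok = records["PTR"].get(reverse_name(ip)) == fqdn
    return {"A": a_ok, "MX": mx_ok, "SPF": spf_ok, "PTR": ptr_ok}


if __name__ == "__main__":
    results = check_inbound_mail_dns("retrohack.com", "demeter", EXTERNAL_IP, RECORDS)
    for check, passed in results.items():
        print(f"{check:4} {'ok' if passed else 'MISSING'}")
```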

 

PowerShell

We’re running our TMG 2010 server on Windows 2008 R2, which means we already have PowerShell 2.0. That’s good, because Exchange 2010 requires it. If you are using the original version of 2008 and added PowerShell through Server Manager, you’ll need to remove it. Here’s how.

  1. Click Start, Run, and type CompMgmtLauncher. Click OK.
  2. In the Server Manager tree, expand Features, and in the Features Summary, click Remove Features.
  3. In the Remove Features Wizard, scroll to Windows PowerShell, and then clear the check box. Click Next, and then click Remove.
  4. When the process has completed, restart the computer.

When you start the install of Exchange 2010, the prerequisites page will direct you to install PowerShell 2.0.

AD LDS, or the service formerly known as ADAM

Since we’re dealing with a role that is intended to live in the DMZ, and not have any connectivity to Active Directory, we’re going to need to run Active Directory Lightweight Directory Services on our TMG server, so that the Exchange 2010 Edge Transport Role has a place to store its configuration. I know, that seems awfully silly to me too, seeing as how a flat config file, registry hive, or even an XML file would do just fine. But they paid a lot of money to develop ADAM/AD LDS, so by gods somebody is going to use it! If you have already installed TMG 2010, you already have AD LDS running, and are good to go. If you’re not at the TMG install yet, here’s a quick way to get AD LDS on board.

  1. From an elevated command prompt, type cmd.exe /c start /w pkgmgr.exe /iu:"DirectoryServices-ADAM".

Installing TMG 2010

As we’re dealing with adding Exchange 2010 to a setup that already has TMG 2010 in place, we won’t cover that install in this post. If you need to, you can see this two part post on installing TMG 2010 by clicking part one, and part two. Come back here when you’re done, and we’ll continue. It’s okay, we’ll wait. You go right ahead.

Installing the Exchange Server Edge Transport role

Before installing the Exchange Server Edge Transport role, you must verify that the computer is configured with a DNS suffix. To add a DNS suffix to a Forefront TMG computer:

  1. On the Desktop, right-click Computer, and select Properties.
  2. Click Advanced system settings, and then click the Computer Name tab.
  3. Click Change, and then click More.
  4. In the Primary DNS suffix of this computer box, if an FQDN is not configured, type one, and click OK.

To install the Exchange Server Edge Transport role,

  1. Run the Exchange Server Setup.exe file, and follow the steps in the Exchange Server Setup Wizard, including the installation of all the prerequisites.
  2. On the Installation Type page, click Custom Exchange Server Installation.
  3. On the Server Role Selection page, select Edge Transport Role, and click Next.
    When you select Edge Transport Role, Management Tools is automatically selected.
  4. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully.
  5. Then, click Install to install Exchange.
  6. Go get coffee…mmm, coffee…
  7. On the Completion page, click Finish.
    Fifteen long minutes later...
  8. When the EMC launches, select the Edge Transport Role, and select "Enter Product Key…" from the Actions pane.
  9. On the Edge Transport server, open an administrative Exchange Management Shell, and run the following command:
    New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
  10. Copy the resulting XML file to a Hub Transport server in the Active Directory site to which you want to subscribe the Edge Transport server.
  11. On the Hub Transport server, open an administrative Exchange Management Shell, and run the following command:
    New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name" -CreateInternetSendConnector $true -CreateInboundSendConnector $true

    Note to readers: if your site is NOT named Default-First-Site-Name, change that as necessary in the above command!

    Note to Microsoft: if you were trying to make this as difficult as Unix command-line administration, you succeeded. Seriously, you really expect someone to remember this sequence? Your own page on TechNet where I got this from has typos!!!
  12. On the Hub Transport server, run the following command:

    Start-EdgeSynchronization

  13. Launch the TMG Management Console.
  14. Come down to E-Mail Policy and click Configure E-Mail Policy to launch the wizard.
  15. Click Next on the welcome screen, then add the internal mail server and accepted authoritative domain(s) as necessary, and then click Next.
  16. Configure your internal listener. Unless you are multi-homed on the internal network, you can probably just click Internal and then click Next.
  17. Configure your external listener ip.addr, and the FQDN your TMG server will use in response to HELO/EHLO messages.
  18. Enable as desired. You definitely want to enable connectivity for EdgeSync since that is how we’re rolling.
  19. And of course, it’s going to make sure you understand that you’re opening stuff up. Click Yes, unless of course, you don’t really want email to work.
  20. Hit Apply, enter your configuration change description, and go for the win!
  21. Then, go to http://www.mailradar.com/openrelay/ and test your server to make darn sure that you are not relaying at all! Do not skip this step, as it’s the best way to make sure you didn’t make a misconfiguration that leaves your server as an open relay. Failure to do this can result in your ISP blocking you, Santa placing you on his naughty list for life, and shrinkage. Don’t be that guy.
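The relay test in step 21, written out as an added example (not part of the original post or of TMG): a Python probe that asks the listener to accept an outside sender for an outside recipient and reports whether the RCPT TO is refused, stopping at RCPT so nothing is ever delivered. Host names and addresses are constructed placeholders, and the fake listener exists only so the probe can be exercised offline; check_listener is the piece you point at your own external listener.

```python
import socket
import threading

# The relay check from step 21, as a script: ask the listener to accept an
# outside sender to an outside recipient and look at the RCPT TO reply.  The
# probe stops at RCPT (RSET, QUIT), so nothing is delivered either way.  All
# host names and addresses below are constructed placeholders.


class SmtpConn:
    """Minimal line-oriented SMTP client over a connected socket."""

    def __init__(self, sock):
        self.sock = sock
        self.rfile = sock.makefile("rb")

    def reply(self):
        """Read one reply, including 250- continuation lines; return (code, lines)."""
        lines = []
        while True:
            raw = self.rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            if not raw:
                raise ConnectionError("listener closed the connection")
            lines.append(raw)
            if len(raw) < 4 or raw[3] != "-":      # "250-" continues, "250 " ends
                return int(raw[:3]), lines

    def command(self, text):
        self.sock.sendall((text + "\r\n").encode("ascii"))
        return self.reply()


def probe_relay(conn, helo_name, outside_sender, outside_rcpt):
    """Return 'open relay', 'rejected' or 'unavailable' for the listener behind conn."""
    code, _ = conn.reply()                      # banner
    if code != 220:
        return "unavailable"
    code, _ = conn.command(f"EHLO {helo_name}")
    if code != 250:
        return "unavailable"
    code, _ = conn.command(f"MAIL FROM:<{outside_sender}>")
    if code != 250:                             # sender refused outright: not relaying
        conn.command("QUIT")
        return "rejected"
    code, _ = conn.command(f"RCPT TO:<{outside_rcpt}>")
    conn.command("RSET")                        # abandon the transaction, send no DATA
    conn.command("QUIT")
    return "open relay" if code == 250 else "rejected"


def check_listener(host, port=25, timeout=10):
    """Probe your own external listener; a healthy Edge/TMG answers 'rejected'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_relay(SmtpConn(sock), "probe.example.net",
                           "sender@example.net", "someone@example.org")


def fake_edge_listener(accepts_outside_rcpt):
    """Constructed stand-in for the TMG listener so the probe runs offline.

    Returns the client end of a socket pair; a thread serves the other end and
    answers RCPT TO with 250 (misconfigured) or 550 (correctly configured)."""
    client, server = socket.socketpair()

    def serve():
        rfile = server.makefile("rb")
        server.sendall(b"220 edge.example.net ESMTP\r\n")
        while True:
            line = rfile.readline()
            if not line:
                break
            verb = line.strip().split(b":")[0].split(b" ")[0].upper()
            if verb == b"EHLO":
                server.sendall(b"250-edge.example.net\r\n250 SIZE 10485760\r\n")
            elif verb == b"RCPT":
                server.sendall(b"250 2.1.5 Recipient OK\r\n" if accepts_outside_rcpt
                               else b"550 5.7.1 Unable to relay\r\n")
            elif verb == b"QUIT":
                server.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                server.sendall(b"250 2.0.0 OK\r\n")
        rfile.close()
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return client


def simulate(accepts_outside_rcpt):
    """Run the probe against the fake listener and return its verdict."""
    with fake_edge_listener(accepts_outside_rcpt) as sock:
        return probe_relay(SmtpConn(sock), "probe.example.net",
                           "sender@example.net", "someone@example.org")


if __name__ == "__main__":
    print("correctly configured listener:", simulate(False))
    print("misconfigured listener:       ", simulate(True))
```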


If all was done per the specs above, you should be ready to rock and roll! If not, start troubleshooting from the outside in. Use your Gmail account to send email, and run Wireshark on your TMG server to make sure traffic is getting past your ISP. If it’s not, start by making sure your DNS records are correct and have propagated, then make sure you can get traffic past your ISP (not all will allow SMTP in by default, if at all). If email is getting to your TMG/Edge server but not past it, use the Queue Viewer tool (Exchange Management Console, Tools, Queue Viewer) and check for error codes. Exchange authentication needs to use internal FQDNs or NetBIOS names. See this post for the most common error there.

Now that you’ve got email working, take a break and loosen up gray matter with this little nugget from the tubes…YouTube that is. StrongBad rules, and with TMG, we fear no virus!

direct link for RSS and email subscribers…http://www.youtube.com/watch?v=6oiGj2ZiDxQ


arg 2010-05-08 at 00:13

Ed,

Found your site via Splunk blog. This series of Exchange posts are amazing. Prescriptive and descriptive! As a former admin and current consumer of EXCH, it is my wish that M$ would provide documentation as clear or clearer than your posts.

Yours,

Dr. Steve Brule


Ed Fisher 2010-06-13 at 17:30

What a very nice thing to say. Thank you so much! I’m glad you enjoyed them. There’s three more scheduled (two t/s and one on publishing OWA) and I expect to do at least one more on publishing CAS services through TMG. Hope they are as well-received, and that folks find them useful. -ed


victor 2010-06-15 at 17:05

Perfect Thanks


Ed Fisher 2010-06-15 at 17:09

You’re welcome!
Thanks for dropping by and leaving a comment.


John lemoine 2010-07-28 at 10:58

Nice article..

I have implemented a server with 2010 Edge, Forefront for Exchange 2010 and TMG 2010. Shortly after installation I have been having problems with something marking all the Exchange services as disabled which of course stops mail flow.

any ideas? Did I miss something in the setup?

John


Ed Fisher 2010-07-28 at 12:17

Hi John,
Did you recently apply any patches or updates? Is there any third-party (or MSFT) antivirus/antimalware installed? Finally, is your server virtual, and if so, is the disk set to disregard changes on shutdown? Is your disk almost full? My best bet is that a patch was applied that went bork. After making sure that any virtual disks (if this server is virtual) are set to persistent, and disabling any third party a/v or ips, I would…
1) set all the affected services to automatic
2) start each one
3) monitor the event logs for any errors
4) hit Windows Update (not your internal WSUS) and check for any required patches. Install any that you are missing. If any fail with an error code, chase that down.
5) reboot after patching whether or not required.
6) check services and if they are disabled again, look to the event logs.
Let me know how you make out. I have seen overly aggressive policies (ForeFront Client Security, Cisco Security Agent, GPO setting SMTP and POP services to disabled on all servers) configured to detect service changes and roll them back. Make sure that you are not getting whacked by another admin’s overly aggressive policies.
Ed


Shance 2010-12-03 at 02:47

Hello, I really like your blog. Congratulations.
One question: is the computer where you installed TMG and EDGE a member of the Active Directory domain?


Ed Fisher 2010-12-03 at 06:37

Thanks for the very kind words Shance.
Yes, the TMG server is a domain member. I do not recommend the approach of making the TMG a bastion host, and since it was already built and a domain member by the time I was ready to deploy Exchange, that means the Edge Transport Role server is a domain member. This is not, strictly speaking, an MSFT recommended approach, but it works VERY well for me, and I have a great deal of trust in the security of TMG.
I recently wrote an article for TheEmailAdmin.com blog showing six different ways you can fulfill the Edge Transport role. If you are curious, you can read that at http://www.theemailadmin.com/2010/11/options-for-connecting-exchange/. It’s always good to have options.
Best regards,
Ed


Shance 2010-12-03 at 07:07

I read your steps to configure the “Microsoft Edge Transport” on “Forefront TMG”, now I’m facing the installation of “Protection Forefront for Exchange Server 2010.”

My firewall, however, is not a member of the domain. If you can help, the procedures that you started from the shell can be made by the Wizard, it’s easier.

Thanks for the link, I’m going to read now!

Ciao!


Shance 2010-12-03 at 13:40

I have successfully installed all three products (Forefront TMG, the Exchange Edge Transport Role, and Forefront Protection for Exchange Server 2010) on the same server out of Active Directory. The mail traffic works.

I am having trouble publishing ActiveSync and OWA through Forefront TMG using a public wildcard certificate *.domain.com.

Have you experimented with publishing OWA and ActiveSync?


Ed Fisher 2010-12-03 at 14:19

Congratulazioni Shance!
See this post for OWA. http://retrohack.com/how-to-publish-owa-through-tmg/
Note, the OWA one is also not quite the way MSFT would recommend doing things, but it works for me, works well for me, and makes it easy on my users.
For ActiveSync see this one. http://retrohack.com/enable-activesync-outlook-anywhere-exchange-2010/
Make sure you do OWA first, as the ActiveSync one is based on settings done for OWA.
Buona fortuna,
Ed


Harshal 2011-11-24 at 00:51

Dear Ed,
First of all, I would like to thank you for this article. It helped me a lot.

I have installed TMG 2010 on Edge Transport in a workgroup environment (not a domain member). First I installed Edge & checked my inbound & outbound mail flow. It worked perfectly fine. Then I installed TMG on it & configured the Email policy. But then in the TMG console under the monitoring section, it says the Email configuration policy could not be applied as either Edge Transport or Forefront Protection for Exchange is not installed. So my question is, how did you get TMG & its features for Email content filtering to work without FPE?

Just FYI, I also installed FPE then, but then the TMG managed control service crashed & cannot start. So the next question is, what is the correct order for all three products to work properly? Please correct me if I am wrong & my approach is
1. Windows 2008 R2 Ent x64
2. AD LDS
3. Edge Transport Role
4. FPE
5. TMG 2010

I did install as per the above order but still Email Policy cannot be applied but I can send & receive emails without any issues.

I would really appreciate your answers
Regards,

Harshal


Jeff Vandervoort 2011-11-24 at 01:08

Harshal, hate to tell you this, but TMG has to go on the machine before Exchange Edge. Follow the steps in the sequence in the article and you should be in good shape.


Ed Fisher 2011-11-24 at 06:36

Hi Harshal
Jeff must either stay up later, or get up earlier, because he beat me to it. He’s quite correct.
Server and all SPs and patches
Then TMG
Then Exchange Edge Transport role
Then FPE
Ed


Tarik 2011-05-02 at 13:14

I have successfully installed all three products (Forefront TMG, the Exchange Edge Transport Role, and Forefront Protection for Exchange Server 2010) on the same server as a domain member. The mail traffic works.

But, if I telnet myserver.mydomain.com 25, the MAIL FROM command accepts any sender email address and can send to any mailbox in my domain.

1- How can I stop this?
2- Is it possible to stop telnetting on port 25? If so, how?

Keep writing...


Annei 2011-06-04 at 02:48

Hi,
can you please also describe the case where the Edge Transport server and TMG 2010 are on two different pieces of hardware? OWA will be published on TMG and both servers are in the DMZ. How will the mail flow occur?
Thanks


Ed Fisher 2011-06-04 at 22:01

Hi Annei,
Mail will flow in and out through your Edge Transport server. TMG will only handle publishing your CAS role, which is fine.
Let me know if you have any other questions.
Ed


Rob Simmermon 2011-07-29 at 23:40

This is a great article. Quick question: where you denote “if your site is not called “Default-first-site-name” then replace with my site name”... what does that mean exactly? Sorry, I’m a little new to Exchange 2010, so I’m not sure how to make sure I put in the right site name. Where do I find that?

Thanks.


Ed Fisher 2011-07-29 at 23:54

Hi Rob,
Glad you liked it. The “Default-first-site-name” is the name Active Directory gives to the first AD site, which you can see in the administrative tool “Active Directory Sites and Services.” So if your AD admin renamed that to match the name of the datacenter, city, or something else that is more in line with your reality, you will want to use that same name (spelling counts) when you set things up.
HTH
Ed


Rob Simmermon 2011-07-30 at 01:06

I got everything working. This is awesome I’ve been struggling with this for two weeks. I agree with your Microsoft comment. What a pain.

One question, though, do I need to do the New-EdgeSubscription command for every site in my Sites and Services, or just the first one?
Thanks.


Harshal 2011-09-14 at 07:32

Hi Ed,

Above you are saying the role will be in the DMZ & will have no connectivity to Active Directory, so you will have to install AD LDS. But in the comment below, you are saying that this TMG & Edge server are domain members.

Can you please explain?

Regards,

Harshal


Ed Fisher 2011-09-14 at 09:16

Read it again.

Since we’re dealing with a role that is intended to live in the DMZ, and not have any connectivity to Active Directory, we’re going to need to run Active Directory Lightweight Directory Services on our TMG server, so that the Exchange 2010 Edge Transport Role has a place to store its configuration.

My phrasing is a bit odd even for native English speakers, and I’m sorry I was not more clear. The Edge Transport role is, by design, not supposed to be a member of AD, and to live in the DMZ. However, our TMG server in this case is a member of AD and has a NIC in the internal network. Regardless, the Edge Transport role requires AD LDS to store its config.
Hope this makes more sense to you, but if not, let me know by replying to this comment.
Cheers,
Ed


Sam 2011-09-20 at 06:40

I am configuring a single-NIC TMG 2010. TMG is in the DMZ. When I configure OWA, TMG cannot resolve the CAS server either by IP or name. Therefore traffic hits TMG but OWA doesn’t respond. The test rule also fails on TMG for the OWA settings.

What ports should I allow back and forth? Currently I have opened HTTP/HTTPS to CAS from TMG.

Many thanks
Sam


Ed Fisher 2011-09-20 at 08:41

Hi Sam,
That’s going to be a tricky setup for you, and I need to make some assumptions to answer your question, namely that TMG is not a domain member, and you do have a packet filtering firewall between TMG and all internal resources.
1) TMG must be able to query internal DNS, so make sure UDP 53 is open for it through to the DNS servers you point it to. Do NOT use a HOSTS file or hard code the ip.addr into any rule. That always comes back to bite you in the end.
2) TMG must be able to resolve the name of your CAS server/array, and connect to it on TCP 443.
3) Make sure you are using the built-in rule to publish OWA, and that you set it up to listen for the external DNS name you want users to use. See this post for how to publish OWA through TMG, which is more appropriate to your question than this post.
HTH
Ed


John Lemoine 2011-09-20 at 08:45

Sam

You will need to create a host file entry on the TMG server in order to resolve the internal name of your CAS server or Array.
Additionally a single leg TMG server can only be used for web proxy rules, You cannot use it for other types of access such as Outlook Anywhere.

The most authoritative document on TMG/UAG publishing has now been published by the Exchange product group.
see this link:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8946

John


Ed Fisher 2011-09-20 at 09:12

Approved, because John’s right twice, that’s a great doc, and this single leg server will do OWA and other web proxy work, but not more advanced stuff like Outlook Anywhere or content inspection. I stand by my assertion NOT to use a HOSTS file. Sure, it will work, but six months from now when you change the ip.addr of the CAS server, no one will remember that there is a HOSTS file on the TMG until AFTER stuff breaks in a most craptastic fashion. If you absolutely insist on using a HOSTS file, see this post on BGINFO which can help you remember that fact. Make sure you click the screenshot.
Thanks John!
Ed


John Lemoine 2011-09-20 at 09:45

Ed
The reason I support the host file entry as a solution (and I do agree that it is vulnerable to change) is that few customers I have worked with are going to permit inbound DNS queries from the DMZ into the internal network as a matter of principle. Therefore you are forced to use the host file solution.

John


Ed Fisher 2011-09-20 at 10:49

Good answer, and a proper workaround for a bad situation.
Thanks for the info John,
Ed


Sam 2011-09-21 at 05:33

Thanks. The host file and internal DNS entry already exist. UDP port 53 is allowed on TMG and the firewall. I can telnet to 53 on the internal DNS server from TMG. Port 443 is open to CAS from TMG at both TMG and the firewall; I can telnet it. Whenever I try to resolve the computer name in the OWA wizard, I browse the computer name of CAS and it then asks for domain credentials. It’s still failing: “An object with the following name cannot be found…”. I use domain\admin. Is there any GP that has to be modified? I have created an account in the domain and the same on TMG as an admin, but neither account resolves.


Ed Fisher 2011-09-21 at 09:42

Okay,
1) what kind of firewall are you using? Telnet to 53 on the DNS server implies you can connect, but queries use UDP. Can you use nslookup, specify the internal DNS server, and get a response? If you cannot, then either the firewall isn’t permitting UDP 53 in from the TMG to the internal DNS servers, or it is not permitting anything at all and you are getting a response from some proxy function on the firewall. This isn’t a Checkpoint is it?
2) what do you mean by “browse computer name of CAS then ask for domain credentials?” If only 443 is open to the CAS then the only thing you could browse would be using RPC over HTTPS.
3) Is your TMG server a member of the domain? I get that impression from your comment “created an account in the Domain and same on TMG as an admin” but you don’t mention having any of the ports open that the TMG server will need to be a participating member of the domain.
If you want your TMG server to be a domain member (which I totally support) you ought to add a second NIC and connect that into the internal network. Then you would be deploying your TMG as the back firewall and be able to use the IPS/IDS capabilities and other functions, not just basic web proxy, like this.
Internet–firewall–DMZ NIC of TMG–TMGserver–Internet NIC of TMG
Does that make sense?


Sam 2011-09-21 at 09:54

Thanks, I already redeployed with the two-NIC back firewall scenario, which enables me to use the full functions. Let’s see how it goes. The firewall is similar to Checkpoint but it’s called Cyberoam CR1500. TMG is out of the domain.


Ed Fisher 2011-09-21 at 10:04

Great, keep us posted.


Sam 2011-09-21 at 11:52

Now I can reach OWA page on TMG from outside but cannot login. There is something wrong in between TMG and CAS. OWA internally is working fine.


Ed Fisher 2011-09-21 at 13:10

Are you seeing the OWA banner page, or the TMG banner page?
1. First try to hit and log on to the OWA site FROM the TMG server. If you cannot log on successfully using a browser on the TMG, fix that. If you can, then check your auth settings.
2. Then see how you have your authentication set up. Are you doing form-based on the TMG, or “no authentication but clients can authenticate directly” or something else? If TMG is doing the auth, and is not a domain member, you will need to get auth working properly, probably by defining LDAP for the domain.
HTH
Ed


Sam 2011-09-22 at 12:47

Yes, OWA banner page on TMG. I can log on successfully using Internal URL. When I try using external URL, Log shows:

Denied Connection
SVR–EDGE
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
…………….
Destination: Local Host (external IP TMG:443)
Request: GET http://………./InTouch/common/images/product/164928/thumbnail/164928_THUMBNAIL___20110803.jpg
Filter information: Req ID: 0b147e37; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

I am using an SSL cert which does not match the URL. Will this be an issue causing the above error?

Thanks


Ed Fisher 2011-09-22 at 13:03

Well I am not sure what the problem is here.
Regardless of anything else, using an SSL cert when the CN or SAN don’t match the URL is going to be an issue. You do not want to train users to disregard certificate warning dialogues. That having been said…
My best guess about the above is that the jpg being requested by the client is in a directory that is not reachable, or that the anonymous user doesn’t have permissions to access. It might be that the path is not published, or the public name is not on the list since it is a 12202. Are you using a custom banner page with a company logo? Have you used that successfully with any other web site yet?
If I were you, I would simplify the setup by letting the clients auth directly to OWA first to see if that is working. Then step back to using the default FBA on the TMG, then when that is working, start troubleshooting the custom FBA.
Good luck,
Ed


Sam 2011-09-26 at 09:44

Hi Ed, I have created a certificate which exactly matches the URL that I am using for OWA. As soon as I installed the SSL cert on CAS and TMG everything is working fine. The SSL cert has also been installed on every DC. I am going to try Outlook Anywhere…
Thanks


Ed Fisher 2011-09-26 at 10:49

Excellent, good luck!


Sam 2011-09-27 at 06:45

Mailbox moved from Exchange 2003 to E14. Since then Outlook keeps disconnecting. Adding the RPC value DefConnectOpts=0 on the PC, enabling RPC for Outlook in the domain GP, and creating a MaxObjsMapiSession/timeout value >500 on the Mailbox servers still doesn’t help. So I couldn’t move users’ mailboxes yet. Any help on this please?

Can I use the same SSL cert for OA? If OWA = owa.company.com, what’s the default OA URL? Can I use outlook.company.com or is it autodiscover.company.com?
The SSL cert is not a wildcard. If I use another SSL cert for OA, how can I assign it on the CAS server, as I would overwrite the previous SSL cert? Do I have to install it on separate virtual folders in CAS IIS?
Thanks


Ed Fisher 2011-09-27 at 06:54

Is the Ex2010 server in a different datacenter, or is there a different firewall between it and the user? See http://support.microsoft.com/kb/831051 for a good tool to further troubleshoot RPC issues.
As to the cert…first, you should either use a wildcard, or make sure you created it with all the necessary SANs. See http://www.theemailadmin.com/2010/10/the-exchange-certificate-wizard-pki-made-easy/ for how to go about doing that.
Good luck,
Ed


JRV 2011-10-10 at 17:21

Great article, many thanks! But there is a step missing. Sometime before you get to Step 12, you need to create an Access Rule on TMG that allows “LDAPS (EdgeSync)” protocol from the Hub Transport server to Localhost. Until that’s done, the Start-EdgeSynchronization command will fail.


Ed Fisher 2011-10-10 at 21:11

Good point Jeff. Not needed in my setup as the TMG is domain joined and the access rule to permit all internal was already there, but wrong of me to assume everyone would follow my build exactly. Thanks for the comment!


JRV 2011-10-11 at 00:43

My reply to your e-mail bounced, so I’ll reply here instead:

My TMG is also domain-joined; I’m with Tom Shinder on that, for sure.

I hope you’re not offended by my well-intentioned but completely unsolicited advice: I’m also with Shinder that best practice is NOT to open all between Internal and Localhost, in order to protect the TMG from exploits from the inside. Most of what needs to be opened occurs granularly, within System Policy. And at that, much of System Policy won’t be applicable to most installations and should be disabled.

Now, my situation is aggravated by my “Internal” network being 3rd-party tenants of my app-hosting service. Customers, not employees. But I’ve also never configured a corporate TMG with all open to and/or from the Internal network. The only time, IME, that All Outbound To (never From) Internal is needed is when renewing certs from a Windows CA. If you look at your FW logs, you’ll find there’s very little that is actually required to manage a TMG from Internal. Less, still if you’re willing to manage TMG from the console (and I’m not!).

Even if I were a well-heeled hobbyist, and the only user on the Internal network, with the luxury of TMG between me and the Internet, there’d still be no reason for me to expose TMG to malware that somehow made it to my PC.

Domain-joined or not, those who adhere to best TMG practices and isolate TMG as much as possible from Internal will need the Access Rule.


Ed Fisher 2011-10-11 at 09:14

Offended? Not at all. If I was one of those bloggers I’d make folks register before they could comment :-)
And if I had customers on my internal network, I’d be all about a higher security configuration using domain isolation, GPO mandated Windows firewall policy, secure VLANs, etc. but when I ‘trust’ the internal network (meaning I control it) I do favour accessibility over security. Different strokes…


Aaron 2011-11-21 at 16:34

Great articles regarding TMG and exchange, best I’ve found in my attempts to google for answers.

I’m wondering if you have any ideas that could help me out, I’m in the banging my head against the desk stage of my troubleshooting.

My setup: single mail server in the LAN with the CAS role, edge server in the DMZ with TMG 2010 and dual NICs, domain joined on one NIC and DMZ on the other.

I’ve run through all of your TMG publishing setups and I have green boxes for all connection tests for OWA etc. I also had a successful edge subscription between my mail server and my mail edge server and I have been sending and receiving mail successfully for months, until I installed TMG 2010.

I made a firewall policy rule that allows “LDAPS (EdgeSync)” between my hub transport and local host like JRV mentions before trying to make a new edge subscription. When I run the command “start-edgesubscription” from PowerShell as administrator on my CAS, I get the following error: “could not connect LDAP server is unavailable”. My TMG 2010 log shows that it denied a connection from my mail server to my mail edge server for the LDAPS protocol on port 50636, even though I made a rule that allows LDAPS (EdgeSync) and LDAP between the exact IPs that it shows it has denied. For troubleshooting purposes I have allowed LDAPS from pretty much every source I can think of, explicitly put the IPs in the rule that the log says are the source and destination, as well as internal, external, etc.

The error I get keeps telling me that the source IP address is spoofed. The source IP is the same each time I see the error, but the source port seems to be different every time.

Error:

Denied Connection MAILEDGE 11/21/2011 2:08:22 PM
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None – see Result Code
Source: Internal (5.0.0.212:14050)
Destination: Local Host (10.10.10.12:50636)
Protocol: LDAPS(EdgeSync)
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 5.0.0.212

Any ideas?

Reply

Ed Fisher 2011-11-21 at 16:53

I believe the most important clue is this one:

The error I get keeps telling me that the source IP address is spoofed. The source IP is the same each time I see the error, but the source port seems to be different every time.

Check your network definitions on the TMG to make sure what is EXTERNAL is properly defined. With a two-NIC setup, your internal address space should be internal, and that should NOT include your DMZ addresses. The error message comes from the TMG getting traffic from a source ip.addr that is associated with a different zone. So if your DMZ subnet is included in the ranges of the INTERNAL network, and traffic from a DMZ ip.addr hits the NIC on the TMG associated with the external network, TMG flags it as spoofed. Since your source is a RIPE network, but we know it is your Edge server in your DMZ, I am pretty sure your network definitions are borked.

TMG Console
Networking
Network tab
confirm the ip.addrs in the Internal network…everything else (DMZ and Internet) is external.

Let me know if that fixes it for you.
Ed

Reply
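Ed’s explanation of the spoof verdict, as an added Python model written for this page (it is not TMG’s code and not part of the original post): a TMG network is a set of address ranges, each NIC is bound to one network, and a packet is dropped as spoofed when the network its source address falls into is not the network of the NIC it arrived on. The address ranges and NIC names below are constructed; 5.0.0.0/8 stands in for the DMZ subnet that was wrongly included in Internal.

```python
import ipaddress

# Simplified model of TMG's anti-spoofing check (constructed for this page,
# not TMG's own code). TMG classifies a packet's source address by range
# lookup across the defined networks; anything not covered is External.
# The packet is spoofed when that network differs from the network bound
# to the NIC the packet physically arrived on.

def classify_source(networks, src_ip):
    """Name of the defined network whose ranges contain src_ip,
    or 'External' when no defined network covers it."""
    ip = ipaddress.ip_address(src_ip)
    for name, ranges in networks.items():
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"

def check_packet(networks, nic_bindings, arrived_on, src_ip):
    """Return 'ok' or 'spoofed' for a packet from src_ip that arrived on
    the NIC named arrived_on (nic_bindings maps NIC name -> network)."""
    expected = nic_bindings[arrived_on]
    actual = classify_source(networks, src_ip)
    return "ok" if actual == expected else "spoofed"

# Two-NIC layout (constructed): one NIC on the internal LAN, one facing
# the DMZ, which from TMG's point of view is part of External.
NICS = {"LAN": "Internal", "DMZ": "External"}

# Broken definitions (constructed): the DMZ range 5.0.0.0/8 was added to
# Internal, so a DMZ host is classified Internal yet arrives on the DMZ NIC.
BROKEN = {"Internal": ["192.168.100.0/24", "5.0.0.0/8"]}

# Corrected definitions: Internal holds only the LAN range; the DMZ falls
# through to External, which matches the NIC it actually uses.
FIXED = {"Internal": ["192.168.100.0/24"]}

if __name__ == "__main__":
    for label, nets in (("broken", BROKEN), ("fixed", FIXED)):
        verdict = check_packet(nets, NICS, "DMZ", "5.0.0.212")
        print(f"{label} definitions: 5.0.0.212 on DMZ NIC -> {verdict}")
```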

Aaron 2011-11-23 at 13:26

Thanks, it was indeed my network configuration; fixed that and also deleted an old entry in a hosts file on the mail server and I’m good to go. Thanks a lot guys.

Reply

Ed Fisher 2011-11-23 at 14:05

Rock on! Thanks for letting us know.

Reply

JRV 2011-11-21 at 16:54

Spoofing errors occur when a packet arrives at an interface sent from an IP address OTHER THAN what TMG is expecting it on. Is the 5.x.x.x subnet in the definition for the Network?

Reply

Merz 2012-01-31 at 10:36

Thank you for your effort creating these blog posts.

This blog post stuck me in front of endless! :-)

I will copy my text from some forum. I hope I will get the right answer here.

I’m setting up new company infrastructure and I need your expert support to clarify few things!

What I had installed so far, Domain Infrastructure domain.root, Exchange 2010 with all roles on single box, TMG with 3 network cards (Internal, DMZ, External)

I’m stuck on my way of installing Exchange 2010 EDGE Server. I have planned to install EDGE server in DMZ as standalone machine and publish SMTP via TMG to Internet and setup EdgeSync to HUB in Internal network.

After I had installed the EDGE server on a standalone machine in DMZ, I ran the Microsoft Forefront Protection for Exchange setup. At this point I found a blog post where it’s recommended to install the EDGE server along with TMG on a single box to be able to use all features of TMG email scanning. All other blogs discuss the same installation type, and I even found instructions on the MS site regarding this setup.

This has really confused me.

My first main question is: Is it really necessary to install the Exchange EDGE role on the same box where TMG is installed to be able to use all functionality of email scanning?

Another question is: What will I lose if I install EDGE on a separate box in DMZ, protected by TMG?

In addition: It’s highly recommended to install the EDGE server first and then TMG. But my TMG box is ready and I don’t want to do the configuration steps again.
——————————————————————————-

Can I achieve all TMG email scanning features without installing the EDGE role on TMG itself? I don’t want to load my firewall and proxy for users with an Exchange EDGE installation.

thank you

Reply

Ed Fisher 2012-02-01 at 10:05

Merz,
In your situation I would do exactly what I did in this post. I had my TMG up and running and just added Exchange Edge Transport on top of it, and it worked fine. If you don’t want to do that, then
Internet->TMG external->TMG DMZ->Edge Transport
and publish the mail server role on the Edge Transport using the TMG publishing wizard.
Either way will work fine, and with FPE installed on your Edge, you will get all the protection it offers.
HTH
Ed

Reply

jerome 2012-02-02 at 03:42

Hi there,

Do we need to install Exchange Edge Transport and Forefront Protection 2010 for Exchange Server in order to have it function successfully as an SMTP gateway with full email AV, anti-spam and malware protection? How about if we only implement the TMG email policy, does it work by itself?

thank you.

Reply

Ed Fisher 2012-02-02 at 12:56

TMG email protection works fine by itself, but it does not have all the functionality of Forefront Protection for Exchange (FPE).
If you want the full anti-X capabilities, you will want to install FPE. For example, TMG will protect your email servers from attacks against email services, but does not protect your users from malware within an email. See this and this for details. If you only want to protect your servers, TMG is enough. If you want to protect your users, you want FPE or other third party anti-x solution.
Ed

Reply

JRV 2012-02-02 at 13:06

Adding to Ed’s comment, MS has done a good job of integrating EX Edge, TMG & FPE, making it about as painless a mail hygiene solution as you could hope for. And it’s the only anti-spam I’m aware of that’s integrated with Outlook’s Safe Senders List, making it easy for users to manage their own whitelists. Unless you’re already invested in another mail hygiene product and can’t or don’t want to change, definitely use Edge + TMG + FPE.

Reply

Merz 2012-02-02 at 06:16

Hey Ed,

thank you for your reply

I don’t want to deal with two (FE and BE) TMG servers; I started this way but then I decided to go with one instance of TMG.

My other concern is: is it OK to have a single TMG installation with EDGE on top of it and to install EDGE after TMG is installed, or should I start my installation from the beginning and install EDGE and then TMG?

P.S. Once again: I cannot get the same functionality if EDGE is installed on another box?

I have other questions for you; I will come back to them later.

Reply

Ed Fisher 2012-02-02 at 12:50

Merz,
It is ok to have single TMG installation with EDGE on top of it, and to install EDGE after TMG is installed. That is fine and is what I did.
Ed

Reply

jerome 2012-02-09 at 23:31

Hi Guys, thank you for your reply. I have a question here. My server will be set up in the DMZ network. I have read the articles through and I know that it is recommended to have 2 NICs configured to connect to the internal and external. What if I configure only 1 NIC in a single server running Edge + TMG + FPE? What are the pros and cons?

Reply

Ed Fisher 2012-02-10 at 15:15

With only one NIC, TMG is just a proxy and cannot do the content inspection and IPS work. I really urge you to deploy with two NICs and route traffic through the TMG to get the most out of it.
Ed

Reply

jerome 2012-02-10 at 01:42

Hello, one more question. The TMG server will be deployed on the DMZ network 176.23.x.x and connected to internal networks 10.x.x.x and 192.168.x.x. Are these routing table entries required to be entered during the installation of the TMG firewall? What if I didn’t enter these entries, would my email still be able to flow in from external to internal users? Thanks.

Reply

Ed Fisher 2012-02-10 at 15:16

Depends on how the internal NIC is configured. If it is on one of those networks the routing is implicit, but the other won’t be reachable until you add it to the routing table with the next hop gateway.
Ed

Reply

jerome 2012-02-11 at 02:37

Very much appreciated, and thank you for your reply. I have convinced my supervisor to have 2 NICs installed on the TMG server. My TMG server is located on the DMZ network; other than the policy rules allowing SMTP traffic through the Exchange edge server that must be enabled during email policy setup, what other protocols are required to be added and allowed through? My proxy server is configured on the internal network.

Reply

Wes 2012-02-13 at 13:48

The how-to regarding TMG 2010 and the Edge Transport Role was exactly what I was looking for. Thank you so much for your efforts.

Reply

Ed Fisher 2012-02-13 at 14:13

You’re welcome!

Reply

David 2012-03-03 at 13:26

Hi ED,

Thanks for posting such a wonderful article!! congrats!

What is the main advantage of having TMG, EDGE and FPE on the same server? All 3 have anti-spam features, but FPE has additional virus scanning features.

Could you please elaborate to help me understand better?

Warmest regards,
David

Reply

Ed Fisher 2012-03-03 at 19:48

The advantage is only in minimizing your server count. If you can afford more servers/need more for performance, use separate boxes. Edge and TMG give you IPS and anti-spam, but you need FPE for anti-malware.

Reply

David 2012-03-03 at 14:09

I have one more question: you recommend installing
1) TMG, 2) Edge and then 3) FPE.

But in the link below, MS recommends installing 1) EDGE, 2) FPE and 3) TMG:

http://technet.microsoft.com/nl-nl/library/ee207141%28en-us%29.aspx

Please clarify
Thanks
David

Reply

Ed Fisher 2012-03-03 at 19:46

Ford vs Chevy. If you haven’t installed anything yet, follow the technet article. If you have already installed TMG, follow mine.
Either way gets you to the same place.

Reply

David 2012-03-04 at 02:34

Appreciated your prompt response! For one client, we plan to upgrade Exchange edge server 2007/ (FPE) to edge server 2010+TMG+FPE.

Could you please give me some best practices to go ahead with this?

If I install edge server 2010+TMG in the DMZ, how will the existing anti-spam and other settings replicate to the new edge 2010 server+TMG+FPE?

Please guide me

Warmest regards,
David

Reply

Ed Fisher 2012-03-06 at 00:23

David, see this article on considerations when upgrading from Exchange 2007 to 2010 and then this checklist for the step by steps. You might also run ExDeploy to get a more tailored guide. As far as your settings, blacklists and whitelists are stored in AD, but specific configurations will need to be recorded from the 2007 FPE server and recreated on the 2010 Edge, and of course you will have to subscribe your new Edge server to the hub transport server in the nearest site.
HTH
Ed

Reply
