howto://use TMG 2010 as the Exchange edge transport server

by Ed Fisher on 2010-05-07

in Infrastructure

 

In our earlier posts (part one, part two) we performed a simple Exchange server setup for a ‘single-server’ install. We have our addressing policy set up, and can send email out to the world. Now, it’s time to get email IN to our system. Since we use TMG at our perimeter, we’re going to leverage the combined power of TMG and the Exchange 2010 Edge Transport role. Here’s a quick pic of what we’re going to have when we’re done.

 Our exchange setup overview

We have our existing TMG 2010 server running Windows 2008 R2, and our Exchange 2010 server running Windows 2008 R2. We’ve already installed Exchange 2010 on Demeter, with the Client Access Server and Mailbox Server roles. We have a mailbox database and mailboxes, and can send outgoing mail just fine. Now we want incoming mail, and that will have to go through our TMG server.

 

We do have some pre-work to do, and if you opted for 2008 instead of R2 there will be a little more, but overall this is a pretty straightforward process, and much quicker than our ‘single-server’ install. Ready to begin?

DNS records

If we want external domains to send us mail, and to minimise the problems we’ll have sending mail out to external domains, we need to get our DNS work out of the way first. Depending upon the TTLs set, we may finish the rest of this before DNS is done, so we want to do this first. We need to log onto our DNS server (or hosted portal) and set up the records for our domain. This means we need to:

  1. Create an A record for our host, Demeter, using our external IP address.
  2. Create an MX record with a weight of 10, and point it to Demeter.
  3. Update our SPF record to include Demeter as a valid sender by IP address. See this post for more on that.
  4. Update our PTR record if we have access to it.
  5. After you’ve allowed time for DNS changes to propagate, use a looking glass or dig to make sure your A, MX, SPF, and PTR (optional) records are all set.
    Yes, I left the googlemail servers in place, since I originally set up retrohack.com on Google Apps. If I lose Internet connectivity at the house, I want to still receive mail, so those servers will accept mail that I can fetch later.
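A scripted version of step 5, added here as an example and not something from the original post: it checks the A, MX, SPF and PTR records against a public resolver, so you see what external mail servers will see rather than your own internal zone. It uses Resolve-DnsName, which ships with the DnsClient module on Windows 8 / Server 2012 and later, so run it from an admin workstation rather than the 2008 R2 box itself. The domain, host name and addresses are constructed placeholders.

```powershell
# Added example, not from the original post: verify the public DNS records the
# Edge Transport host depends on. Requires Resolve-DnsName (DnsClient module).
# All names and addresses below are constructed placeholders; substitute your own.

param(
    [string]$Domain     = 'example.com',          # your mail domain (placeholder)
    [string]$EdgeHost   = 'demeter.example.com',  # the Edge host's public name (placeholder)
    [string]$ExpectedIP = '203.0.113.10',         # its external IP (placeholder, TEST-NET-3)
    [string]$Resolver   = '8.8.8.8'               # any public recursive resolver
)

function Test-Record([string]$Check, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

$results = @()

# A: the Edge host must resolve to the external address the MX will point at.
$a   = @(Resolve-DnsName -Name $EdgeHost -Type A -Server $Resolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' })
$ips = @($a | ForEach-Object { $_.IPAddress })
$results += Test-Record 'A record' ($ips -contains $ExpectedIP) ($ips -join ', ')

# MX: at least one MX for the domain must name the Edge host. Lowest preference is
# tried first, so list them in that order; backup MXs (like the Google ones the
# post keeps) are fine as long as ours is present.
$mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference)
$mxHosts = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.') })
$mxList  = ($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; '
$results += Test-Record 'MX record' ($mxHosts -contains $EdgeHost) $mxList

# SPF: exactly one TXT record starting "v=spf1" (two is itself a failure mode),
# and it must authorise the external IP, either literally (ip4:) or through the
# Edge host's A record (a:).
$spf = @(Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' } |
         Where-Object { $_ -like 'v=spf1*' })
$spfOk = ($spf.Count -eq 1) -and
         (($spf[0] -like "*ip4:$ExpectedIP*") -or ($spf[0] -like "*a:$EdgeHost*"))
$spfDetail = if ($spf.Count -eq 1) { $spf[0] } else { "$($spf.Count) v=spf1 records found" }
$results += Test-Record 'SPF record' $spfOk $spfDetail

# PTR (optional, usually only your ISP can set it): the reverse lookup of the
# external IP should come back as the Edge host; strict receivers score you down
# when it does not.
$ptr = @(Resolve-DnsName -Name $ExpectedIP -Type PTR -Server $Resolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'PTR' })
$ptrNames = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })
$results += Test-Record 'PTR record (optional)' ($ptrNames -contains $EdgeHost) ($ptrNames -join ', ')

$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize
```

Run it once right after making the changes and again after the old TTLs have expired; the first run will usually still show the previous values, which is exactly why the post has you do DNS first.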

 

PowerShell

We’re running our TMG 2010 server on Windows 2008 R2, which means we already have PowerShell 2.0. That’s good, because Exchange 2010 requires it. If you are using the original version of 2008, and added PowerShell through Server Manager, you’ll need to remove it. Here’s how.

  1. Click Start, Run, and type CompMgmtLauncher. Click OK.
  2. In the Server Manager tree, expand Features, and in the Features Summary, click Remove Features.
  3. In the Remove Features Wizard, scroll to Windows PowerShell, and then clear the check box. Click Next, and then click Remove.
  4. When the process has completed, restart the computer.

When you start the install of Exchange 2010, the prerequisites page will direct you to install PowerShell 2.0.

AD LDS, or the service formerly known as ADAM

Since we’re dealing with a role that is intended to live in the DMZ and not have any connectivity to Active Directory, we’re going to need to run Active Directory Lightweight Directory Services on our TMG server, so that the Exchange 2010 Edge Transport role has a place to store its configuration. I know, that seems awfully silly to me too, seeing as how a flat config file, registry hive, or even an XML file would do just fine. But they paid a lot of money to develop ADAM/AD LDS, so by gods somebody is going to use it! If you have already installed TMG 2010, you already have AD LDS running and are good to go. If you’re not to the install of TMG yet, here’s a quick way to get AD LDS on board.

  1. From an elevated command prompt, type cmd.exe /c start /w pkgmgr.exe /iu:"DirectoryServices-ADAM".

Installing TMG 2010

As we’re dealing with adding Exchange 2010 to a setup that already has TMG 2010 in place, we won’t cover that install in this post. If you need to, you can see this two part post on installing TMG 2010 by clicking part one, and part two. Come back here when you’re done, and we’ll continue. It’s okay, we’ll wait. You go right ahead.

Installing the Exchange Server Edge Transport role

Before installing the Exchange Server Edge Transport role, you must verify that the computer is configured with a DNS suffix. To add a DNS suffix to a Forefront TMG computer:

  1. On the Desktop, right-click Computer, and select Properties.
  2. Click Advanced system settings, and then click the Computer Name tab.
  3. Click Change, and then click More.
  4. In the Primary DNS suffix of this computer box, if an FQDN is not configured, type one, and click OK.
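A read-only pre-flight check that covers the three prerequisites above (PowerShell 2.0, AD LDS, and a primary DNS suffix) before you run Setup.exe. This is an added example, not from the original post; it assumes Windows Server 2008 R2 with the ServerManager module, and relies on the ADLDS feature name and the Tcpip\Parameters registry value that the System Properties dialog writes.

```powershell
# Added example, not from the original post: report on the Edge Transport
# prerequisites without changing anything. Assumes Server 2008 R2 / PowerShell 2.0.

Import-Module ServerManager -ErrorAction Stop

function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    # PS 2.0-compatible object construction ([pscustomobject] is PS 3.0+).
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

$findings = @()

# 1. PowerShell 2.0 or later. On 2008 R2 it is built in; on 2008 the Server
#    Manager copy must be removed so Exchange setup can install its own.
$psVersion = $PSVersionTable.PSVersion
$findings += New-Finding 'PowerShell 2.0 or later' ($psVersion.Major -ge 2) "PSVersion $psVersion"

# 2. AD LDS, where the Edge role keeps its configuration. Installing TMG 2010
#    brings it along; otherwise pkgmgr.exe /iu:"DirectoryServices-ADAM" adds it.
$adlds = Get-WindowsFeature -Name ADLDS
$findings += New-Finding 'AD LDS feature installed' ([bool]$adlds.Installed) $adlds.DisplayName

# 3. A primary DNS suffix. The System Properties dialog stores it in the
#    Tcpip\Parameters key as 'NV Domain'; Exchange setup stops without one.
$tcpip  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix = $tcpip.'NV Domain'
$suffixDetail = if ([string]::IsNullOrEmpty($suffix)) { '(none configured)' } else { "$env:COMPUTERNAME.$suffix" }
$findings += New-Finding 'Primary DNS suffix set' (-not [string]::IsNullOrEmpty($suffix)) $suffixDetail

$findings | Select-Object Check, Ok, Detail | Format-Table -AutoSize

if ($findings | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more Edge Transport prerequisites are missing; fix them before running Setup.exe.'
}
```

The DNS suffix value is read from the registry rather than from the dialog so the check can be scripted, but set it through the dialog as the steps describe (a registry edit alone does not take effect until a reboot).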

To install the Exchange Server Edge Transport role,

  1. Run the Exchange Server Setup.exe file, and follow the steps in the Exchange Server Setup Wizard, including the installation of all the prerequisites.
  2. On the Installation Type page, click Custom Exchange Server Installation.
  3. On the Server Role Selection page, select Edge Transport Role, and click Next.
    When you select Edge Transport Role, Management tools is automatically selected.
  4. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully.
  5. Then, click Install to install Exchange.
  6. Go get coffee…mmm, coffee…
  7. On the Completion page, click Finish.
    Fifteen long minutes later...
  8. When the EMC launches, select the Edge Transport Role, and select "Enter Product Key…" from the Actions pane.
  9. On the Edge Transport server, open an Administrative Exchange Management shell, and run the following command.

    New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

  10. Copy the resulting XML file to a Hub Transport server in the Active Directory site to which you want to subscribe the Edge Transport server.
  11. On the Hub Transport server, open an Administrative Exchange Management shell, and run the following command.
    New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name" -CreateInternetSendConnector $true -CreateInboundSendConnector $true

    note to readers: if your site is NOT named Default-First-Site-Name, change that as necessary in the above command!

    note to Microsoft: if you were trying to make this as difficult as Unix cmd-line administration, you succeeded. Seriously, you really expect someone to remember this sequence? Your own page on TechNet where I got this from has typos!!!
  12. On the Hub Transport server, run the following command.

    Start-EdgeSynchronization

  13. Launch the TMG Management Console.

  14. Come down to E-Mail Policy and click Configure E-Mail Policy to launch the wizard.
  15. Click Next on the welcome screen, then add the internal mail server and accepted authoritative domain(s) as necessary, and then click Next.
  16. Configure your internal listener. Unless you are multi-homed on the internal network, you can probably just click Internal and then click Next.
  17. Configure your external listener IP address, and the FQDN your TMG server will use in response to HELO/EHLO messages.
  18. Enable as desired. You definitely want to enable connectivity for EdgeSync since that is how we’re rolling.
  19. And of course, it’s going to make sure you understand that you’re opening stuff up. Click Yes, unless of course, you don’t really want email to work.
  20. Hit apply, enter your configuration change description, and go for the win!
  21. Then, go to http://www.mailradar.com/openrelay/ and test your server to make darn sure that you are not relaying at all! Do not skip this step, as it’s the best way to make sure you didn’t make a misconfiguration that leaves your server as an open relay. Failure to do this can result in your ISP blocking you, Santa placing you on his naughty list for life, and shrinkage. Don’t be that guy.
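A scripted version of that last check, added here as an example and not part of the original post: it speaks just enough SMTP to ask your own public MX to accept mail for a domain you are not authoritative for, which is what the online relay testers do. Run it from outside your network against your own server; the host and address values are constructed placeholders. A correctly locked-down Edge answers the RCPT TO with a 5xx (typically 550 5.7.1 Unable to relay). A 250 there means you have an open relay and need to revisit the receive connector permissions before anyone else notices.

```powershell
# Added example, not from the original post: open-relay self-test of your own MX.
# Connects, sends EHLO / MAIL FROM / RCPT TO for two foreign domains, and reports
# the reply code. Expected on a sane Edge: a 5xx to the RCPT TO.
# Host names and addresses are constructed placeholders.

param(
    [string]$Server   = 'demeter.example.com',    # your public MX (placeholder)
    [int]   $Port     = 25,
    [string]$MailFrom = 'relaytest@example.org',  # a domain you do not accept mail for
    [string]$RcptTo   = 'someone@example.net'     # another domain you do not accept mail for
)

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Collects a full reply, including multi-line ones ("250-..." lines end with "250 ...").
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Send-SmtpCommand([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command) {
    Write-Host ">> $Command"
    $Writer.WriteLine($Command)
    $Writer.Flush()
    $reply = Read-SmtpReply $Reader
    $reply | ForEach-Object { Write-Host "<< $_" }
    return ,$reply
}

function Get-ReplyClass([string[]]$Reply) {
    # First digit of the final reply line: 2 = accepted, 4 = temporary, 5 = permanent failure.
    if ($Reply[-1] -match '^(\d)\d\d') { $matches[1] } else { '?' }
}

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"   # SMTP requires CRLF line endings

try {
    $banner = Read-SmtpReply $reader
    $banner | ForEach-Object { Write-Host "<< $_" }   # shows the FQDN configured in step 17

    Send-SmtpCommand $writer $reader 'EHLO relaytest.example.org' | Out-Null
    $from = Send-SmtpCommand $writer $reader "MAIL FROM:<$MailFrom>"

    if ((Get-ReplyClass $from) -ne '2') {
        Write-Host "Server rejected MAIL FROM ($($from[-1])); it is not relaying for this sender, but the RCPT TO check could not run."
    }
    else {
        $rcpt = Send-SmtpCommand $writer $reader "RCPT TO:<$RcptTo>"
        switch (Get-ReplyClass $rcpt) {
            '5'     { Write-Host "OK: server refused to relay ($($rcpt[-1]))" }
            '2'     { Write-Warning "OPEN RELAY: foreign recipient accepted ($($rcpt[-1])). Fix the receive connector permissions now." }
            default { Write-Warning "Inconclusive reply to RCPT TO ($($rcpt[-1])); re-test once the server is reachable." }
        }
    }
    Send-SmtpCommand $writer $reader 'QUIT' | Out-Null
}
finally {
    $client.Close()
}
```

Nothing is ever sent past RCPT TO, so no message is created even if the server does misbehave; the session is closed with QUIT as soon as the verdict is known.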


If all was done per the specs above, you should be ready to rock and roll! If not, start troubleshooting from the outside in. Use your Gmail account to send email, and run Wireshark on your TMG server to make sure traffic is getting past your ISP. If it’s not, start by making sure your DNS records are correct and have propagated, then make sure you can get traffic past your ISP (not all will allow SMTP in by default, if at all). If email is getting to your TMG/Edge server but not past it, use the Queue Viewer tool (Exchange Management Console, Tools, Queue Viewer) and check for error codes. Exchange authentication needs to use internal FQDNs or NetBIOS names. See this post for the most common error there.
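For the inside-out half of that troubleshooting, here are the same checks from an elevated Exchange Management Shell on the Hub Transport server, added as an example that is not from the original post. The cmdlets are Exchange 2010's; the SyncStatus, ConnectionResult and LastError property names are taken from their usual output and should be confirmed against your own build.

```powershell
# Added example, not from the original post: inside-out checks after the Edge
# subscription. Run in an elevated Exchange Management Shell on the Hub Transport.

# 1. Is the Edge subscription in place, and which AD site does it belong to?
#    (The site name here is the one you had to get right in New-EdgeSubscription.)
Get-EdgeSubscription | Format-Table Name, Site, Domain -AutoSize

# 2. Did EdgeSync actually replicate? Anything other than Normal needs attention.
$sync = @(Test-EdgeSynchronization)
$sync | Format-List Name, SyncStatus, ConnectionResult, LastSynchronizedUtc
$broken = @($sync | Where-Object { $_.SyncStatus -ne 'Normal' })
if ($broken.Count -gt 0) {
    $names = ($broken | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "EdgeSync is not healthy on: $names. Run Start-EdgeSynchronization and re-check."
}

# 3. The connectors the subscription created: the Internet send connector must list
#    the Edge host as its source server, or outbound mail never leaves the site.
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers, Enabled -AutoSize

# 4. Mail that reached the Hub but no further sits in a queue with a LastError.
#    Authentication failures here usually mean the Edge was addressed by something
#    other than its internal FQDN or NetBIOS name, as the post notes.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-List Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError
```

Run the same Get-Queue line on the Edge server itself to see the other direction: inbound mail that the Edge accepted but could not hand to the Hub shows up there with the error that explains why.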

Now that you’ve got email working, take a break and loosen up gray matter with this little nugget from the tubes…YouTube that is. StrongBad rules, and with TMG, we fear no virus!

direct link for RSS and email subscribers…http://www.youtube.com/watch?v=6oiGj2ZiDxQ



arg 2010-05-08 at 00:13

Ed,

Found your site via Splunk blog. This series of Exchange posts is amazing. Prescriptive and descriptive! As a former admin and current consumer of EXCH, it is my wish that M$ would provide documentation as clear or clearer than your posts.

Yours,

Dr. Steve Brule


Ed Fisher 2010-06-13 at 17:30

What a very nice thing to say. Thank you so much! I’m glad you enjoyed them. There are three more scheduled (two t/s and one on publishing OWA) and I expect to do at least one more on publishing CAS services through TMG. Hope they are as well-received, and that folks find them useful. -ed


victor 2010-06-15 at 17:05

Perfect, thanks.


Ed Fisher 2010-06-15 at 17:09

You’re welcome!
Thanks for dropping by and leaving a comment.


John lemoine 2010-07-28 at 10:58

Nice article.

I have implemented a server with 2010 Edge, Forefront for Exchange 2010 and TMG 2010. Shortly after installation I have been having problems with something marking all the Exchange services as disabled which of course stops mail flow.

Any ideas? Did I miss something in the setup?

John


Ed Fisher 2010-07-28 at 12:17

Hi John,
Did you recently apply any patches or updates? Is there any third-party (or MSFT) antivirus/antimalware installed? Finally, is your server virtual, and if so, is the disk set to disregard changes on shutdown? Is your disk almost full? My best bet is that a patch was applied that went bork. After making sure that any virtual disks (if this server is virtual) are set to persistent, and disabling any third-party A/V or IPS, I would…
1) set all the affected services to automatic
2) start each one
3) monitor the event logs for any errors
4) hit Windows Update (not your internal WSUS) and check for any required patches. Install any that you are missing. If any fail with an error code, chase that down.
5) reboot after patching whether or not required.
6) check services and if they are disabled again, look to the event logs.
Let me know how you make out. I have seen overly aggressive policies (Forefront Client Security, Cisco Security Agent, GPO setting SMTP and POP services to disabled on all servers) configured to detect service changes and roll them back. Make sure that you are not getting whacked by another admin’s overly aggressive policies.
Ed
