Secure your Exchange 2010 Server with Forefront TMG – Part 1

In this article, you will learn how to use the advanced features of Forefront TMG to improve security of Exchange 2010.

Author
Recent Posts

Alexander Weiß currently heads up an IT department, and my main interests include IT governance, cloud computing and IT architecture. Read my blog about Amazon cloud computing.

Latest posts by Alexander Weiss (see all)

Set up a SharePoint 2010 development environment - Mon, Sep 3 2012
MBAM 2.0 – BitLocker Administration and Monitoring changes in Windows 8 - Thu, Jul 26 2012
BitLocker in Windows 8 - Thu, Jul 19 2012

An essential part of an Exchange 2010 deployment is the availability of e-mail everywhere at any time. For your users, this feature eases work; for you as an administrator, it means more work, because you have to secure the Exchange Server against attacks from outside your corporate network.

I often see that Exchange 2010 is published directly to the internet by allowing access to the various ports from the internet. However, this approach undermines most of the security features of Forefront TMG. Forefront supports Preauthentication, which means the users do not authenticate with the Exchange Server but with Forefront. Forefront then passes the privileges to the Exchange Server.

This improves security in various ways; one of them is that you do not have to publish Exchange to the internet. Another security feature of Forefront is that it can act as a web proxy. Here the protection mechanism is the same as with Preauthentication. From the Internet, nobody sees your Exchange Server. It is completely hidden behind the firewall.

Forefront also supports web filters and e-mail filters. When the access to Exchange is secured by SSL, which is absolutely needed to have at least some basic protection, and only passed through the firewall to Exchange, these filters cannot work because all they see is the encrypted stream of bytes. Forefront can bridge SSL. This means that the users still use SSL to access their e-mail, but Forefront TMG can inspect the network traffic.

When SSL is bridged, the user establishes a SSL connection with Forefront TMG and Forefront TMG establishes a SSL connection with Exchange. Thus, the tunnel is interrupted and Forefront can inspect the traffic. However, even though the SSL tunnel does not directly connect the user with Exchange, all network traffic is still secured by SSL.

Before I write about the actual configuration steps, I want to provide you with a picture of the network topology and list the prerequisites of this guide. The network topology is pretty simple in my case, but it can be even simpler. The Exchange 2010 Client Access Server and the Mailbox Server can reside on the same server. There is no need for them to be installed on separate machines.

Prerequisites for securing Exchange 2010 with Forefront TMG

A working Exchange 2010 and Forefront TMG installation.
You have to have Split-DNS configured, which means you use the same domain name for your internal and external network. I use the name contoso.com.
Outlook Web APP (OWA), Outlook Anywhere, and Exchange ActiveSync use the FQDN mail.contoso.com.
You need a valid certificate. mail.contoso.com must be the certificates principal and autodiscover.contoso.com has to be listed under “Subject Alternative Name”.

If you can fulfill these prerequisites, you can follow the step-by-step guide to secure your Exchange 2010 Server in my next article.

Want to write for 4sysops? We are looking for new authors.

4sysops members can earn and read without ads!