In this article, you will learn how to use the advanced features of Forefront TMG to improve security of Exchange 2010.

An essential part of an Exchange 2010 deployment is the availability of e-mail everywhere at any time. For your users, this feature eases work; for you as an administrator, it means more work, because you have to secure the Exchange Server against attacks from outside your corporate network.

I often see that Exchange 2010 is published directly to the internet by allowing access to the various ports from the internet. However, this approach undermines most of the security features of Forefront TMG. Forefront supports Preauthentication, which means the users do not authenticate with the Exchange Server but with Forefront. Forefront then passes the privileges to the Exchange Server.

This improves security in various ways; one of them is that you do not have to publish Exchange to the internet. Another security feature of Forefront is that it can act as a web proxy. Here the protection mechanism is the same as with Preauthentication. From the Internet, nobody sees your Exchange Server. It is completely hidden behind the firewall.

Forefront also supports web filters and e-mail filters. When the access to Exchange is secured by SSL, which is absolutely needed to have at least some basic protection, and only passed through the firewall to Exchange, these filters cannot work because all they see is the encrypted stream of bytes. Forefront can bridge SSL. This means that the users still use SSL to access their e-mail, but Forefront TMG can inspect the network traffic.

When SSL is bridged, the user establishes an SSL connection with Forefront TMG, and Forefront TMG establishes a separate SSL connection with Exchange. Thus, the tunnel is interrupted and Forefront can inspect the traffic. However, even though the SSL tunnel does not directly connect the user with Exchange, all network traffic is still secured by SSL on both legs.

Before I write about the actual configuration steps, I want to provide you with a picture of the network topology and list the prerequisites of this guide. The network topology is pretty simple in my case, but it can be even simpler. The Exchange 2010 Client Access Server and the Mailbox Server can reside on the same server. There is no need for them to be installed on separate machines.


Prerequisites for securing Exchange 2010 with Forefront TMG

  1. A working Exchange 2010 and Forefront TMG installation.
  2. You have to have Split-DNS configured, which means you use the same domain name for your internal and external network. I use the name
  3. Outlook Web App (OWA), Outlook Anywhere, and Exchange ActiveSync use the FQDN
  4. You need a valid certificate. must be the certificate's subject principal and also has to be listed under "Subject Alternative Name".

If you can fulfill these prerequisites, you can follow the step-by-step guide to secure your Exchange 2010 Server in my next article.
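Before following that guide, it is worth checking prerequisite 4 on the TMG host itself. The following PowerShell is an added example, not part of the original article; the FQDN is a placeholder you replace with the name your OWA, Outlook Anywhere, and ActiveSync clients use.

```powershell
# Added example (not from the original article): check that a certificate in the
# machine store satisfies prerequisite 4 (subject CN = FQDN, FQDN in the SAN list)
# and that it builds a valid chain on this host. Run on the Forefront TMG server.
$fqdn = 'mail.example.com'   # placeholder; use the FQDN from prerequisite 3

# TMG must own the private key to terminate the client SSL connection (bridging).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $candidates) {
    # The certificate principal is the subject's common name.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Collect DNS names from the Subject Alternative Name extension, if present.
    $sanExt = $cert.Extensions |
        Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
        Select-Object -First 1
    $sanNames = @()
    if ($sanExt) {
        # Format($true) returns one entry per line, e.g. "DNS Name=mail.example.com"
        $sanNames = $sanExt.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }

    $cnOk    = ($cn -ieq $fqdn)
    $sanOk   = ($sanNames -icontains $fqdn)
    # Verify() builds the chain against this machine's trusted roots and checks
    # validity dates and revocation; clients use their own root stores, so a
    # public CA is still required for OWA browsers and ActiveSync devices.
    $chainOk = $cert.Verify()

    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        SubjectCN    = $cn
        SANs         = ($sanNames -join ', ')
        Expires      = $cert.NotAfter
        MeetsPrereq4 = ($cnOk -and $sanOk -and $chainOk)
    }
}

# Prerequisite 2 (split DNS): from inside the network, the name should resolve to
# the internal listener address, not the public one. Compare with an external lookup.
[System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
```

A certificate that shows MeetsPrereq4 = True is the one to bind to the TMG web listener; if none does, request a new certificate with the FQDN as CN and as a DNS SAN entry before continuing.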


© 4sysops 2006 - 2023