Installing Exchange 2010 Edge Server with Forefront Protection for Exchange (FPE) and Threat Management Gateway (TMG) – Part 1


I am mid-migration, in a co-existence setup with Exchange 2010, 2007 and 2003. So far the roles installed for Exchange 2010 are CAS, Hub and Mailbox on a single server. Into this mix I need to introduce an Edge Server, with message hygiene in the form of Forefront Protection for Exchange (FPE) and Threat Management Gateway (TMG) as a reverse proxy to publish OWA, ActiveSync et al.

Since Edge, FPE and TMG can now all exist on a single 64-bit server, I will start with a clean installation of Windows Server 2008 R2, up to date with all the latest hotfixes. The server itself is nothing too spectacular; for testing purposes it has 2 virtual CPUs and 2GB RAM. It does need 2 NICs, one on the internal LAN and one on the DMZ. Since the DMZ is behind a hardware firewall, an external IP address has been mapped to the server's DMZ NIC. The server is named EDGE01.

To begin with, I need to install the Active Directory Lightweight Directory Services (AD LDS) role, which includes the .NET 3.5 framework. You can fire up the Add Roles Wizard and install AD LDS, but the simpler way is to use the PowerShell ServerManager cmdlets.

I’m installing the Exchange 2010 prerequisites as per this Technet article: http://technet.microsoft.com/en-us/library/bb691354.aspx.

From an elevated PowerShell prompt, import the server admin module:

Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart

The components will install, and the server will restart (leave off the -Restart switch to restart later).

Now we can move on to the Exchange 2010 Edge role installation. First of all, check that you can resolve the existing Exchange 2010 server and your Global Catalog servers, either by ping or NSLOOKUP. Since this server is in both the DMZ and the LAN, and is not domain joined, I have added the DNS suffix to the internal LAN NIC. If DNS is not applicable (i.e. the server is only in the DMZ), create an entry in the server's HOSTS file. You also need to create an A record in the internal DNS for the Edge server so that the internal Exchange installation can reach the Edge server.
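The resolution check above can be scripted rather than done by hand. The following PowerShell is an added example and is not part of the original post; the host names hub01.corp.example.com and dc01.corp.example.com are placeholders for your Hub Transport and Global Catalog servers. It uses .NET classes rather than Resolve-DnsName or Test-NetConnection because those cmdlets do not exist on Windows Server 2008 R2:

```powershell
# Added pre-flight check for EDGE01 (example code, not from the original post).
# Confirms the Edge server can resolve the Hub Transport and Global Catalog FQDNs
# and can open an SMTP connection to the Hub. Host names are assumptions.
# Written for PowerShell 2.0 on Windows Server 2008 R2, so only .NET types are used.

function Test-NameResolution {
    param([string]$HostName)
    try {
        # Uses whatever the NIC's DNS suffix and the HOSTS file provide, exactly as setup will
        $entry = [System.Net.Dns]::GetHostEntry($HostName)
        $ips = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ", "
        Write-Host ("[OK]   {0} -> {1}" -f $HostName, $ips)
        return $true
    } catch {
        Write-Host ("[FAIL] {0} does not resolve: {1}" -f $HostName, $_.Exception.Message)
        return $false
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect plus WaitOne gives a bounded timeout; a plain Connect() can hang
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            Write-Host ("[FAIL] {0}:{1} timed out after {2} ms" -f $HostName, $Port, $TimeoutMs)
            return $false
        }
        $client.EndConnect($async)
        Write-Host ("[OK]   {0}:{1} accepts connections" -f $HostName, $Port)
        return $true
    } catch {
        Write-Host ("[FAIL] {0}:{1} - {2}" -f $HostName, $Port, $_.Exception.Message)
        return $false
    } finally {
        $client.Close()
    }
}

$hubServer = "hub01.corp.example.com"   # assumed Hub Transport FQDN
$gcServer  = "dc01.corp.example.com"    # assumed Global Catalog FQDN

$ok = $true
$ok = (Test-NameResolution $hubServer) -and $ok
$ok = (Test-NameResolution $gcServer)  -and $ok
# Inbound mail leaves the Edge for the Hub over SMTP, so port 25 must be open in that direction
$ok = (Test-TcpPort $hubServer 25) -and $ok

if ($ok) {
    Write-Host "Pre-flight checks passed; run Exchange setup."
} else {
    Write-Host "Fix the failures above (DNS suffix, HOSTS entry or firewall) before running setup."
}
```

EdgeSync itself runs from the Hub Transport towards the Edge, so the same Test-TcpPort function run on the Hub against EDGE01 for ports 25 and 50636 (the default secure LDAP port of the Edge AD LDS instance) tells you in advance whether the subscription step later in this post will be able to connect through the DMZ firewall.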

Run the Exchange 2010 setup wizard, click through the Introduction, read and agree to the License Agreement, check your Error Reporting settings and come to the Installation Type. Select Custom Exchange Server Installation.

Select the Edge Transport Role (Management Tools will select automatically)

Set your CEIP settings to your preference and then the Readiness Checks will begin. Once completed, check that the prerequisites are installed and configured – if not go back and install/configure them and retry the checks until they are all passed.

Review the setup completion window, ensure there are no errors:

This will then open up the Exchange Management Console (EMC). Select the Edge Transport server and have a look through the settings. Now is also a good time to enter your license key, if you're not using a trial version. You can do this via the EMC, or via the Exchange Management Shell (EMS):

Set-ExchangeServer -Identity 'EDGE01' -ProductKey 'XXXX-XXXX-XXXX-XXXX-XXXX'

If your existing Exchange has been updated (i.e. mine is on Update Rollup 4) then you need to match the update version on the Edge server.

To configure the Edge Server for EdgeSync, use the following command to create an EdgeSync configuration file on your new Edge server:

New-EdgeSubscription -FileName c:\EDGE01-Config.xml

You get the above message, which essentially warns you that a) EdgeSync will overwrite your existing configurations, b) you must now manage the server from your Internal Exchange organisation, c) the Edge and Hub Transport servers must be able to resolve each other’s FQDN, d) you have 1440 minutes (24 hours) to complete the subscription or it will eat your mum and/or dog*. (*may not be true)

If you view the created subscription file, you can see that there’s some pretty obvious configuration data such as the server name and FQDN, a certificate, a user name and password to create, the AD LDS (or ADAM in old money) port and some product version and ID info.

Copy this subscription file over to your Hub Transport server and fire up a new EMS window.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EDGE01-Config.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site"
Start-EdgeSynchronization

Essentially this command reads the XML config file and allows you to add the site option – this is required when running on the Hub Transport server. (See http://technet.microsoft.com/en-us/library/bb123800.aspx). Start-EdgeSynchronization does exactly what it says on the tin. If all is successful you should see output like in the screenshot below:

At this point I would suggest testing your mail flow. I sent a few emails to my Gmail account and, by looking at the headers, realised that I needed to add the smart host to my send connector. This is done on the Hub Transport server; under Send Connectors you should have two EdgeSync send connectors:

As I have multiple sites and versions, there was some playing with the send connector costs in order to get the mail flowing correctly – but that’s specific to my setup, so I won’t go into it.
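The subscription and sync step above, and the send connector check that follows it, can both be verified from the EMS on the Hub Transport server. The script below is an added example and is not part of the original post. It assumes the default EdgeSync Internet connector name "EdgeSync - Default-First-Site to Internet" (Exchange names it after the site) and uses smarthost.example.net as a placeholder for your provider's relay:

```powershell
# Added post-subscription checks (example code, not from the original post).
# Run in the Exchange Management Shell on the Hub Transport server after
# Start-EdgeSynchronization has completed. Connector name and smart host are assumptions.

# 1. Confirm the subscription is registered and that the last sync actually succeeded.
Get-EdgeSubscription | Format-List Name,Site,Domain,WhenCreated

# One result object is returned per subscribed Edge server, so loop rather than
# reading a property off the whole result (PowerShell 2.0 does not unroll arrays).
$unhealthy = 0
foreach ($status in (Test-EdgeSynchronization)) {
    $status | Format-List Name,SyncStatus,LastSynchronizedUtc,FailureDetails
    if ($status.SyncStatus -ne "Normal") { $unhealthy++ }
}
if ($unhealthy -gt 0) {
    Write-Warning "EdgeSync is not healthy on $unhealthy Edge server(s); check FailureDetails before testing mail flow."
}

# 2. The subscription file contains the user name and password the post describes,
#    so remove it from every location it was copied to once the import has succeeded.
Remove-Item -Path "C:\EDGE01-Config.xml" -Force -ErrorAction SilentlyContinue

# 3. Review the two EdgeSync send connectors and route Internet mail via the smart host.
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*" } |
    Format-List Name,AddressSpaces,SmartHosts,DNSRoutingEnabled,SourceTransportServers,Enabled

# Assumed connector name; DNS routing is turned off when a smart host is used.
Set-SendConnector -Identity "EdgeSync - Default-First-Site to Internet" `
    -SmartHosts "smarthost.example.net" -DNSRoutingEnabled $false

# Connector changes live in the internal organisation and only reach the Edge on the
# next EdgeSync pass, so push them now instead of waiting for the schedule.
Start-EdgeSynchronization
```

After the forced sync, Get-SendConnector run on EDGE01 itself should show the same SmartHosts value; if it does not, the change has not replicated and the Test-EdgeSynchronization output is the place to look.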

As this is now getting to be a long old post, I’m going to split it into two parts – I will link the next one here. In this post I’ve shown you how to set up the Edge Transport server and get it talking to your Hub Transport – next I’ll show you the FPE install, configuration and also TMG install and configuration. Until then…enjoy!
