1/11/2019 7:04 AM Understanding, Configuring and Troubleshooting E-Mail Protection Feature on Yuri Diogenes | blogs.technet.com/yuridiogenes Senior Technical Writer | Windows iX IT PRO Security Former Senior Support Escalation Engineer | CSS Forefront Edge Microsoft © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda Understanding E-Mail Protection Solution Architecture Configuring E-Mail Protection Common Problems Troubleshooting
Understanding E-Mail Protection Solution
Component Architecture TMG Integration with Exchange and FPE TMG component holds a snapshot of the actual Exchange Edge configuration on the local machine. Since sometimes Exchange will be configured externally to TMG, the snapshot will not always match that of TMG Configuration Snapshot. TMG will poll for changes in Exchange configuration every once in a while and if it changed since the last time TMG configured it, TMG will set it back. If Edge Subscription is used, TMG will ignore specific fields that Edge Subscription takes responsibility for. The edge commands, methods and installers are a group of wrappers over edge management tasks. Component Architecture TMG Integration with Exchange and FPE
Component Architecture TMG Integration with Exchange and FPE TMG component holds a snapshot of the actual Exchange Edge configuration on the local machine. Since sometimes Exchange will be configured externally to TMG, the snapshot will not always match that of TMG Configuration Snapshot. TMG will poll for changes in Exchange configuration every once in a while and if it changed since the last time TMG configured it, TMG will set it back. If Edge Subscription is used, TMG will ignore specific fields that Edge Subscription takes responsibility for and you can’t change the settings as shown in this screen
Component Architecture Exchange Edge Business Value Launch 2006 1/11/2019 7:04 AM Component Architecture Exchange Edge Exchange Edge © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Feature Ownership (custom) (FF DNSBL) Feature Exchange Edge Role FPE IP Allow / Block Lists IP Allow / Block List Providers (custom) (FF DNSBL) Sender / Recipient Filtering, Sender ID Sender Reputation Basic Content Filtering (SmartScreen) Premium Antispam (Cloudmark) File Filtering Message Body Filtering Anti-virus & Anti-spyware
Configuring E-Mail Protection Feature Installation It is recommended that you install these mail protection technologies (and their prerequisites) on each array member, in the following order Install Active Directory Lightweight Directory Services. Install the Exchange Server 2010 Edge Transport role (RTM, don’t use Exchange 2010 SP1 Slipstream). Install Forefront Protection 2010 for Exchange Server. Install Forefront TMG. Important points about updating the system update after installing the core pre- reqs. Follow the order below: Install TMG 2010 SP1 Install TMG 2010 Update 1 Install TMG 2010 Update 1 Rollup 3 Install Exchange 2010 SP1 Configuring E-Mail Protection Feature Installation
Currently (TMG 2010 SP1 + Updates) requires that ALL configurations MUST be done via TMG 2010 Console. When the user changes something TMG has no control of, TMG doesn’t care and it is up to the user to make sure the settings are duplicated across the array. However if the user tries to change something that TMG controls she may lead to an invalid configuration and cause TMG to function incorrectly. Therefore TMG will not permit such a change. It will remove the user’s changes by resetting Exchange configuration back to the one in TMG storage. To check for changes we will use ADAM’s built-in support for “checkHighestUSn”, an LDAP query that queries the entire ADAM structure for the highest USN. TMG will use a similar mechanism to check for changes. Configuring E-Mail Protection Feature Key points to remember before the Configuration
TMG will poll Exchange configuration every once in a while TMG will poll Exchange configuration every once in a while. If a change is detected, TMG will refresh the Exchange Snapshot and compare it to the last TMG Snapshot it created. If Exchange configuration diverges from the one TMG configured, TMG will notify of the administrator using an alert and through the UI. Changes done directly on Exchange Edge Console/Powershell or FPE Console/Powershell will be overwritten by TMG. When this happens the following alert will appear on TMG: Configuring E-Mail Protection Feature Key points to remember before the Configuration
Common Problems Action: making change directly on Exchange Edge or FPE Result: Forefront TMG Managed Control Service might fail to start with error 0x80070057 Workaround: remove the changes that were manually added to Exchange or FPE Common Problems Action: Notice that IPs getting populated on the IP Block List directly on Exchange Result: Forefront TMG Managed Control Service stops and fail to start with error 0x80070057 Workaround: disable Sender Reputation feature via TMG Console (under Spam Filtering)
Action: Installing Exchange 2010 SP1 Slipstream during the installation of E- Mail Protection Pre-Reqs Result: Forefront TMG Managed Control Service might fail to start with error 0x80131500 Workaround: don’t use Exchange 2010 SP1 Slipstream while installing the pre-reqs for E-Mail Protection. Use RTM and apply SP1 after having TMG 2010 SP1 Update 1 Rollup 3 Common Problems Action: Trying to make changes on settings that are not exposed via TMG Console directly via FPE or ExchangeEdge Result: Forefront TMG Managed Control Service will overwrite the option and undo the change. Workaround: don’t use the options that are not exposed via TMG Console.
Action: Install Exchange 2010 SP1 on an a Server using E-Mail Protection feature and having TMG 2010 SP1 on it Result: Forefront TMG Managed Control Service might fail to start with error 0x80070057 Solution: Install at least TMG 2010 SP1 Update 1 (or higher = Rollup 3) Common Problems
Keep in mind the following points while troubleshooting E-Mail Protection issues: TMG Live Logging just shows the SMTP connections coming in and out, nothing more than this. TMG Live Logging will be useful is to validate if SMTP connection is estabilished or not and which rule is hitting. TMG Trace (using TMG Data Packager) will go a little further, but not much since it only logs the changes that are applied to the system as shown in the following samples: Troubleshooting
TMG Data Packager most likely will not be helpful in the following scenarios: Mail flow issues or NDRs Exchange Edge specialist should be involved. Messages are getting incorrectly stamped as SPAM or getting dropped due virus detection Identify which setting is controling that and engage the correct specialist (FPE or Exchange Transport) – see component ownership slide. Troubleshooting
Additional Resources Understanding Email Protection In TMG http://technet.microsoft.com/en-us/library/ee338733.aspx Configuring protection from e-mail-based threats http://technet.microsoft.com/en-us/library/dd441084.aspx The Exchange Edge default Receive connector gets unexpectedly disabled even though the Email policy is not configured http://blogs.technet.com/b/isablog/archive/2010/10/15/the-exchange-edge-default-receive-connector-gets-unexpectedly-disabled-even-though-the-email-policy-is-not-configured.aspx
Additional Resources Unable to Add an Additional IP on Receive Connector on Exchange Edge when using E-Mail Protection feature on Forefront TMG 2010 http://blogs.technet.com/b/yuridiogenes/archive/2010/04/02/unable-to-add-an-additional-ip-on-receive-connector-on-exchange-edge-when-using-e-mail-protection-feature-on-forefront-tmg-2010.aspx TMG E-Mail Protection Feature x Exchange 2010 SP1 http://blogs.technet.com/b/yuridiogenes/archive/2010/09/03/tmg-e-mail-protection-feature-x-exchange-2010-sp1.aspx Unable to Receive E-Mails from the Internet using E-Mail Protection feature on Forefront TMG 2010 http://blogs.technet.com/b/isablog/archive/2010/08/24/unable-to-receive-e-mails-from-the-internet-using-e-mail-protection-feature-on-forefront-tmg-2010.aspx
1/11/2019 7:04 AM © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.