Install and configure email handling solutions on TMG 2010 Firewall - Part 5
Network Administration - In Part 5 of this series, I will show you how to configure the Edge Subscription feature on the TMG 2010 firewall.
Install and configure the solution to handle email on TMG 2010 Firewall - Part 1: Installation
Install and configure email handling solutions on TMG 2010 Firewall - Part 2: E-Mail Policy
Install and configure email handling solutions on TMG 2010 Firewall - Part 3: Anti-spam
Install and configure email handling solutions on TMG 2010 Firewall - Part 4:
In this section, which will be the final part of the series, I will show you how to configure the Edge Subscription feature. Edge Subscription is a very useful feature, which allows you to block predefined mail for users who are not in your Exchange organization. This is a very valuable tool, because if you look at your spam statistics, you will certainly find that the overwhelming majority of spam is targeted at users who do not exist in your organization. Locking such 'address-exploiting' emails can help us take a big step in improving the overall performance of Exchange Server.
Finally, we will also test our configuration and try to see if the entire configuration process we have done is working well. We have set up a basic Exchange Server 2010 server behind the TMG firewall. What we will do is try sending some spam from a computer in the Internet through the TMG firewall, then send out some spam through the TMG firewall.
Create an Edge Subscription file and configure the Edge Subscription
The first thing you need to know is not to create an Edge Subscription. However, this method will help your email handling solution become more efficient. It will improve the anti-spam features, allow the lookup of recipients so that mail sent to users who are not in the organization (non-user) will be rejected, besides allowing the collection of lists. safe. Information about users in your Active Directory forest will be sent to an Active Directory LDS database located on the TMG firewall via a secure LDAP connection. In addition, Safe Senders lists and recipient information are hashed so that they are not blocked during transmission.
Information transmitted between Active Directory and TMG Active Directory LDS database includes:
- Edge subscription information
- Configuration information
- Receiver's information
- Information about network topology
EdgeSync services use secure LDAP connections over TCP port 50636 to synchronize directory information between Exchange Hub Server and the TMG firewall's Exchange Edge server.
With some background knowledge, let's create the Edge Subscription file. In the TMG firewall console, click E-Mail Policy in the left pane. In the right pane of the interface, click Generate Edge SubscriptionFiles , as shown in the figure below.

Figure 1
Your above action will bring up the Browse For Folder dialog box. Create a new folder called SubFiles , using the Make New Folder button. Click OK after creating a new folder on the C: drive.

Figure 2
If everything works properly, you will see a dialog box that says 1 Edge Subscription file (s) was created in directory C: SubFiles. , as shown in the image below.

Figure 3
If you open the file, you'll see something like the one shown in the image below. You can see the file is saved as clear text, so make sure that after importing these settings into the Hub Transport Server, you need to delete the file immediately. Failure to do this may lead to some malicious problems if an intruder can access the file. You also need to know that the subscription file is only good for 24 hours. If you do not use it before the timeout time, you need to create another request.

Figure 4
Now copy the file to the Exchange Hub server. Since we only have one Exchange Server in our test network, we will copy it to that server. At Exchange Server, open Exchange Management Console and click Organization Configuration in the left pane. Click Hub Transport as shown in the figure below.

Figure 5
In the right pane of the console, click the New Edge Subscription link , as shown in the figure below.

Figure 6
This will bring up the New Edge Subscription page. Click the Browse button in the Active Directory site section of this page. You will see the Select Active Directory Site dialog box appear. Select Default-Site-Site-Name and click OK .

After the wizard is complete, you will see what is shown in the picture below. Note that there is a warning:
EdgeSync requires that the Transport Hub servers print in Active Directory site msfirewall.org/Configuration/Sites/Default-First-Site-Name be able to resolve the IP address for TMG2010.msfirewall.org, and be able to connect to that host trên cổng 50636
We always have to create name identification and this is another example of how important DNS is to the TMG firewall scenario.

Figure 8
Check if the system policy supports email communication
When you configure the TMG firewall as an email security gateway, the program automatically configures some of the settings in System Policy. In the figure below, you can see that three System Policy Rules have been created to allow SMTP communication:
- Allow SMTP from Forefront TMG to trusted servers
- Allow SMTP traffic to the local host to filter and protect mail
- Allow SMTP traffic to Internet to filter mail protection

Figure 9
When you enable EdgeSync traffic, you will see the System Policy Rule created to allow EdgeSync traffic. This is Allow LDAP / LDAPS traffic to the local host for the Exchange Server EdgeSync Protocol . In the picture below, you will see Protocol Definition allowing TCP port 50636 to be sent.

Figure 10
Now what happens if we send a clean email through the firewall? Here is the log file entry for such an email:
TCP2 / 28/2010 8:57:43 AM 10.0.0.1 10.0.0.3 25 SMTP Closed Connection Inspected [System] Allow SMTP from Forefront TMG to trusted servers 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN Local Host Internal - TMG2010RTMB - Firewall
We highlighted the fact that this connection was exposed by the Network Inspection System. The SMTP filter is no longer used in TMG when using integrated email protection features. Instead, you will benefit from NIS, Exchange Edge and Forefront Protection for Exchange (FPE). The end result is a safer email protection configuration than what you can get with just one SMTP filter.
The next test will be to send some malware to Exchange Server through the TMG firewall. With this test, we used the previous test file that you downloaded from here. We have found that log files are not really interesting for processing test files, details you can see in the picture below.

Figure 11
In fact, we have not found any information regarding SMTP logs. Checking on TechNet you can find a fairly comprehensive article on how this email protection feature works here, but the article does not mention how to find information recorded for malware. detected. In addition, the FPE interface does not reveal when you install email protection on TMG, so you cannot check the malware information found here.
However, if you check the email message, you will see that TMG has done what it is intended to do.

Figure 12
If you open the file eicar_com.zip.txt , you will see the following:

Figure 13
Admittedly there is nothing interesting, but remember that you can customize this message by activating the notification feature, as shown in the image below.

Figure 14
Conclude
In the final part of this article series, I showed you how to configure EdgeSync feature by creating a file on the TMG firewall and then using this file to automatically configure Exchange Hub server for receiving. and keep the mail in and go through the TMG firewall.
You should read it
- Install and configure the solution to handle email on TMG 2010 Firewall - Part 1: Installation
- Install and configure email handling solutions on TMG 2010 Firewall - Part 2: E-Mail Policy
- What is a firewall? General knowledge about Firewall
- Routing and filtering network traffic - Part 2: Windows Firewall
- How to turn firewall (Firewall) on Win 7
- The new Vista firewall is not sure of the output security
- Protecting the network through web content filtering
- Learn about firewalls, Windows Firewall on Windows Server 2012
May be interested
- How to configure the router as an IoT firewallwhen talking about iot, we often think about what they can do, but ignore the potential threats that iot devices can bring, not only for ourselves but also others.
- Instructions for handling and troubleshooting firewall problems in Windows 10are you having trouble with the built-in firewall in windows 10? so the following guidelines will help you quickly overcome those problems.
- Configure advanced firewall in Windows Server 2008 using the MMC snap-insince its inception, the windows server 2003 sp1 firewall has become the basic and necessary option for servers although it only blocks incoming attacks. in windows server 2008, the preinstalled firewall has been greatly upgraded. let's explore the new functions and how to configure the new firewall using the mmc snap-in.
- HOW TO INSTALL ISA SERVER ENTERPRISE 2000 - Part IIIhow to configure isa server to work with three types of isa clients: securenat client, web proxy client and firewall client. the instructions on how to configure isa server and differentiate different types of isa clients, which can be used according to different circumstances, can help the admin take advantage of isa and deploy properly with love. bridge on your organization's network system
- 10 free firewall software is most worthwhilewindows has a great integrated firewall, but do you know there are completely free and alternative firewall software that you can install? yes, there are many firewall software that are easier to use and have more features, options that are easier to understand than microsoft 's built - in firewall.
- Configure advanced firewall in Windows 2008 using NETSH CLIin the previous article, i introduced how to configure windows server 2008 advanced firewall using the mmc snap-in. in this article, i will show you how to configure the same windows 2008 server advanced firewall using the command line interface (cli) using the netsh utility. c & oacu
- Secure remote firewall system with SSHmost firewall systems integrate a web-based component that allows users to configure these firewall systems.
- Instructions to reset Windows Firewall Rules to the initial default statewindows firewall is built into the windows operating system, which is an important part of the security system. however, over time, more and more applications are passed on the firewall. fortunately, however, you can reset windows firewall to its original default settings.
- How to export or back up Windows Firewall ruleswhen you configure the firewall, it is important that you back up all windows firewall rules for safety and security. in this quick guide, tipsmake.com will show you the steps to back up windows firewall rules in windows 10.
- Configure Windows XP SP2 network protection technologies on a computer (Part III)email programs often use the hypertext markup language (html) feature to enhance the beauty and content of emails. however, the use of html caused two vulnerabilities for email.