This topic is designed to help you plan how to use Forefront TMG to protect your network against spam and viruses that enter your organization via electronic mail. Forefront TMG inspects mail traffic en route to Simple Mail Transfer Protocol (SMTP) servers, before the mail reaches user mailboxes.
The following sections describe:
- Utilizing Microsoft mail protection technologies
- Layered protection
- Benefits of creating an e-mail policy with Forefront TMG
Utilizing Microsoft mail protection technologies
Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay together with anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively to reduce the spam that enters and exits your organization.
When deploying the e-mail protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the e-mail protection feature provides a number of benefits, which are described in Benefits of creating an e-mail policy with Forefront TMG.
Layered protection
Because spammers or malicious senders use a variety of techniques, Forefront TMG implements a layered and multifaceted approach to reducing spam and viruses. The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
Benefits of creating an e-mail policy with Forefront TMG
There are a number of advantages to implementing e-mail protection with Forefront TMG:
- Protection on the edge—Forefront TMG’s e-mail protection feature inspects mail traffic at the edge (the point of entry into an enterprise’s core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage.
- Integrated management—When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
- Extended management—Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments. When you configure an e-mail policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring e-mail policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage.
- Native support for Network Load Balancing (NLB)—Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.
Planning your deployment
When you plan to deploy e-mail protection in your organization, consider the following:
- Compile the following information before deploying e-mail protection:
  - The external IP address your organization uses for inbound mail.
    Note: A mail exchanger (MX) resource record for your domain must be registered on Internet DNS servers, and the MX record must point to the external IP address of Forefront TMG.
  - The list of internal SMTP servers, with their
    Note: If you have a Microsoft Exchange mail organization, your internal SMTP servers are the Hub Transport servers.
- To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or Windows Server Update Services (WSUS), and that automatic installation of the latest signatures is enabled. For more information, see Planning for updates of
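The two checks in the planning list above (that the public MX record for your domain resolves to the Forefront TMG external IP address, and that the update source is reachable) can be scripted before deployment. The following PowerShell is an added example, not part of the Forefront TMG documentation or product. The domain name, the TMG external address (a TEST-NET-3 documentation address) and the update URL are placeholders you replace with your own values; the MX lookup uses Resolve-DnsName, which requires the DnsClient module that ships with Windows 8 / Windows Server 2012 and later, so run it from a management workstation if the TMG host does not have that module.

```powershell
# Added example (not from the Forefront TMG documentation): pre-deployment
# checks for the planning items above.
# Placeholders (replace with your values):
$MailDomain      = 'example.com'                  # your mail domain
$TmgExternalIP   = '203.0.113.10'                 # Forefront TMG external IP (TEST-NET-3 placeholder)
$UpdateSourceUrl = 'https://update.microsoft.com' # or your WSUS server URL, e.g. http://wsus.example.com:8530

function Test-MxPointsToTmg {
    # Returns one object per MX host, flagging whether it resolves to the TMG external IP.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ExpectedIP,
        [string] $Resolver            # optional: query a specific DNS server (e.g. an Internet resolver)
                                      # so you see the public zone, not an internal split-brain copy
    )

    $resolveArgs = @{ Name = $Domain; Type = 'MX'; ErrorAction = 'Stop' }
    if ($Resolver) { $resolveArgs['Server'] = $Resolver }

    # Resolve-DnsName also returns glue A records; keep only the MX answers.
    $mxRecords = Resolve-DnsName @resolveArgs | Where-Object { $_.Type -eq 'MX' }
    if (-not $mxRecords) { throw "No MX record found for $Domain" }

    foreach ($mx in ($mxRecords | Sort-Object Preference)) {
        $exchange = $mx.NameExchange.TrimEnd('.')
        $aArgs = @{ Name = $exchange; Type = 'A'; ErrorAction = 'SilentlyContinue' }
        if ($Resolver) { $aArgs['Server'] = $Resolver }

        $addresses = Resolve-DnsName @aArgs |
                     Where-Object { $_.Type -eq 'A' } |
                     Select-Object -ExpandProperty IPAddress

        [pscustomobject]@{
            Preference   = $mx.Preference
            MailExchange = $exchange
            IPAddresses  = ($addresses -join ', ')
            PointsToTMG  = [bool]($addresses -contains $ExpectedIP)
        }
    }
}

function Test-UpdateSourceReachable {
    # Sends a HEAD request to the update source; any HTTP response (even 403/404
    # on the root URL) proves the host is reachable, while a failure with no
    # response (DNS, proxy or firewall block) means signature downloads will fail.
    param(
        [Parameter(Mandatory)] [string] $Url,
        [int] $TimeoutMs = 10000
    )
    try {
        $request = [System.Net.WebRequest]::Create($Url)
        $request.Method  = 'HEAD'
        $request.Timeout = $TimeoutMs
        $response = $request.GetResponse()
        $response.Close()
        return $true
    }
    catch [System.Net.WebException] {
        return ($null -ne $_.Exception.Response)
    }
}

# Run the checks and report.
$mxResults = Test-MxPointsToTmg -Domain $MailDomain -ExpectedIP $TmgExternalIP
$mxResults | Format-Table -AutoSize
if (-not ($mxResults | Where-Object PointsToTMG)) {
    Write-Warning "No MX host for $MailDomain resolves to $TmgExternalIP; inbound mail will not reach Forefront TMG."
}

if (Test-UpdateSourceReachable -Url $UpdateSourceUrl) {
    Write-Output "Update source $UpdateSourceUrl is reachable."
} else {
    Write-Warning "Update source $UpdateSourceUrl is not reachable; automatic signature updates will fail."
}
```

Pass an Internet-facing resolver to `-Resolver` when the machine you run this from uses internal DNS, because the record that matters is the one external senders see. If the TMG computer reaches the Internet only through a proxy, run the reachability check on the TMG computer itself so it exercises the same path the update client will use.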
Deploying e-mail protection requires installing the Exchange Edge Transport role and FPES, as well as their associated prerequisites. It is recommended that you install these programs before installing Forefront TMG. Read Installing prerequisites for e-mail protection for installation instructions.