Planning to protect against e-mail threats
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help you plan how to use Forefront TMG to protect your network against spam and viruses that enter your organization via electronic mail. Forefront TMG inspects mail traffic on route to Simple Mail Transfer Protocol (SMTP) servers, before the mail reaches user mailboxes.
The following sections describe:
Utilizing Microsoft mail protection technologies
Layered protection
Benefits of creating an e-mail policy with Forefront TMG
Deployment considerations
Next steps
Utilizing Microsoft mail protection technologies
Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization.
When deploying the e-mail protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the e-mail protection feature provides a number of benefits, which are described in Benefits of creating an e-mail policy with Forefront TMG.
Layered protection
Because spammers or malicious senders use a variety of techniques, Forefront TMG implements a layered and multifaceted approach to reducing spam and viruses. The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.
Benefits of creating an e-mail policy with Forefront TMG
There are a number of advantages to implementing e-mail protection with Forefront TMG:
Protection on the edge—The Forefront TMG e-mail protection feature inspects mail traffic at the edge (the point of entry into an enterprise’s core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage.
Integrated management—When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
Extended management—Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments. When you configure an e-mail policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring e-mail policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage.
Native support for Network Load Balancing (NLB)—Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.
Deployment considerations
When you plan to deploy e-mail protection in your organization, consider the following:
Compile the following information before deploying e-mail protection:
The external IP address your organization uses for inbound mail.
Note
A mail exchanger (MX) resource record for your domain must be registered on Internet DNS servers, and the MX record must point to the external IP address of Forefront TMG.
The list of internal SMTP servers, with their IP addresses.
Note
If you have a Microsoft Exchange mail organization, your internal SMTP servers are the Hub Transport servers.
To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or Windows Server Update Services (WSUS), and that automatic installation of the latest signatures is enabled. For more information, see Planning for updates of protection definitions.
After completing the installation, it is recommended that you back up the configuration and store the backup file in a secure location. This may be useful for troubleshooting e-mail protection issues in the future, and will allow you to revert to the original configuration if necessary. You should do this for each member of the array.
If you implement e-mail protection with Microsoft Forefront Protection 2010 for Exchange Server, and the Forefront TMG HTTPS inspection feature is enabled, you must enable the download of Cloudmark antispam engine definitions updates to the Forefront TMG server. Because the Cloudmark download site uses a self-signed certificate, and Forefront TMG HTTPS inspection does not support the inspection of self-signed certificates, you must exclude the site the from HTTPS inspection. For information, see Excluding sources and destinations from HTTPS inspection.
Next steps
Deploying e-mail protection requires installing the Exchange Edge Transport role and FPES, as well as their associated prerequisites. It is recommended that you install these programs before installing Forefront TMG. Read Installing prerequisites for e-mail protection for installation instructions.
Related Topics
Tasks
Installing prerequisites for e-mail protection
Concepts
Protection design guide for Forefront TMG
Planning for updates of protection definitions
Configuring protection from e-mail-based threats