How to publish Exchange 2010 using 3-legged Forefront TMG 2010?
I have set up Forefront TMG 2010 in a 3-legged environment. The internal network uses the 10.0.12.x network. The DMZ uses the 172.16.10.x network. The external is the Internet coming in via the ISP modem using the 192.168.1.x network. The TMG is joined to the internal domain. The only server going to exist in the DMZ would be the Exchange 2010 Edge server. The remaining Exchange servers, i.e. one server for CAS/HUB and two servers as mailbox servers in a DAG, are working fine on the internal network. I am able to use Exchange, create mailboxes, send and receive email. I have the access rules configured to allow connectivity between the DMZ and INTERNAL network so far. I would like to know the steps required to publish email online from here onwards.
August 13th, 2011 12:55pm

Hi Petr, I know the procedure for deploying the Edge server. Looking up various posts on Google, I have reached the conclusion that the Edge server requires a lot of prior planning before deployment, although I am confused whether I might be missing out on something. I will try to mention the steps and doubts I have. I have already mentioned how far I have reached with my deployment. Now I have to proceed with installing the Edge server and publishing it to the Internet. I think I should start with installing the prerequisites for the Edge server, then the Edge server role itself, then create the subscription file on the Edge server and import it onto the internal HUB transport server, which happens to be hosting both the CAS and HUB roles. Some of the posts I went through online require me to know my ISP public IP so I can publish, and also to have a domain name registered, and further the SSL certificates if I intend to publish Outlook Anywhere. Getting the public IP from the ISP is just a matter of requesting it through email, but I am not sure how many IPs I exactly require. I haven't done domain name registration before, so I am not sure if it's just about going ahead and purchasing the name required, or if I am missing out on something here. The SSL certificates require mentioning all the URLs or names, i.e. the external email link, one for OWA, one for ActiveSync... I am not really sure how many names I would require and what's the best solution to this. I am further unable to get any document specifying what specific ports/protocols I need to enable between the internal and DMZ networks as well as the external and DMZ networks. Again, suppose I am done with the Edge server installation, what particular send/receive connectors do I need to configure, or would the default ones just work fine?
And lastly, is publishing Exchange through TMG 2010 just about one rule, or more? I stumble upon some posts that require multiple rules for OWA, Outlook Anywhere, ActiveSync, and client access for RPC, IMAP, SMTP, POP3 etc., which is quite confusing to me. I understand it's a lot of queries in one post. Any insight into the matter would be highly appreciated. Thanks, $hAz@iB
August 13th, 2011 3:28pm

Hi, if you have a bigger organization it is better to use more public IP addresses, but if you have a small one and you do not have a lot of money you can use one public IP. It's better to have the IP address dedicated only for the mail gateway and have other services (web services) "connected" with another IP. You have to set an MX record in your external DNS; it will be the name of your EDGE server, because it will be published to the Internet, and also you have to open and forward the ports 25 (SMTP) and 443 for the OWA and ActiveSync access. The certificate for OWA and ActiveSync: it is better to use a paid certificate (trusted external CA), but you can also use one from your own CA; there is a limitation here, though: you have to publish this certificate to all devices such as mobile phones, otherwise it will be presented as untrusted. You have to decide if you want to create a wildcard certificate (*.domain.suffix) or if you want to use only one external name for your web services, e.g. mail.domain.suffix. I'm using only one external name for OWA and AS, so I'm using mail.domain.suffix, but it depends on your organization's requests... The EDGE server is gathering data from internal (Active Directory) via LDAP sync, so you have to open 389 between them. You also need to create the Edge sync to have communication between the EDGE and your internal HUB server. http://technet.microsoft.com/en-us/library/bb232082.aspx If you also want to use IMAP and POP3 you have to decide if you want to have them secured or not. More info about the ports: http://technet.microsoft.com/en-us/library/bb331973.aspx Petr Weiner
August 13th, 2011 4:18pm
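An added check (not from the thread, and not Petr's or Microsoft's code) for the question's last point, which access rules the TMG needs: a small Python model of a first-match-wins firewall policy that confirms the flows named in the answer (25 in to the Edge, 443 to the published CAS, 389 from the Edge to internal AD) are permitted, and flags the "allow everything between DMZ and INTERNAL" style rule the question describes. The /24 masks, the rule names and the omission of EdgeSync's own port are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Networks from the question; the /24 masks are assumed (the post gives only the first three octets).
INTERNAL = ipaddress.ip_network("10.0.12.0/24")
DMZ = ipaddress.ip_network("172.16.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")   # stands for the External network / Internet

class Rule(NamedTuple):
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None = all ports (an "all outbound traffic" style access rule)
    allow: bool = True

class Flow(NamedTuple):
    why: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int

# Only the flows the answer names; EdgeSync's own port is deliberately not modelled here.
REQUIRED = [
    Flow("inbound SMTP to the Edge server", ANY, DMZ, 25),
    Flow("OWA/ActiveSync published through TMG to the CAS", ANY, INTERNAL, 443),
    Flow("Edge LDAP to internal AD (port as given in the answer)", DMZ, INTERNAL, 389),
]

def decide(rules: List[Rule], src, dst, port: int) -> bool:
    """First matching rule wins, as in a TMG firewall policy; no match means deny."""
    for r in rules:
        if src.subnet_of(r.src) and dst.subnet_of(r.dst) and (r.port is None or r.port == port):
            return r.allow
    return False

def audit(rules: List[Rule]) -> List[str]:
    """Findings: required flows that are blocked, and DMZ->internal rules open on every port."""
    findings = []
    for f in REQUIRED:
        if not decide(rules, f.src, f.dst, f.port):
            findings.append(f"MISSING: {f.why} ({f.src} -> {f.dst} tcp/{f.port})")
    for r in rules:
        if r.allow and r.port is None and r.src.overlaps(DMZ) and r.dst.overlaps(INTERNAL):
            findings.append(f"OVERBROAD: '{r.name}' lets the DMZ reach the internal network on every port")
    return findings

# Constructed rule sets: the question's "connectivity between DMZ and INTERNAL", then a tightened one.
BROAD_RULES = [Rule("DMZ to internal", DMZ, INTERNAL, None), Rule("SMTP publishing", ANY, DMZ, 25),
               Rule("OWA/ActiveSync publishing", ANY, INTERNAL, 443)]
TIGHT_RULES = [Rule("Edge LDAP", DMZ, INTERNAL, 389)] + BROAD_RULES[1:]
```

`audit(BROAD_RULES)` reports the single over-broad DMZ rule, while `audit(TIGHT_RULES)` comes back empty; dropping the LDAP rule from the tight set produces a MISSING finding instead.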

Thanks for the info Petr. I think a lot of information is causing all the confusion in my head. I'll keep you updated when I get started with the process. Thanks again, $hAz@iB
August 13th, 2011 6:46pm

