How to publish exchange 2010 using 3-legged forefront TMG 2010?
I have set up Forefront TMG 2010 in a 3-legged environment. The internal network uses the 10.0.12.x network, the DMZ uses the 172.16.10.x network, and the external is the Internet coming in via the ISP modem using the 192.168.1.x network. The TMG is joined to the internal domain. The only server going to exist in the DMZ would be the Exchange 2010 Edge server. The remaining Exchange servers, i.e. one server for CAS/Hub and two servers as mailbox servers in a DAG, are working fine on the internal network. I am able to use Exchange, create mailboxes, and send and receive email. I have the access rules configured to allow connectivity between the DMZ and internal network so far. I would like to know the steps required to publish the email online from here onwards.
August 4th, 2011 12:52pm

Hi Petr, I know the procedure for deploying the Edge server. Looking up various posts on Google, I have reached the conclusion that the Edge server requires a lot of prior planning before deployment, although I am confused if I might be missing out on something. I will try to mention the steps and doubts I have. I have already mentioned how far I have reached with my deployment. Now I have to proceed with installing the Edge server and publishing it to the Internet. I think I should start with installing the prerequisites for the Edge server, then the Edge server role itself, then create the subscription file on the Edge server and import it on to the internal Hub Transport server, which happens to be hosting both the CAS and Hub roles. Some of the posts I went through online require me to know my ISP public IP so I can publish, and also to have a domain name registered, and further the SSL certificates if I intend to publish Outlook Anywhere. Getting the public IP from the ISP is just a matter of requesting it through email, but I am not sure how many IPs I exactly require. I haven't done domain name registration before, so I am not sure if it's just about going ahead and purchasing the name required, or if I am missing out on something here. The SSL certificates require mentioning all the URLs or names, i.e. the external email link, one for OWA, one for ActiveSync... I am not really sure how many names I would require and what's the best solution to this. I am further unable to get any document specifying what specific ports/protocols I need to enable between the internal and DMZ network as well as the external and DMZ network. Again, suppose I am done with the Edge server installation: what particular send/receive connectors do I need to configure, or would the default ones just work fine?
And lastly, is publishing Exchange through TMG 2010 just about one rule, or more? I stumble upon some posts that require multiple rules for OWA, Outlook Anywhere, ActiveSync, and client access for RPC, IMAP, SMTP, POP3 etc., which is quite confusing to me. I understand it's a lot of queries in one post. Any insight into the matter would be highly appreciated. Thanks, $hAz@iB
August 4th, 2011 3:24pm

Hi, if you have a bigger organization it is better to use more public IP addresses, but if you have a small one and you do not have a lot of money you can use one public IP. It's better to have the IP address dedicated only for the mail gateway and have other services (web services) "connected" with another IP. You have to set the MX record in your external DNS; it will be the name of your Edge server, because it will be published to the Internet, and you also have to open and forward the ports 25 (SMTP) and 443 for the OWA and ActiveSync access. The certificate for OWA and ActiveSync: it is better to use a paid certificate (trusted external CA), but you can also use one from your own CA; the limitation here is that you have to publish this certificate to all devices such as mobile phones, otherwise it will be presented as untrusted. You have to decide if you want to create a wildcard certificate (*.domain.suffix) or if you want to use only one external name for your web services, e.g. mail.domain.suffix. I'm using only one external name for OWA and AS, so I'm using mail.domain.suffix, but it depends on your organization's requests... The Edge server is gathering data from internal (Active Directory) via LDAP sync, so you have to open 389 between them. You also need to create the Edge sync to have communication between the Edge and your internal Hub server. http://technet.microsoft.com/en-us/library/bb232082.aspx If you also want to use IMAP and POP3 you have to decide if you want to have them secured or not. More info about the ports: http://technet.microsoft.com/en-us/library/bb331973.aspx Petr Weiner
August 4th, 2011 4:15pm
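The Edge subscription and the internal/DMZ port checks Petr describes, as an added example that is not part of the original thread (Exchange Management Shell; the server names EDGE01 and HUB01, the AD site name Default-First-Site-Name and the file path are assumptions). EdgeSync itself runs over secure LDAP from the Hub to the Edge on TCP 50636, with SMTP 25 in both directions (the port reference linked above lists these), so those are the three paths the script tests before the subscription is imported.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# Assumed names: EDGE01 (DMZ, 172.16.10.x), HUB01 (internal CAS/Hub, 10.0.12.x),
# AD site "Default-First-Site-Name", subscription file C:\EdgeSubscription.xml.

function Test-TcpPort {
    # Plain TCP connect with a timeout; $true only when the far side accepts.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# --- 1. Verify the TMG access rules before subscribing --------------------------
# EdgeSync: Hub -> Edge on 50636 (secure LDAP to the Edge's AD LDS instance)
# SMTP:     Hub -> Edge and Edge -> Hub on 25
# The Edge must also resolve the Hub by name; a hosts-file entry is the usual
# answer for a DMZ host that is not a domain member.
$checks = @(
    @{ From = "HUB01";  To = "EDGE01"; Port = 50636 },
    @{ From = "HUB01";  To = "EDGE01"; Port = 25    },
    @{ From = "EDGE01"; To = "HUB01";  Port = 25    }
)
foreach ($c in $checks) {
    # Each check only runs on the server it originates from.
    if ($env:COMPUTERNAME -ieq $c.From) {
        $ok = Test-TcpPort -ComputerName $c.To -Port $c.Port
        "{0} -> {1}:{2}  {3}" -f $c.From, $c.To, $c.Port, $(if ($ok) { "open" } else { "BLOCKED" })
    }
}

# --- 2. On EDGE01: create the subscription file (copy it to HUB01 out of band) ---
# New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" -Force

# --- 3. On HUB01: import it within 24 hours of creation --------------------------
# The import creates the default connectors the OP asked about:
#   "EdgeSync - Default-First-Site-Name to Internet"  (address space *, DNS routing)
#   "EdgeSync - Inbound to Default-First-Site-Name"   (Edge -> internal site)
New-EdgeSubscription -Site "Default-First-Site-Name" `
    -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0))

# Force the first sync instead of waiting for the scheduler, then verify it.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List Name, SyncStatus, LastSynchronizedUtc
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*" } |
    Format-List Name, AddressSpaces, SourceTransportServers, DNSRoutingEnabled
```

If a check prints BLOCKED, fix the TMG access rule (Internal to Perimeter for 50636 and 25, Perimeter to Internal for 25) before running step 3; an import over a broken 50636 path succeeds in Active Directory but Test-EdgeSynchronization will never report Normal.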

Thanks for the info, Petr. I think a lot of information is causing all the confusion in my head. I'll keep you updated when I get started with the process. Thanks again. $hAz@iB
August 5th, 2011 6:29pm

Hi, maybe this post can help you? http://www.testlabs.se/blog/2010/07/27/how-to-publish-owaactivesyncoutlook-anywhere-exchange-2010-with-microsoft-forefront-tmg-2/ Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
August 16th, 2011 6:03pm

Hi Jonas, thanks for the link. But I am still lagging behind. As I started off from scratch, so far I have managed to set up the internal network with a server having the CAS/Hub role and two servers for the Mailbox role in a DAG environment, and the mails are working fine internally. Then I got to set up TMG in a 3-leg perimeter setup, with the Exchange Edge server being placed in the DMZ. I was having a couple of issues getting the server in the DMZ to communicate with the internal network and the Internet. Now I have managed to install the Exchange Edge server role, and have succeeded so far in performing the Edge subscription and importing it to the Hub Transport server. If I send a mail now from the internal network, suppose to Gmail or Hotmail, I see the messages showing up in the queues on the Edge server. But the mails never arrive. Points to be noted: I still do not have the domain name registered. I do not have the SSL certificates yet. I would like to try it first working by the public IP assigned by the ISP. Is this even possible or not? I think at least it should be able to send mail; obviously, I wouldn't be able to receive any because of no MX records. Or is it possible, if someone replies to an email I already sent, that it would come back via the IP address? Further, I am not sure if it would be a good idea to request the ISP to enter MX records in their DNS. Even so, would they? The send/receive connectors are the default ones that get created once you do the Edge subscription process. From here, I suppose my next step would be to be able to successfully send an email over the Internet. $hAz@iB
August 21st, 2011 3:44pm
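A way to find out why outbound mail is sitting in the Edge queue, as an added example that is not from the original posts (run in the Exchange Management Shell on the Edge Transport server; the destination domain gmail.com stands in for whichever queue is stuck). An Internet Send connector with DNS routing resolves the recipient domain's MX from the DMZ and connects to it on TCP 25, so the three things to check are the queue's LastError, whether the MX lookup works from the Edge, and whether TMG (and the ISP) let the Edge reach port 25 on the Internet. Inbound mail, including replies, is addressed to the MX of the domain in the sender's address rather than to the sending IP, so nothing comes back until a domain is registered and an MX published for it.

```powershell
# Added example, not code from the thread. Run on the Edge Transport server.
# $domain is a placeholder for the domain whose queue is not draining.
$domain = "gmail.com"

function Get-SmtpBanner {
    # Opens TCP 25 to a mail exchanger, reads the 220 greeting and sends QUIT.
    # A timeout here with a working MX lookup means outbound 25 is blocked,
    # either by the TMG Perimeter -> External rule or by the ISP.
    param([string]$Server, [int]$Port = 25, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return "timeout" }
        $client.EndConnect($async)
        $client.ReceiveTimeout = $TimeoutMs
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $banner = $reader.ReadLine()          # e.g. "220 mx.example.net ESMTP ..."
        $writer.WriteLine("QUIT"); $writer.Flush()
        return $banner
    } catch { return "error: " + $_.Exception.Message }
    finally { $client.Close() }
}

# 1. What the transport service itself reports for every non-empty queue.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-List Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError

# 2. Which connector the Edge uses for the Internet (created by the subscription).
Get-SendConnector | Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, SourceTransportServers

# 3. Can the Edge resolve the destination MX? The Edge uses its own DNS settings,
#    so the DNS server it points at must be reachable from the DMZ (TCP/UDP 53).
$mx = & nslookup -type=mx $domain 2>$null |
      Select-String "mail exchanger = (\S+)" |
      ForEach-Object { $_.Matches[0].Groups[1].Value }

if (-not $mx) {
    "MX lookup for $domain failed from $env:COMPUTERNAME; check the Edge's DNS settings and TMG DNS rule"
} else {
    # 4. Talk SMTP to the first two exchangers; a banner proves the path out is open.
    foreach ($mxHost in ($mx | Select-Object -First 2)) {
        "{0}:25  {1}" -f $mxHost, (Get-SmtpBanner -Server $mxHost)
    }
}
```

Compare the banner result with the queue's LastError: a 451 4.4.0 DNS-style error points at step 3, while a queue stuck in Retry with "timeout" here points at the TMG rule from the Perimeter network to External for SMTP, which the Edge needs in addition to the inbound port forward on 25.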

I have a doubt here. Since I have a 3-leg perimeter setup for TMG, when I'm trying to publish Exchange using TMG, the internal URL I provide is that of the internal CAS/Hub server. Doesn't this imply that the requests would come in directly to my internal server, and not the Edge server in the DMZ? $hAz@iB
September 10th, 2011 3:12am

The Edge would need two network cards, one connected to the internal network and another to the DMZ. The Hub Transport will be sending/receiving the Internet emails (for SMTP only) via the internal network card of the Exchange Edge role server. The CAS is purely for web-related traffic. This would be for 1) Outlook Anywhere/Autodiscover, 2) Outlook Web App and 3) ActiveSync for a start. The certificate you get from a commercial CA (e.g. Entrust) will be for the CAS server. Once this cert is installed on the CAS server, export the cert with the private key and install the cert on the TMG. When installing the cert on the TMG select "private key cannot be exported". At this point your TMG can now pretend to be the CAS for the initial authentication using Forms Based Authentication. On the external DNS there need to be one A record and one MX record. So for example you can create an A record 192.168.1.111 for USMAIL.COMPANY.COM. The MX record will be for the COMPANY.COM domain and will point to the A record. For configuring TMG, you need only one web listener for 3 rules for CAS. The 3 rules are for Outlook Web App, Outlook Anywhere/Autodiscover and ActiveSync. One thing to make sure of: the traffic coming and going to/from the Edge uses the same public IP you configured the A record for USMAIL.COMPANY.COM with. Hope that helps. Sarbjit Gill
January 1st, 2012 1:19pm
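The certificate and CAS side of what Sarbjit describes, as an added example that is not code from the thread or from either poster (Exchange Management Shell on the CAS, plain PowerShell on the TMG; the server name CAS01, the organisation fields, the file paths and the use of usmail.company.com plus autodiscover.company.com as the two SAN names are assumptions, and the three TMG publishing rules themselves are left to the Exchange publishing wizard). It answers the earlier question of how many names the certificate needs: with one external name for all web services, one SAN certificate with that name and the autodiscover name covers OWA, Outlook Anywhere, ActiveSync and Autodiscover.

```powershell
# Added example, not code from the thread. Assumed: CAS01 = internal CAS/Hub,
# external name usmail.company.com, files under C:\certs.

# ---- On CAS01 (Exchange Management Shell): request one SAN certificate ----------
# Two names cover everything the three TMG rules publish:
#   usmail.company.com        the listener name and every ExternalUrl below
#   autodiscover.company.com  what Outlook and ActiveSync clients look up first
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Company, CN=usmail.company.com" `
    -DomainName "usmail.company.com","autodiscover.company.com" `
    -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path "C:\certs\usmail.req" -Value $req
# ... submit usmail.req to the commercial CA and save the issued cert as C:\certs\usmail.cer ...
$cert = Import-ExchangeCertificate -FileData ([byte[]]$(Get-Content -Path "C:\certs\usmail.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# ---- Still on CAS01: export it with the private key for the TMG ----------------
$pfxPassword = Read-Host -AsSecureString "PFX password"
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\usmail.pfx" -Value $pfx.FileData -Encoding Byte

# ---- External URLs that the TMG rules forward to (internal site name = CAS01) ---
$ext = "usmail.company.com"
Set-OwaVirtualDirectory        -Identity "CAS01\owa (Default Web Site)" -ExternalUrl "https://$ext/owa"
Set-EcpVirtualDirectory        -Identity "CAS01\ecp (Default Web Site)" -ExternalUrl "https://$ext/ecp"
Set-ActiveSyncVirtualDirectory -Identity "CAS01\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$ext/Microsoft-Server-ActiveSync"
# Use Set-OutlookAnywhere instead if Outlook Anywhere is already enabled on CAS01.
# SSLOffloading stays off because TMG re-encrypts to the CAS (HTTPS bridging).
Enable-OutlookAnywhere -Server CAS01 -ExternalHostname $ext -ClientAuthenticationMethod Basic -SSLOffloading $false
Set-ClientAccessServer -Identity CAS01 `
    -AutoDiscoverServiceInternalUri "https://autodiscover.company.com/Autodiscover/Autodiscover.xml"
# TMG's forms-based listener collects the credentials and delegates them as Basic,
# so OWA itself must accept Basic rather than presenting a second forms page.
Set-OwaVirtualDirectory -Identity "CAS01\owa (Default Web Site)" -FormsAuthentication $false -BasicAuthentication $true

# ---- On the TMG server (plain PowerShell): import the PFX with a NON-exportable key
# Leaving "Exportable" out of the key storage flags is the scripted equivalent of
# ticking "private key cannot be exported" in the import wizard; the TMG can use
# the key for TLS but the PFX cannot be pulled back out of its store.
$tmgPassword = Read-Host -AsSecureString "PFX password"
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
$tmgCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\usmail.pfx", $tmgPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadWrite"); $store.Add($tmgCert); $store.Close()
# Select this thumbprint in the web listener's SSL settings.
$tmgCert | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

Delete C:\certs\usmail.pfx from both machines once the TMG import is done; the copy on the CAS is what a domain-joined attacker would take to impersonate the listener, and the TMG no longer needs it.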

This topic is archived. No further replies will be accepted.
