Forefront TMG and Exchange on the SAME Server

March 26, 2010

in Exchange, Forefront, Microsoft

With ISA, configuring protection for Exchange remote services required a second server for ISA. More servers were required for high availability. In a true HA environment, a company would be looking at four or more servers. ISA would only protect services such as Outlook Anywhere, OWA, POP, IMAP and so on. SMTP protection still needed to be configured and managed on the Exchange Edge services. This setup often required three different management consoles and, in large environments, was a lot of work to manage.

With the introduction of Forefront Threat Management Gateway 2010, you can now install Exchange, FPES (Forefront Protection for Exchange Server) and TMG on the same computer. Management of the Exchange, FPES and TMG services is integrated into the TMG Management console, greatly reducing management overhead.

In case you missed that: Exchange, FPES and TMG can now be installed on the SAME server.

Here are some of the benefits:
  • Protection on the edge — The Forefront TMG e-mail protection feature inspects mail traffic at the edge (the point of entry into an enterprise’s core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage.
  • Integrated management — When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
  • Extended management — Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the e-mail protection feature, which is a benefit not available to other Exchange and FPES deployments. When you configure an e-mail policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring e-mail policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage.
  • Native support for Network Load Balancing (NLB) — Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.

Microsoft recommends installation in the following order:
  1. Install Active Directory Lightweight Directory Services
  2. Install the Exchange Edge Transport role
  3. Install Forefront Protection 2010 for Exchange Server
  4. Install Forefront TMG

For more information on planning to protect against e-mail threats click here…

For installation prerequisites for e-mail protection click here…

leopold November 4, 2010 at 1:38 am

Thanks for your post. I have some questions about TMG. The first question is:
can I still use my TMG server as a web proxy on my LAN, or is this only for Edge configuration?
The second question is: do I add the server to my domain?

Thanks in advance.