Subscribing the Edge Transport Server to the Exchange Organization

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

If you are using a Microsoft Exchange messaging organization, you can subscribe the Edge Transport server installed on Forefront TMG to the Microsoft Exchange Server organization. An Edge Subscription establishes a secure, one-way replication channel from the Hub Transport servers in the Exchange organization (where configuration and directory information is maintained) to the Edge Transport server role on the Forefront TMG server.

This topic describes:

  • Edge Transport server role

  • Advantages of an Edge Subscription

  • About the Microsoft Exchange EdgeSync service

  • About Replication Data

  • Configuring an Edge Subscription

Edge Transport server role

Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow, and provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization. Additional layers of message protection and security are provided by a series of agents that run on the Edge Transport server, and act on messages as they are processed by the message transport components. These agents support the features that provide protection against viruses and spam, and apply transport rules to control message flow.

Advantages of an Edge Subscription

Creating an Edge Subscription establishes secure, automatic replication of directory and other information from the Exchange organization to the Edge Transport servers. Routing and accepted domain configuration that was controlled directly on the Edge Transport server is now configured on the Hub Transport server.

Although creating an Edge Subscription is optional, subscribing an Edge Transport server to the Exchange organization enhances the available anti-spam features. You must create an Edge Subscription if you plan to use the recipient lookup or safelist aggregation anti-spam features, or if you plan to help secure SMTP communications with partner domains by using mutual Transport Layer Security (TLS).

For more information about Edge Subscriptions, see the following:

Exchange 2007: Understanding Edge Subscriptions

Exchange 2010: Understanding Edge Subscriptions

About the Microsoft Exchange EdgeSync service

The Microsoft Exchange EdgeSync service that runs on the Hub Transport server performs periodic one-way synchronization to transfer the configuration and recipient data that the Edge Transport servers need, and to keep that data updated. The Microsoft Exchange EdgeSync service copies only the information that the Edge Transport servers require to perform anti-spam tasks, together with the configuration information that enables mail flow between the Exchange organization's Hub Transport servers and the Internet through the Edge Transport servers. This reduces the administration that you must perform in the perimeter network: you perform the required configuration on the Hub Transport server role, and EdgeSync writes that information to the Edge Transport servers.

For more information about EdgeSync, see the following:

Exchange 2007: Understanding the EdgeSync Synchronization Process

Exchange 2010: Understanding the EdgeSync Synchronization Process

About Replication Data

Data that is sent from Active Directory to the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server is transferred over an encrypted channel, using a Secure Lightweight Directory Access Protocol (Secure LDAP) connection. In addition, the Safe Senders lists and the recipient information are hashed before replication, to protect the privacy of that data. The Microsoft Exchange EdgeSync service replicates the following types of data from Active Directory to AD LDS:

  • Edge Subscription information.

  • Configuration information.

  • Recipient information.

  • Topology information.

For a complete description of these data types and how they are used by the Edge Transport server, see the following:

Exchange Server 2007: EdgeSync Replication Data

Exchange Server 2010: EdgeSync Replication Data

Configuring an Edge Subscription

The following procedures provide instructions on how to subscribe the Edge Transport server installed on Forefront TMG:

  1. Preparing to run the Microsoft Exchange EdgeSync service

  2. Enabling connectivity for EdgeSync traffic

  3. Exporting Edge Subscription files

  4. Creating an Edge Subscription

    Note

    When you export the Edge Subscription files, you have 24 hours to complete the Edge Subscription process inside the organization. Otherwise you will need to export the files again.

  5. Verifying that synchronization completed successfully by inspecting MSExchange EdgeSync events in the Application log in Event Viewer.

    Important

    Edge Subscription files are written in clear text. You must protect these files throughout the subscription process. After the Edge Subscription file is imported to a Hub Transport server, you should immediately delete the Edge Subscription file from the Forefront TMG server, the Hub Transport server, and any removable media.
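The following Exchange Management Shell script is an added example of steps 3 through 5 above; it is not part of the original page or of the Forefront TMG product documentation. It assumes Exchange 2010 cmdlet syntax, an export path of C:\EdgeSubscriptionInfo.xml, and an Active Directory site named Default-First-Site-Name; all three are placeholders for your environment. Step 2 (the Forefront TMG firewall policy rule that lets the Hub Transport servers reach the AD LDS Secure LDAP listener on the TMG server, TCP port 50636 by default) is configured in the Forefront TMG Management console and is not scripted here.

```powershell
# Added example, not from the original page. Run the first section on the
# Forefront TMG / Edge Transport server and the remaining sections on a Hub
# Transport server in the target Active Directory site.
# Assumed values: $edgeFile path, $site name, Exchange 2010 cmdlet syntax.
# (Exchange 2007 takes -FileName instead of -FileData on the Hub Transport side.)

# --- Step 3: on the Forefront TMG / Edge Transport server -------------------
$edgeFile = 'C:\EdgeSubscriptionInfo.xml'   # assumption: export location

# Export the Edge Subscription file. It is written in clear text and holds the
# credentials the Hub Transport servers will use for EdgeSync, so treat it as
# a secret and complete the import within 24 hours of this export.
New-EdgeSubscription -FileName $edgeFile

# Copy $edgeFile to a Hub Transport server (removable media or a secure copy),
# then delete it from the TMG server and from the media once it is imported.

# --- Step 4: on a Hub Transport server in the Exchange organization ---------
$edgeFile = 'C:\EdgeSubscriptionInfo.xml'   # assumption: where the copy landed
$site     = 'Default-First-Site-Name'       # assumption: site of the Hub servers

# Exchange 2010 expects the file contents as a byte array.
$fileData = [byte[]](Get-Content -Path $edgeFile -Encoding Byte -ReadCount 0)

# Create the subscription and the default Send connectors (Internet-bound via
# the Edge server, and inbound from the Edge server to the organization).
New-EdgeSubscription -FileData $fileData -Site $site `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# The clear-text file is no longer needed once the subscription exists.
Remove-Item -Path $edgeFile -Force

# Do not wait for the scheduled interval; replicate immediately.
Start-EdgeSynchronization

# --- Step 5: verify the synchronization -------------------------------------
# Test-EdgeSynchronization reports the replication state for each subscribed
# Edge Transport server.
$results = Test-EdgeSynchronization
$results | Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetail

# The same outcome is recorded in the Application log under the
# "MSExchange EdgeSync" source; warnings and errors there indicate a failure.
Get-EventLog -LogName Application -Source 'MSExchange EdgeSync' -Newest 20 |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize

$failed = $results | Where-Object { $_.SyncStatus -ne 'Normal' }
if ($failed) {
    Write-Warning ("EdgeSync is not in Normal state for: " +
        (($failed | ForEach-Object { $_.Name }) -join ', '))
}
```

Run Test-EdgeSynchronization again after the first scheduled interval; a subscription that reports Normal immediately after Start-EdgeSynchronization but later fails usually points at the step 2 firewall rule or at an expired subscription file.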

Next Steps

Preparing to run the Microsoft Exchange EdgeSync service

Tasks

Installing prerequisites for e-mail protection

Concepts

Planning to protect against e-mail threats
Configuring protection from e-mail-based threats