Forefront TMG 2010: Publishing Exchange server 2010

To ensure that every Exchange client access mail securely from anywhere (internally and externally) Exchange deployment published through Forefront TMG 2010. you need to plan and deploy the different roles of Exchange Server which includes Exchange HT, CAS, ET and Mailbox and publish in Forefront TMG 2010. The main purpose of these deployment is to improve performance for client access, secure client access and encourage utilization of best practices of Exchange, TMG, and the Exchange clients (Microsoft Outlook) involved. There are few consideration you must take into account such as placing of server in different network segments. Create proper policies in TMG to allow https, POP3, IMAP, SMTP traffic securely to Microsoft Mail clients. In the following figure, I have illustrated a typical Exchange 2010 design that include Forefront TMG 2010.


Client Access

Allowing client access, you need to understand and plan what client access methods you need to make available on the Internet for your end users. Users with laptops can either use Outlook Web Access (OWA), which is lightweight and available via a Web browser to access
their mailboxes, or they can use RPC over HTTP over the Internet to check e-mail via Microsoft Outlook. Of course users with mobile devices capable of ActiveSync can access their mailboxes using Exchange Active Sync (EAS). When the administrator has decided which client access methods need to be made available, access to certain folders needs to be allowed through TMG. This is done via the Exchange Publishing Wizard, which is discussed in the next section. the default paths configured after running the New Exchange Publishing Wizard.

Outlook Web Access





RPC over http


Outlook Mobile Access

Not Supported

Exchange Active Sync


Outlook Anywhere





Enterprise Root CA

When you publish Exchange client access with TMG, communications from external clients and from TMG itself to the published server can be encrypted using Secure Sockets Layer (SSL). Certain authentication mechanisms, such as Basic Authentication, allow user credentials
to be sent in clear text over the wire. This can be potentially unsafe if anyone runs a network sniffer over the wire and can therefore see user names and passwords. Hence it is essential to ensure that traffic is encrypted using SSL. By using certificates, we can analyze the session at
TMG before we forward it to the published Exchange Server by terminating the connection at the TMG. This is known as SSL bridging. SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, TMG decrypts the client’s request, inspects it, and terminates the SSL connection with the client computer. The Web Publishing rules determine how TMG communicates the request for the object to the published Exchange server. If the secure Exchange publishing rule is configured to
forward the request using Secure HTTP (HTTPS), TMG initiates a new SSL connection with the published server. Because TMG is now an SSL client, it requires the published Web server to respond with a server-side certificate.


TMG has a custom form for the Outlook Web Access client that is preconfigured when you use the Exchange publishing wizard. Using forms-based authentication, you can enforce required authentication methods, enable two-factor authentication, and provide centralized logging. After a user is authenticated, TMG can then delegate the credentials as per the configuration on the rule to the Exchange Server. It is important to ensure that the credentials being delegated should be in the same form as expected by the Exchange Server. In the event
of an authentication mismatch, client access fails and a credential delegation alert is logged by TMG.

Authentication Method Access Method
Microsoft Active Directory 2008
LDAP (Active Directory)

Outlook Web Access
Outlook Anywhere
Microsoft ActiveSync (only basic Authentication)


Outlook Web Access
Microsoft ActiveSync
(requires RSA SecurID
component installed
on Exchange servers)

Outlook Web Access

When a Web client connects to an Outlook Web Access
Exchange Server front-end server, it loads the Outlook Web page that contains the user- interface icons and headers of messages currently in the mailbox. Subsequently, any operation that the user performs (such as Open, Send, or Move To Folder) generates a new HTTP connection that transfers an average of 10 to 20 KB. When accumulating the behaviour of Outlook Web Access over many users, the Web client
typically creates relatively low bits per connection value (such as 100 kilobits per connection).  This traffic profile is relatively light and is distinguished by only two TCP connections, with a request rate corresponding to the user’s e-mail activity. Because this client is browser-based, it’s much less likely to produce error states as a normal course of events as does the Outlook

RPC over HTTP  or Outlook Anywhere

RPC over HTTP enables Outlook clients to access an Exchange
server in the internal corporate network from the Internet. When connecting to Exchange Server, an Outlook client working in Cached Exchange Mode typically starts with a synchronization of mailbox content with a local cache file by opening up anywhere between 10 to 15 connections to TMG. This behaviour is by default. After the
synchronization is complete, intermittent connections occur, in which new messages are transferred. The Outlook client would, however, maintain about 10 connections with TMG after it is connected. For a user utilizing Outlook heavily, the synchronization operation transfers many bytes of data over a small number of connections, so the overall characteristic bits per connection value is rather high (such as 500 kilobits per connection). 
Also known as RPC over HTTP, this traffic profile is the noisiest of all Exchange clients. It imposes a combination of high connection count (can be 20 or more separate TCP connections) with a higher data rate also coincident with the user activity.

Exchange Active Sync or Outlook Mobile Access

This traffic profile is the lightest client of all, with only one TCP connection and very light traffic flow. A new HTTP connection is only made when a user performs an operation such as Open, Send, or Move To Folder.

Relevant Articles

Exchange Server 2010: Server Roles

How to configure Exchange 2010 Hub Transport (HT) Server

How to configure Exchange 2010 Client Access Server (CAS) Role

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

share this Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , . Bookmark the permalink.

3 Responses to Forefront TMG 2010: Publishing Exchange server 2010

  1. Pingback: How to publish Exchange Anywhere in Forefront TMG 2010 « Information Technology Blog

  2. Pingback: How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide « Information Technology Blog

  3. John Che says:

    hi Raihan,

    Is the ip address of External NIC of TMG public IP in this senario?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s