Forefront for Exchange 2010 and Forefront TMG

    Question

  • Hi,

    Sorry if I asked in wrong place.

    I'm trying to figure out how the combination of Forefront for Exchange 2010 and Forefront TMG works, and what the role of Forefront TMG is in this case. Can I install the Edge server role on a domain member TMG server, and use Forefront Security for Exchange, which comes with TMG, as protection? And how does it work with licensing?

    Thank you
    alfa21
    Thursday, November 12, 2009 4:57 PM

All replies

  • Hi,

    if you want to use the mail protection of TMG you first have to install Exchange Edge and then Forefront Protection 2010 for Exchange. On top you have to install TMG. TMG should be a domain member because of all the authentication mechanisms it has when it's in a domain.

    Licensing is easy :-)

    You have to license an Exchange Server used for the Edge role and then Forefront Protection for Exchange. If you have enterprise user CALs then Forefront Protection 2010 for Exchange is included in these CALs. And lastly, the license of TMG per CPU in the server.

    Greetings

    Christian
    Christian Groebner MVP Forefront
    Thursday, November 12, 2009 10:08 PM
  • Hi,

    Thank you for the post.

    I agree with Christian. And you may refer to this link: http://technet.microsoft.com/en-us/library/ee338733.aspx

    Regards,

    Nick Gu - MSFT
    Friday, November 13, 2009 3:03 AM
  • Thank you for this very valuable information. Only some clarifications more about installation, and licensing.

    So it means that, installing Edge on TMG, I don't need an extra server only for Edge, like it was the case with Exchange 2007. My organization is small, around 250 users, not too much load.

    About licensing, does it mean that both Forefront Protection 2010 for Exchange installed on the Exchange server, and Forefront installed on TMG, can be licensed through enterprise user CALs? Is there any difference between them in regards to scanning, or are they installed only as protection in two different places?

    Thank you for your support.


    alfa21
    Friday, November 13, 2009 8:08 AM
  • Hi,

    yes if you want to use the email protection of TMG you have to install Exchange Edge/Forefront for Exchange and TMG on the same machine.

    As far as I know the enterprise CALs of Exchange are good enough for both servers, but to be sure I would advise calling a licensing expert.

    The difference between Forefront for Exchange installed on an Edge and Mailbox Server is that on an Edge Server you can't scan the mailboxes and don't have the filtering options for mailboxes; that's because Exchange Edge doesn't have an information store. I would recommend setting up different scan engines on both servers to be secure.

    Greetings

    Christian
    Christian Groebner MVP Forefront
    • Marked as answer by alfa21 Friday, November 13, 2009 10:23 AM
    Friday, November 13, 2009 9:51 AM


  • If I install TMG as well as the Edge role in a workgroup and establish an Edge sync subscription, will I also be able to give user-based permissions on the rest of TMG/ISA?

    Agreed that I will not have all the authentication mechanisms. But let's suppose we don't prefer it over having a machine in a workgroup?

    Friday, November 20, 2009 10:53 PM
  • Hi,

    if you have TMG/ISA in a workgroup then you can do only authentication with RADIUS for outbound traffic and additionally LDAP for publishing. Every time the user opens the browser he will be asked for credentials because integrated authentication is not working. So my advice would be to put TMG/ISA in the domain.

    Btw. all my ISA/TMG installations have been in a domain. In my eyes TMG/ISA gives me more security in a domain than in a workgroup.

    Greetings

    Christian
    Christian Groebner MVP Forefront
    Saturday, November 21, 2009 9:32 AM
  • Hi Christian,

    Sorry to add on to this thread, but I guess I need some info since I was tasked to research Forefront TMG 2010.

    Our company wants to restrict OWA usage to internal and allow it to be used externally by some users only. I have read in some posts that this can only be achieved if we use TMG. Is this possible?

    Thanks

    Tuesday, February 26, 2013 8:50 PM
  • Hi,

    check my answer in the following thread:

    http://social.technet.microsoft.com/Forums/en-US/FSENext/thread/0c9996dc-c081-42bf-94e1-d286297015a2

    Greetings

    Christian


    Christian Groebner MVP Forefront

    Tuesday, February 26, 2013 9:25 PM