The Edge Subscription is a relationship between an Edge Transport server and an Active Directory site, and allows the Edge Transport server to receive information about the Exchange organization such as recipients, domain names, and safelists/blocklists for anti-spam.

This information is synchronized at regular intervals through a process called EdgeSync.

Firewall Ports for Exchange Server 2010 Edge Transport Servers

For EdgeSync and mail flow to work there are a few network ports that need to be open on the firewall between the Internet, the Edge Transport server, and the internal Hub Transport server.

Edge Transport Server Network Ports for EdgeSync

• Secure LDAP (TCP 50636) from the Hub Transport server to the Edge Transport server

Edge Transport Server Network Ports for Mail Flow

• SMTP (TCP 25) from the Internet to the Edge Transport server
• SMTP (TCP 25) from the Edge Transport server to the Hub Transport server
• SMTP (TCP 25) from the Hub Transport server to the Edge Transport server
• DNS (UDP 53) from the Edge Transport server to a DNS server capable of public DNS lookups (ie to look up MX records)

Configuring ISA Server 2006 for Edge Transport Servers

If you are using ISA Server 2006 as your firewall and want to create the access rules for the Edge Transport server the first thing you’ll need to configure is a new network protocol for the secure LDAP connection. ISA Server 2006 is pre-configured with a secure LDAP protocol however the EdgeSync process uses the non-standard port of TCP 50636.

Create a new network protocol named “EdgeSync” for TCP 50636 outbound.

Configure the ISA Server 2006 firewall policy with access rules for the Edge Transport network access required.

Creating the Edge Subscription for Exchange Server 2010 Edge Transport Servers

With the firewall access all configured correctly the next step is to configure the Edge Subscription itself.

On the Edge Transport server open the Exchange Management Shell and run the following command using the New-EdgeSubscription cmdlet.

[PS] C:\>New-EdgeSubscription -FileName C:\edgesubscription.xml

Confirm
If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result,
any of the following objects that were created manually will be deleted: accepted domains, message classifications,
remote domains, and Send connectors. After creating the Edge Subscription, you must manage these objects from inside
the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the
TransportConfig object will be overwritten during the synchronization process.
 EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Hub Transport servers in the
Active Directory site to which the Edge Transport server is being subscribed, and those Hub Transport servers be able
to resolve the FQDN of this Edge Transport server. You should complete the Edge Subscription inside the organization in
 the next "1440" minutes before the bootstrap account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

There are two important things to be aware of here:

• You must complete the next step of the Edge Subscription process within 1440 minutes (24 hours), otherwise you’ll need to generate a new Edge Subscription again
• The Hub Transport servers in the Active Directory site that will be subscribed must be able to resolve the FQDN of the Edge Transport server. You can either add DNS records manually or use a HOSTS file entry.

Copy the “edgesubscription.xml” file to the Hub Transport server. Launch the Exchange Management Console and navigate to Organization Management/Hub Transport.

In the Actions pane click on New Edge Subscription.

Browse and select the Active Directory site to be subscribed, as well as the XML file that you copied from the Edge Transport server.

Click the New button to complete the wizard.

After the Edge Subscription has been created you will see two Send Connectors configured for your organization.

It can take up to an hour before the first Edge synchronization process runs, but you can run it manually if you need to. On the Hub Transport server launch the Exchange Management Shell and run the following command using the Start-EdgeSynchronization cmdlet.

[PS] C:\>Start-EdgeSynchronization -Server esp-ho-ex2010a

RunspaceId     : b7415ae2-f763-449e-bb36-20a6a18759cd
Result         : Success
Type           : Configuration
Name           : esp-ho-ex2010e
FailureDetails :
StartUTC       : 5/7/2011 1:27:39 PM
EndUTC         : 5/7/2011 1:28:07 PM
Added          : 290
Deleted        : 0
Updated        : 0
Scanned        : 295
TargetScanned  : 0

RunspaceId     : b7415ae2-f763-449e-bb36-20a6a18759cd
Result         : Success
Type           : Recipients
Name           : esp-ho-ex2010e
FailureDetails :
StartUTC       : 5/7/2011 1:27:39 PM
EndUTC         : 5/7/2011 1:28:08 PM
Added          : 401
Deleted        : 0
Updated        : 0
Scanned        : 401
TargetScanned  : 0

After the initial Edge synchronization has occurred you will be able to see the Send Connectors and Accepted Domains configured on the Edge Transport server.

Testing Mail Flow

After the Edge Subscription is in place and you’ve synchronized at least once you can send email between your Exchange organization and an external mailbox, and then inspect the email message headers to verify that the messages are traversing your Edge Transport server.

Received: from esp-ho-ex2010e.exchangeserverpro.net (10.0.3.2) by
 esp-ho-ex2010a.exchangeserverpro.net (10.0.1.4) with Microsoft SMTP Server
 (TLS) id 14.1.289.1; Sat, 7 May 2011 23:50:10 +1000
Received: from (192.168.0.45) by esp-ho-ex2010e.exchangeserverpro.net
 (10.0.3.2) with Microsoft SMTP Server id 14.1.218.12; Sat, 7 May 2011
 23:50:07 +1000
MIME-Version: 1.0
Content-Type: text/plain

Related posts:

• Avoiding Infinite Loops with Internal Relay Domains in Exchange 2007/2010
• Exchange 2007/2010 Transport Rule Logging
• Exchange 2010 Edge Transport Server: Configuring IP Block List Providers
• Installing an Exchange Server 2010 Edge Transport Server
• Exchange 2010 Edge Transport Server Introduction

This article Exchange 2010 Edge Transport Server: Configuring EdgeSync is © 2011 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

• A public DNS name for Outlook Web App (in this example mail.exchangeserverpro.net is used)
• An ISA Server 2006 (with Service Pack 1) firewall configured with an external interface and IP address corresponding to the above DNS record
• An SSL certificate for Exchange Server 2010
• Exchange 2010 Client Access and Mailbox servers deployed in the organization

This diagram provides an overview of how Outlook Web App is published using ISA Server 2006.  The remote user makes a connection over HTTPS (SSL) to the ISA firewall, which then reverse proxies the traffic over SSL to the Client Access server.  The Client Access server is then responsible for proxying the requests for the user’s mailbox to the appropriate Mailbox server using RPC connections.

Configuring the Exchange 2010 Client Access Server

In this example the /OWA virtual directory on the Client Access server is configured for both Basic and Integrated authentication.  This combination allows internal, domain-joined computers to seamlessly log on to Outlook Web App while also permitting the ISA server to use Basic delegation to authenticate the remote user.

For more details see this article on how to configure Outlook Web App authentication.

The Client Access server /OWA virtual directory has also been configured with the external URL to match the public DNS name.

The Client Access server also needs to be configured with an SSL certificate.  Preferably this SSL certificate is from a public certificate authority but it can also be a private CA, as long as it is one that the ISA server trusts so that ISA considers the certificate to be valid.  You can of course import root certificates to make just about any certificate trusted by ISA but it is less effort and a better overall solution to use a public CA.

Configuring the ISA Server SSL Certificate

The ISA server needs to be configured with an SSL certificate to accept the secure remote access connections.  Although you can issue the server with its own certificate for this purpose you could also export the SSL certificate from the Client Access server and import it to the ISA server, provided that the license terms your issuing CA allow for that.  Digicert is an example of a CA that allows certificates to be installed on multiple servers.

For more details see this article on exporting an SSL certificate from Exchange 2010 (note that it refers to importing it for Exchange 2003 but the steps are the same for importing to an ISA Server 2006 firewall running on Windows Server 2003).

Configuring the ISA Server Publishing Rule for Outlook Web App

In the ISA Server Management console right-click the Firewall Policy and choose New -> Exchange Web Client Access Publishing Rule.

Give the new rule a name and click Next to continue.

Set the Exchange version to Exchange Server 2007 (yes this is correct for Exchange 2010 publishing) and tick the box for Outlook Web Access, then click Next to continue.

In this case a single server is being published. Click Next to continue.

Enter the internal site name for OWA (in this case mail.exchangeserverpro.net), and optionally enter a computer name or IP address for ISA to connect to if the internal site name does not resolve in the internal DNS zone.  Click Next to continue.

Configure the public names that this rule should accept connections for and click Next to continue.

Now we need to configure a web listener to accept the remote user connections.  Click on the New button.

Give the new web listener a name and click Next to continue.

Leave the default choice to require SSL and click Next to continue.

Select the External interface for the web listener to listen on.  If your External interface has multiple IP addresses you can configure the web listener to listen on all, some, or just one of those IP addresses.  Click Next to continue.

Click on the Select Certificates button.

A list of valid certificates will appear, which should include the one you imported to the server earlier.  Choose that certificate and click the Select button, then click Next to continue.

Leave the authentication set to HTML Form Authentication and Windows (Active Directory).  Note this assumes your ISA server is joined to the domain, otherwise you can configure LDAP authentication.  Click Next to continue.

Single Sign-On is useful but optional.  Click Next to continue.

Click Finish to complete the new web listener wizard.  If there are no warnings or errors displayed click Next to continue.

Leave the authentication delegation set to Basic Authentication and click Next to continue.

Leave the users set to All Authenticated Users and click Next to continue.

Before you click Finish to create the new rule first click on the Test Rule button to validate the settings you chose.

If the tests are all successful click on Close and then Finish to create the rule.

Before applying the changes to the Firewall Policy double-click the new rule to open its properties.  Select the Paths tab and then click Add.

Add the Exchange Control Panel virtual directory path of /ecp/* and then click OK and OK again.

Now click Apply to commit the changes to the Firewall Policy.

Testing the ISA Server 2006 Publishing Rule for Outlook Web App

Now that the rule has been configured we can test it from outside of the firewall using a web browser.  When the remote user first connects to the Outlook Web App URL they will see the Exchange 2007 style log on form that ISA 2006 renders.

However after logging in the Exchange Server 2010 Outlook Web App interface will be available to the remote user.

Related posts:

• OWA Error: The Mailbox You’re Trying to Access Isn’t Currently Available
• Exchange Server 2010 Error: Outlook Web App Didn’t Initialize
• Exchange 2010 Edge Transport Server: Configuring EdgeSync
• Publishing Exchange 2010 POP3 with ISA Server 2006
• Exchange 2010 OWA Legacy URL Redirection HTTP 500 Error

This article How to Publish Outlook Web App with ISA Server 2006 is © 2011 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Creating the Mail Submission Protocol Definition

The first step is to create a new protocol definition in ISA Server 2006 for the port on which clients will send mail.  As we saw in the previous articles on configuring Windows Live Mail for Exchange 2010 POP3 and publishing POP3 client settings to users the Receive Connector on the Exchange 2010 Client Access server uses TCP port 587.  There is no default protocol definition in ISA Server 2006 for this port.

In the ISA management console go to the Toolbox in the right-hand pane and in the Protocols section click New -> Protocol.

Give the new protocol a meaningful name.

Click the New button to configure the port for the new protocol.

Configure the protocol for TCP, Inbound, on port 587.

Don’t configure any secondary connections.

Click Finish to complete the new protocol definition.

Creating the ISA 2006 Access Rule for Exchange 2010 POP3 Clients

The next step is to create the access rule itself.  There is a mail server publishing wizard that you can use to set up access rules for POP3, IMAP and SMTP but because it doesn’t include the option to set up the correct client mail submission port we’re using in this scenario, which means a little modification is needed at the end.

Start the Mail Server Publishing Rule wizard.

Give the rule a meaningful name.  This name will then be appended automatically by ISA server depending on the protocols you choose in the next steps.

Set the Access Type to Client Access: RPC, IMAP, POP3, SMTP.

Tick the boxes for secure POP3 and standard SMTP (we’ll be changing the SMTP one shortly).

Enter the IP address of the Client Access/Hub Transport server.  Note if these are different servers in your network you would just need to run the wizard twice to create one rule for POP3 to the Client Access server IP, and the other for SMTP to the Hub Transport server IP.

Set the listening network to External.

Click Finish to complete the wizard.

The two newly created rules will be visible in the Firewall Policy.  Double-click the SMTP rule to open it.

On the Traffic tab change the protocol from SMTP to the Client Mail Submission protocol we created earlier.

Click OK to apply the change to the rule.

The final step is to click Apply to commit the changes to the Firewall Policy.

You can now test the firewall rule with an email client outside of the network.

Related posts:

• Exchange Server 2010 POP3: Securing POP3 Client Remote Access
• Exchange Server 2010 POP3: Getting Started
• How to Configure Windows Live Mail for Exchange 2010 POP3
• Exchange 2010 Edge Transport Server: Configuring EdgeSync
• How to Publish Outlook Web App with ISA Server 2006

This article Publishing Exchange 2010 POP3 with ISA Server 2006 is © 2011 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Despite the attention paid toward protecting computers from viruses and spam there is often little attention given to the threat presented by common, everyday web browsing.  When internet access is made available to staff with no restrictions in place it opens up the business to several risks such as:

•    Viruses and other malware downloaded from websites
•    Inappropriate content such as pornography accessed by staff
•    “Cyberslacking”, or wasting time on non-work related websites and instant messaging

GFI WebMonitor for ISA Server solves these problems for business by providing comprehensive security features that can scan file downloads for malware, limit or block access to undesirable websites, and prevent instant messaging communication.  By installing GFI WebMonitor on your Microsoft ISA Server firewall or web proxy you can prevent viruses from getting inside of your network and improve staff productivity.

Read the full tutorial here.

Related posts:

• Exchange Server Archiving: Review of GFI MailArchiver
• Exchange 2010 Edge Transport Server: Configuring EdgeSync
• How to Publish Outlook Web App with ISA Server 2006
• Publishing Exchange 2010 POP3 with ISA Server 2006
• Review of GFI Backup Business Edition

This article GFI Web Monitor Tutorial is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

I was drawn to a particular quote in his article about the relative security of ISA Server to other popular firewalls in the context of the number of reported security vulnerabilities for each product.

A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) have no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall.

There are a lot of firewall appliances out there so I didn’t do an exhaustive search of their stats on Secunia, but I did take a look at the stats for ISA Server, Cisco Pix, and OpenBSD as those are the three firewalls I am most familiar with in my professional life.

ISA Server

Cisco Pix

OpenBSD

I found those numbers to be pretty interesting. It is not unusual to have a customer request that a two-tiered firewall infrastructure be implemented on their environment. Often this means they request that some type of “appliance”, be that a Cisco Pix or some other third party box painted red and given a secure sounding name, be placed between the internet and the ISA Server that we are implementing for them. Sometimes this is based on the principle of defense in depth, whereas other times it is based on a false belief that a product from Microsoft couldn’t possibly be secure. Maybe if they saw the stats above they would think otherwise.

Related posts:

• Well-designed security systems fail gracefully, SonicWALL does not
• Publishing Exchange 2010 POP3 with ISA Server 2006
• Microsoft Exam 70-350: Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004
• Security hole found in OpenBSD
• Exchange 2010 FAQ: Are Wildcard SSL Certificates Supported?

This article Tom Shinder on “hardware” firewalls is © 2007 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com