Email Protection in Forefront TMG 2010 Release Candidate

Hello Community: As you probably know, Forefront TMG introduced the E-mail Protection feature in Beta 3. Since then we’ve made significant improvements based on our plans and your feedback.

I’d like to go over the basics of installing Forefront TMG and the additional components necessary for e-mail protection, and point you to the relevant links where you can extend your knowledge on this great feature.

But first, what is the E-mail Protection feature?

The E-mail Protection feature provides central management for Microsoft Exchange Edge and Forefront Protection for Exchange when located on the same server with Forefront TMG. The feature provides e-mail protection at the edge with array support and allows firewall administrators to manage and deploy SMTP, antispam and anti-malware policies on the edge, so that the organization will be able to protect itself from malicious e-mail messages and spam. The feature also allows administrators to configure Exchange Edge Subscriptions for the entire array using a couple of wizards.

This feature is leveraging two best-of-breed Microsoft products — Microsoft Exchange Edge Transport, and Microsoft Forefront Protection for Exchange — that offer a great SMTP experience while maintaining security throughout for SMTP traffic. To take advantage of this feature, you need to install both of these products on all of the Forefront TMG servers in your array.

What’s new in E-mail Protection since Forefront TMG Beta 3

In release candidate (RC) release, we added the following enhancements:

1. Edge Subscription support – Configuring an Edge Subscription in Exchange Edge through Forefront TMG is simpler than ever:

a. Use the E-mail Policy Wizard to allow Edge traffic on Forefront TMG.

b. Create the subscription files with a click: “Generate Edge Subscription Files”.

c. Import the files to the Exchange Hub server, and that’s it! The subscription is up and running.

2. Flexible installation time – In Beta 3, you needed to install the Edge Transport role and Forefront Protection for Exchange 2010 (the prerequisites) before installing Forefront TMG on the server. Today you can install E-mail Protection prerequisites before or after deploying Forefront TMG.

3. Route authentication configuration – we’ve added authentication configuration support through the Forefront TMG UI. Simply right-click on the relevant SMTP route, select Properties, and set the authentication method.

4. Support for IP block/allow list providers, authentication, automatic tracking for Exchange/FPES licensing expiration, Exchange/FPES services monitoring (in the services pane and alerts are generated in case of a problem) and a few more features.

5. Several adjustments that were made in response to customer feedback.

How do I plan and deploy the feature?

Forefront TMG has comprehensive guides on planning and deploying the E-mail Protection feature:

1. The planning guide can be found here:

2. A guide to the prerequisites you need to install prior to configuring E-mail Protection can be found here:

3. You can learn how to configure E-mail Protection here:

4. To learn more about Edge Subscriptions, please follow this link:

5. Some information on what happens “behind the scenes” can be found in Understanding E-Mail Protection on Forefront TMG

6. How to implement and use Edge Subscriptions properly can be found in Using Mail Protection with Exchange EdgeSync on Forefront TMG

Q & A

1. Which versions of Microsoft Exchange and Forefront Protection for Exchange are supported in Forefront TMG?

In the table below you can find the support matrix:


Windows Server 2008 (SP2)

Windows Server 2008 R2

Microsoft Exchange Edge 2007 SP2



Microsoft Exchange Edge 2010



Forefront Protection for Exchange 2010



Forefront TMG



* Recently a blog post was published by the Exchange team saying that they reconsidered and are planning to support Windows Server 2008 (SP2). To read more about it please follow this link:

2. What licenses do I need to have in order to deploy the E-mail Protection feature?

In addition to the Forefront TMG 2010 license, you will need to purchase two other licenses: one for Microsoft Exchange Edge, and another for Forefront Protection for Exchange 2010. More on licensing can be found here:

· Microsoft Exchange 2010 licensing information can be found here:

· Forefront Protection for Exchange 2010 licensing information can be found here:


Gabriel Koren

Forefront Threat Management Gateway Test Team

Comments (2)

  1. Volker says:

    Which Exchange CALs would I need? (Enterprise or Standard)

Skip to main content