Microsoft Forefront Threat Management Gateway Computer Science Essay



In this chapter, the author reviews the literature on Microsoft Exchange Server 2007, Microsoft Forefront Threat Management Gateway, and Microsoft Forefront Security for Exchange Server. This software is commonly used in the SME environment. The chapter gives an overview of each product listed and discusses its pros and cons.

1.2 Overview of Microsoft Exchange Server 2007

Microsoft Exchange Server is developed by Microsoft as messaging and collaboration software. Its major features consist of electronic mail, contacts, calendaring, support for mobile and web-based access to information, and support for data storage.

Microsoft Exchange Server 2007 was released on November 30, 2006. Two service packs have since been released: Exchange Server 2007 SP1 and Exchange Server 2007 SP2. Exchange Server 2007 introduced a lot of new features and technologies that were not available in previous versions of Exchange Server. These new features not only increase productivity, reliability, manageability, and security for a business, they also reduce the administrative overhead.

Exchange Server 2007 can run on a few operating systems. For this project, the author has chosen Microsoft Windows Server 2008 as the main OS platform. Windows Server 2008 provides several benefits and advantages to Exchange Server, such as support for multi-subnet failover clusters, near-zero downtime when fixing NTFS corruption, faster log file shipping, reduced downtime for hardware maintenance, and greater scalability for Client Access servers that provide Outlook Anywhere services. Besides that, Windows Server 2008 makes Exchange Server easier to deploy: the prerequisite software does not need to be downloaded separately, since it can be quickly installed from the new Server Manager MMC console provided by Windows Server 2008. Furthermore, IPv6, a new feature of Windows Server 2008, can be used by Exchange Server for later-generation deployments. (Exchange Server and Windows Server 2008, Part II, 2008)

Exchange Server 2007 allows the administrator to manage recipient objects, e-mail addresses and address lists, and it can also create public folders for the organization to share information. Not only that, the Client Access server role provided by Exchange Server 2007 manages client access in the organization. A new system for transporting messages, called Hub Transport, was created in Exchange Server 2007. Besides that, a new role supported by Exchange Server 2007, Unified Messaging, allows users to access voice, fax and e-mail messages through their mobile devices. The details of the statements above will be discussed in a later chapter.

1.2.1 New in Microsoft Exchange Server 2007 SP1 and Microsoft Exchange Server 2007 SP2

Exchange Server 2007 has been released in a few versions, with different improvements between them. The author has decided to compare Exchange Server 2007 SP1 and Exchange Server 2007 SP2, and will write down all of the new features provided by these two service packs.

New in Microsoft Exchange Server 2007 SP1

Exchange Server 2007 SP1 has a lot of new features and improvements, such as new deployment options. Exchange Server 2007 can now be installed on either Windows Server 2003 or Windows Server 2008. With the new functionality provided by Windows Server 2008, Exchange Server can use IP address ranges in IPv4 or IPv6. As the shortage of IPv4 addresses approaches, IPv6 can help to solve this problem.

The second new thing is the improvement of the Client Access server role, which improves the setup and configuration of proxying and redirection for services such as Exchange ActiveSync, Outlook Web Access, and POP3/IMAP4. Another new thing in Exchange Server 2007 SP1 is improvements in transport. With the two new server roles provided by Exchange Server 2007, the Hub Transport server role and the Edge Transport server role, an organization can easily manage and secure its mail system.

Besides that, improvement of the Mailbox server role is also one of the new things in Exchange Server 2007 SP1. The Mailbox server role provides new public folder features that make public folders easier to manage. Another new feature of Exchange Server 2007 SP1 is high availability: it not only supports Windows Server 2008, but many improvements have been made in reporting and monitoring, performance, the transport dumpster, and the Exchange Management Console. The Unified Messaging server role is another important feature of Exchange Server 2007, and SP1 adds some new features to this role. Unified Messaging can now be set up with or without Communications Server 2007. (What's New in Exchange Server 2007 SP1, 2007)

New in Exchange Server 2007 SP2

Exchange Server 2007 SP2 came out about two years after the release of SP1. This version not only retains the features provided in Exchange Server 2007 SP1; Microsoft has also added quite a lot of new features and improvements compared to the previous version. The first important feature of this version is support for deploying Exchange Server 2010: an Exchange Server 2007 Client Access server can be deployed alongside Exchange Server 2010, and the transition only requires upgrading every server role to Exchange Server 2007 SP2.

Besides that, Exchange Server 2007 SP2 provides a VSS plug-in for Windows Server Backup for backing up Exchange, which enhances the Exchange backup functionality. Another feature provided by Exchange Server 2007 SP2 is enhanced auditing: SP2 provides new Exchange auditing events and an audit log repository. With the new auditing features in SP2, the administrator can easily audit the activities that occur on the Exchange Server.

Another new feature found in Exchange Server 2007 SP2 is dynamic Active Directory schema validation. This feature enables easier management of future schema updates, because it allows schema updates to be deployed dynamically. It also prevents support issues when adding properties that do not exist in the AD schema. Public folder quota management is another improvement provided by Exchange Server 2007 SP2. With the new public folder management, the administrator can manage public folder quotas for users more easily by using the current cmdlets.

Two other minor improvements provided by Exchange Server 2007 SP2 are centralized organizational settings and an improved setup program. Several new cmdlet parameters have been added, which allow the administrator to centralize the Exchange organization settings. A few installers must be run in Exchange Server 2007 SP2 for update rollups. (What's New in Exchange Server 2007 SP2, 2009)

1.3 Overview of Exchange Server 2007 Server Roles

In Exchange Server 2007, the functionality that Exchange servers provide has been separated into five server roles: the Hub Transport server role, Mailbox server role, Edge Transport server role, Client Access server role, and Unified Messaging server role. These server roles can either be installed separately, or all of them except the Edge Transport role can be installed on one server. The author will give an overview of all of the server roles provided by Exchange Server 2007.

1.3.1 Hub Transport server role

The Hub Transport server role is responsible for message routing. The Hub Transport server performs message categorization and routing, and handles all messages that pass through an organization. At least one Hub Transport server must be configured in each Active Directory site that contains a Mailbox server or a Unified Messaging server, and the server running the Hub Transport server role must be a member of an Active Directory domain. (Hub Transport Server Role, 2006)

1.3.2 Mailbox server role

The Mailbox server role is responsible for managing mailbox and public folder databases. Mailboxes and public folders reside on the Mailbox servers. Mailbox servers contain storage groups and stores, and support clusters for reliability and high availability. The Mailbox server role also provides calendaring functionality, resource management, and offline address book downloads. Because Mailbox servers require Active Directory access, the Mailbox server role must be assigned to a member server in an Active Directory domain. (Mailbox Server Role, 2007)

1.3.3 Edge Transport server role

The Edge Transport server role is designed to be the Simple Mail Transfer Protocol (SMTP) gateway server between the organization and the Internet. For better security of the organization's mail system, the computer that runs the Edge Transport server role should be deployed in a perimeter network and should not be a member of the internal Active Directory forest. An Edge Transport server provides services such as connection, recipient, sender and content filters, sender ID and sender reputation analysis, and attachment filters. Edge Transport servers can also run add-on software such as Microsoft Forefront Security for Exchange Server for antivirus control. Because the Edge Transport server is not part of an Active Directory domain, it uses AD LDS on Windows Server 2008 computers to access recipient information.

Implementing multiple Edge Transport servers provides load balancing and high availability. Note that the Edge Transport server and Hub Transport server cannot be installed on the same computer. Both the Hub Transport and Edge Transport servers provide message routing and delivery to and from the Internet; however, some advanced transport features are only available on Edge Transport servers. (Edge Transport Server Role, 2007)

1.3.4 Client access server role

The Client Access server role enables connections from a variety of client protocols to Exchange Server mailboxes. At least one Client Access server must be assigned in each Active Directory site that contains a Mailbox server. Client protocols that connect through a Client Access server include OWA clients, POP and IMAP clients, Outlook Anywhere, and Exchange ActiveSync clients. The Client Access server also supports services such as the Autodiscover service and Web services. (Client Access Server Role, 2007)

1.3.5 Unified Messaging server role

The Unified Messaging server role provides the services that integrate voice and fax messages into an organization's infrastructure. This role is new to the Exchange product line, and its telephony concepts are not familiar to an Exchange administrator. This role requires the presence of three other server roles: Hub Transport, Client Access, and Mailbox. The Unified Messaging server provides access to voice messages and faxes, which can be accessed from the client's telephone or computer. (Unified Messaging Server Role, 2006)

1.4 What is Electronic Mail (E-Mail)

E-mail is similar to a letter, except that the information is given and received in a different way. Computers use the TCP/IP protocol suite to send e-mail messages in the form of packets. The first thing needed to send and receive e-mail is an e-mail address. The contents of an e-mail can be anything in any format that can be stored on a computer. (What is Email, 2002)

1.4.1 An Email Address

An e-mail address typically has two main parts: the user name followed by the domain name. The user name refers to the recipient's mailbox, whereas the domain name refers to the mail server address, which usually has its own IP address. For example, [email protected]. (What is Email, 2002)

1.5 Pros and Cons about using Exchange Server 2007

In this topic the author discusses the advantages and disadvantages of using Exchange Server 2007.

1.5.1 Pros about using Exchange Server 2007

With the new features provided by Exchange Server 2007, a company or business can get a lot of benefits. The benefits come together with the features that Exchange Server 2007 provides, such as built-in protection, anywhere access and efficient operations.

Built-in protection

Built-in protection features like Edge Transport, hosted filtering integration, and anti-spam filtering can help to reduce viruses and spam. It also enables private communications. Besides that, features such as transport rules, messaging records management, and enhanced auditing can help to achieve compliance. The key benefits of built-in protection are: it ensures users and data are protected from harmful spam and viruses; it makes compliance easier while satisfying the needs of compliance staff in the organization such as managers, messaging administrators, and employees; it provides secure communication automatically for the organization without added complexity or cost; and it makes e-mail communication more reliable and available. (The Benefits of Exchange Server 2007, 2008)

Anywhere Access

Exchange Server 2007 offers new features such as Unified Messaging, mobile messaging, and web-based messaging and calendaring. These help employees access their e-mail, calendar, voice mail, and contacts from anywhere, on different types of devices and clients. The key benefits of these features are: they quickly deliver a familiar and consistent Outlook experience from different devices without any other software; improved collaboration makes it easier for staff to share and find documents, data, and schedules, increasing overall productivity among those who need to respond from outside the workplace; and they give employees a single inbox for voice mail, e-mail, and fax. (The Benefits of Exchange Server 2007, 2008)

Efficient Operations

Exchange Server 2007 helps the administrator deploy and manage the server more efficiently. The new features that contribute to operational efficiency include administration and automation, deployment, scalability and performance, and extensibility and programmability. The key benefits of these features are: improved administrator productivity, making it easier to repair problems and automate tasks; more efficient use of the hardware and network investment through powerful x64 computing and bandwidth optimization; and more efficient operation through improved monitoring and diagnostics, role-based server architecture, and automatic client connections. (The Benefits of Exchange Server 2007, 2008)

1.5.2 Cons of Exchange Server 2007

Exchange Server 2007 provides a lot of benefits and advantages to the community, but the more advanced the features, the higher the hardware and technical requirements. The first con of implementing Exchange Server 2007 in an organization is the high cost and complex configuration. Exchange Server 2007 requires an x64 computer to run properly. Not only that, because Exchange Server 2007 provides five server roles, an organization might need to set up more servers, one for each role, so setting up a mail system for an organization costs a lot. Other than that, third-party plug-in software written for x86 (32-bit) might not run properly on Exchange Server 2007 x64 computers. Finally, there is no in-place upgrade from Exchange Server 2003 to Exchange Server 2007, because Exchange Server 2003 runs on x86 (32-bit) computers and Exchange Server 2007 runs on x64 computers. (Exchange 2007 will shake up messaging, 2006)

1.6 Overview of Microsoft Forefront Threat Management Gateway

Microsoft Forefront Threat Management Gateway (TMG) is a secure web gateway and firewall system designed to ensure that all unwanted traffic from the Internet is kept out of an organization's network. At the same time, Forefront TMG can also be used to provide internal users with selective access to Internet resources, and Internet users with selective access to internal resources such as Web or e-mail servers. Forefront TMG is built on the foundation of ISA Server 2006 and is similar to it, including all the features that ISA Server 2006 provided. Forefront TMG is usually deployed at the perimeter of an organization's network, where its internal network connects to an external network like the Internet.

Forefront TMG can be used to enforce security policies governing the types of Internet access users should have. Many organizations allow remote users to access internal servers, and Forefront TMG can be used to ensure that access to internal server resources is secure. Forefront TMG also provides a new e-mail protection policy through integration with Microsoft Exchange Server and Microsoft Forefront Protection for Exchange Server. (Forefront Threat Management: Overview, 2009)

1.6.1 How Forefront TMG Works as a Firewall

A firewall is a device that is located between one segment of a network and another, and allows only authorized traffic to pass between the segments. The firewall is configured with traffic filtering rules that define the types of network traffic that will be allowed to pass through. A firewall can be configured to protect an organization from the internet, or it may be positioned internally to protect specific sections of an organization's corporate network.

In most cases, firewalls are deployed at the network perimeter. The primary purpose of a firewall in this configuration is to ensure that no traffic from a publicly accessible network like the Internet can enter an organization's internal network unless it has been explicitly permitted.

Packet Filtering

Packet filtering works by examining the header information of each network packet that arrives at the firewall. When a packet arrives at the Forefront TMG network interface, Forefront TMG opens the packet header and checks information such as the source and destination addresses and the source and destination ports. Forefront TMG compares this information against its firewall rules, which define which packets are allowed. If the source and destination addresses are allowed, and the source and destination ports are allowed, the packet passes through the firewall to the destination network. If the addresses and ports are not explicitly allowed, the packet is dropped and not forwarded through the firewall.

Stateful Filtering

Stateful filtering uses a more thorough examination of the network packet to decide whether to forward it or not. In stateful filtering, Forefront TMG examines the Internet Protocol (IP) and Transmission Control Protocol (TCP) headers to determine the state of a packet within the context of previous packets that have passed through Forefront TMG, or within the context of a TCP session.

Application-Layer Filtering

Forefront TMG also uses application-layer filtering to determine whether a packet is allowed. Application-layer filtering examines the actual content of a packet to determine whether it can be forwarded through the firewall. An application filter opens the entire packet and examines the actual data. For example, a client requests a page from an Internet Web server using the Hypertext Transfer Protocol (HTTP) GET command. When the packets arrive at the firewall, the application filter inspects the packet and detects the GET command, then checks its policy to determine whether the GET command is allowed.

Spam Filtering

Forefront TMG provides an e-mail policy for reducing spam. It is configured by setting rules on the spam filtering tab in Forefront TMG, which includes the IP allow list, IP block list, recipient filtering, sender filtering, and sender ID. With proper configuration of these anti-spam features, inbound messages are filtered in a specific order. (Configuring Spam Filtering, 2010)

Virus filtering

Forefront TMG provides another e-mail policy, virus filtering, which is used to remove viruses and threats before they enter an organization's infrastructure. The antivirus policy can be enabled on the virus and content filtering tab in Forefront TMG. It lets the administrator employ multiple scan engines to detect and clean viruses from e-mail attachments. (Configuring virus filtering, 2010)

Content filtering

Content filtering is another feature of the e-mail policy. In this policy, the administrator can search for specific words in an e-mail message, or for attachments with a specific name and type, and then decide whether to allow or block the e-mail and attachment. (Configuring content filtering, 2010)
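As an added illustration (not code from this essay or from Forefront TMG), the following Python model shows the three firewall layers described above under "How Forefront TMG Works as a Firewall" applied to constructed packets: a default-deny packet filter on headers, stateful tracking that judges each segment in the context of its TCP session, and an application filter that checks the HTTP command. The addresses, rule base and verdict strings are assumptions made for the demo.

```python
"""Toy model of the three filtering layers the text describes for Forefront TMG:
packet filtering (header-only, default deny), stateful filtering (packets judged
in the context of a TCP session) and application-layer filtering (inspecting the
HTTP command). Constructed example: addresses, rule base and verdicts are made up."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                  # source IP address
    dst: str                  # destination IP address
    sport: int                # source port
    dport: int                # destination port
    flags: frozenset          # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""      # application data carried by this segment


@dataclass(frozen=True)
class Rule:
    src_net: str              # CIDR the source address must fall in
    dst_net: str              # CIDR the destination address must fall in
    dport: int                # destination port the rule applies to
    action: str               # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and p.dport == self.dport)


class LayeredFirewall:
    def __init__(self, rules, allowed_http_methods):
        self.rules = list(rules)
        self.allowed_http_methods = set(allowed_http_methods)
        self.sessions = set()  # (src, sport, dst, dport) of accepted connections

    def packet_filter(self, p: Packet) -> bool:
        """Layer 1: compare the headers with the rule base; first match wins,
        and a packet that no rule explicitly allows is dropped."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action == "allow"
        return False

    def application_filter(self, p: Packet) -> bool:
        """Layer 3: open an HTTP request and check the command against policy."""
        if p.dport != 80 or not p.payload:
            return True  # nothing to inspect on this packet
        request_line = p.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            return False  # malformed request line
        return parts[0] in self.allowed_http_methods

    def decide(self, p: Packet) -> str:
        """Layer 2 ties the others together: a packet is judged in the context
        of the TCP session it belongs to, not on its headers alone."""
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.sessions or reverse in self.sessions:
            pass  # established session: both directions are already accepted
        elif "SYN" in p.flags and "ACK" not in p.flags:
            if not self.packet_filter(p):  # new connection: consult the rule base
                return "drop:packet"
            self.sessions.add(forward)
        else:
            return "drop:state"  # non-SYN segment with no session: stray or spoofed
        if not self.application_filter(p):
            return "drop:application"
        return "forward"


def run_demo():
    """Run constructed packets through the firewall and return the verdicts."""
    fw = LayeredFirewall(
        rules=[Rule("0.0.0.0/0", "192.0.2.0/24", 80, "allow")],  # published web server
        allowed_http_methods={"GET", "POST"},
    )
    syn, syn_ack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    packets = [
        Packet("203.0.113.5", "192.0.2.10", 40000, 80, syn),                          # new connection
        Packet("192.0.2.10", "203.0.113.5", 80, 40000, syn_ack),                      # server's reply
        Packet("203.0.113.5", "192.0.2.10", 40000, 80, ack, b"GET / HTTP/1.1\r\n"),    # allowed command
        Packet("203.0.113.5", "192.0.2.10", 40000, 80, ack, b"TRACE / HTTP/1.1\r\n"),  # command not in policy
        Packet("203.0.113.5", "192.0.2.10", 40001, 3389, syn),                        # no rule allows port 3389
        Packet("198.51.100.7", "192.0.2.10", 5555, 80, ack),                          # ACK without any session
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last packet is the instructive one: a header-only packet filter would pass it because port 80 is allowed, but the stateful check drops it because no session was ever opened.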

1.6.2 How Forefront TMG Enables E-Mail Server Publishing

Almost every organization provides access to its e-mail servers from the Internet. In order to receive e-mail from Internet users, organizations must configure their e-mail server to accept Simple Mail Transfer Protocol (SMTP) connections on port 25. In most cases, the e-mail server is placed on an internal network, which means that the organization must allow SMTP connections through the firewall. Since Exchange Server 2007 provides several options for users to access their e-mail from the Internet, securing access to Exchange Server computers usually includes securing both SMTP connections and client connections.

To do so, Forefront TMG provides several features to help secure access to Exchange Server computers: SMTP server publishing rules and SMTP application and content filters. Forefront TMG includes an SMTP server publishing rule that can be used to publish the internal SMTP server. It also includes an SMTP application filter that can block specific SMTP commands. The SMTP Message Screener can filter out unwanted e-mail entering an organization. All organizations are flooded with unwanted e-mail, either in the form of unsolicited commercial e-mail or e-mails with virus attachments. Message Screener can block e-mail messages based on who sent the message and whether the message contains specific attachments or keywords.

Forefront TMG has pre-configured Web publishing rules that provide access to the Exchange Server computer for Outlook Web Access (OWA) and Outlook Mobile Access (OMA) clients. These specialized Web publishing rules are preconfigured so that when a new mail publishing rule is created, many of the configuration options are enabled by default. In addition, the Forefront TMG HTTP filter can apply application-layer filtering to Web client connections to block potentially dangerous attachments or message contents. Forefront TMG can also help secure RPC over HTTP connections.
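As an added example (not code from this essay or from Forefront TMG), this Python model applies the inbound e-mail checks described in the spam filtering and content filtering subsections and by the Message Screener above, in the order the essay lists them, to constructed SMTP envelopes and MIME messages. The addresses, the directory of local recipients, and the rule that an allow-listed host skips the anti-spam stages but not the content filter are assumptions; Sender ID and virus scanning are left out because they need DNS lookups and scan engines.

```python
"""Toy model of the inbound e-mail policy order the text lists for Forefront TMG:
IP allow list, IP block list, recipient filtering, sender filtering, then content
filtering on keywords and attachment names. Constructed example, not TMG code;
Sender ID and virus scanning are omitted because they need DNS and scan engines."""
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage


class InboundMailPolicy:
    def __init__(self, ip_allow, ip_block, local_recipients, blocked_senders,
                 keywords, blocked_extensions):
        self.ip_allow = [ipaddress.ip_network(n) for n in ip_allow]
        self.ip_block = [ipaddress.ip_network(n) for n in ip_block]
        self.local_recipients = {r.lower() for r in local_recipients}
        self.blocked_senders = {s.lower() for s in blocked_senders}
        self.keywords = [k.lower() for k in keywords]
        self.blocked_extensions = {e.lower() for e in blocked_extensions}

    def evaluate(self, peer_ip, mail_from, rcpt_to, raw_message):
        """Return 'accept', or 'reject:<stage>' / 'block:<reason>' for the first check that fails."""
        ip = ipaddress.ip_address(peer_ip)
        # Assumed semantics: a host on the IP allow list skips the remaining
        # anti-spam stages but is still subject to the content filter.
        if not any(ip in net for net in self.ip_allow):
            if any(ip in net for net in self.ip_block):
                return "reject:ip-block"
            if any(r.lower() not in self.local_recipients for r in rcpt_to):
                return "reject:recipient"   # recipient filtering: unknown mailbox
            if mail_from.lower() in self.blocked_senders:
                return "reject:sender"      # sender filtering: blocked envelope sender
        return self.content_filter(raw_message)

    def content_filter(self, raw_message):
        """Search subject and text body for keywords, then attachment names for blocked types."""
        msg = message_from_bytes(raw_message, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
        for word in self.keywords:
            if word in text:
                return "block:keyword"
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if any(name.endswith(ext) for ext in self.blocked_extensions):
                return "block:attachment"
        return "accept"


def build_message(sender, recipient, subject, body, attachment_name=None):
    """Construct a MIME message (with an optional attachment) for the demo."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed attachment bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def run_demo():
    """Evaluate constructed deliveries and return the verdict for each."""
    pol = InboundMailPolicy(
        ip_allow=["203.0.113.0/24"], ip_block=["198.51.100.0/24"],
        local_recipients=["alice@example.com", "bob@example.com"],
        blocked_senders=["spammer@example.net"],
        keywords=["free money"], blocked_extensions=[".exe", ".scr"],
    )
    clean = build_message("partner@example.org", "alice@example.com", "Report", "Q3 figures attached.", "report.pdf")
    exe = build_message("partner@example.org", "alice@example.com", "Invoice", "See attachment.", "invoice.exe")
    spammy = build_message("news@example.org", "bob@example.com", "Hello", "Claim your FREE MONEY today.")
    cases = [
        ("198.51.100.20", "x@example.org", ["alice@example.com"], clean),             # host on the block list
        ("192.0.2.40", "x@example.org", ["nobody@example.com"], clean),               # recipient does not exist
        ("192.0.2.40", "spammer@example.net", ["alice@example.com"], clean),          # blocked sender
        ("203.0.113.9", "partner@example.org", ["alice@example.com"], exe),           # allow-listed host, bad attachment
        ("192.0.2.40", "news@example.org", ["bob@example.com"], spammy),              # keyword in body
        ("192.0.2.40", "partner@example.org", ["alice@example.com"], clean),          # clean delivery
    ]
    return [pol.evaluate(*case) for case in cases]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```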

1.7 Overview of Microsoft Forefront Protection 2010 for Exchange Server

Microsoft Forefront Protection 2010 for Exchange Server is software that integrates with Exchange Server and Microsoft Forefront TMG to help organizations protect their mail environment from viruses, worms, spam and inappropriate content. Forefront Protection resides on, and protects, the Exchange 2007 Edge Transport, Hub Transport and Mailbox server roles. (Forefront Security for Exchange Server: Overview, 2009)

1.7.1 Key benefits

There are three key benefits provided by Forefront Protection 2010 for Exchange Server.

Comprehensive Protection

Forefront Protection 2010 for Exchange Server ships with and manages multiple scanning engines. It also provides multi-layer protection in Exchange 2007. Other important features are file filtering and premium anti-spam protection. (Forefront Security for Exchange Server: Overview, 2009)

Optimized Performance

Forefront Protection 2010 for Exchange Server gives optimized performance to an organization. With its deep integration with Exchange Server 2007, it helps the administrator monitor and manage the mail server easily. Other good features are scanning innovations and performance controls. (Forefront Security for Exchange Server: Overview, 2009)

Simplified Management

With the user-friendly configuration and operations management provided by Forefront Protection, administration is easier. Forefront Protection also provides automated signature updates and centralized reporting, notifications, and alerts, making management more reliable and flexible. (Forefront Security for Exchange Server: Overview, 2009)

1.8 Summary

In this chapter, the author learned about the roles in Exchange Server 2007. Microsoft Forefront TMG and Microsoft Forefront Protection 2010 for Exchange Server give the Exchange Server huge benefits in protecting and maintaining the mail system in an organization. To build a secure mail server, it is very important to understand these products before deploying them in the network.

Chapter 2: Review of the Exchange Server 2007 network infrastructure for the SME

2.1 Introduction

In the last chapter, the author studied Microsoft Exchange 2007, Forefront Protection 2010 for Exchange Server and Forefront Threat Management Gateway, as well as the problems encountered when deploying those servers in a network. This chapter covers the planning of deploying Exchange Server 2007 with Forefront TMG, based on scenarios commonly used by today's businesses. Planning is one of the most fundamental aspects of deploying a new network application, whether in a large business organization or a small business, as a good planning stage is the main point of deploying a network. Besides that, the author also discusses the network infrastructure available in Exchange Server 2007.

2.2 Exchange Server Supportability Matrix

Before looking at the hardware requirements, the supported OS platform for each version of Exchange Server must be studied properly.

(Exchange Server Supportability Matrix, 2010)

Table 1

Table 1, shown above, is quoted from the Exchange Server Supportability Matrix (2010). Looking at this table, Exchange 2007 SP2 is not supported on Windows Server 2008 R2, so for this project the author will not choose Windows Server 2008 R2 as the OS platform for the Exchange Server. The author has chosen Windows Server 2008 SP2 as the OS platform because the firewall, Microsoft Forefront TMG, can be implemented on Windows Server 2008 SP2. Other than that, Exchange Server 2007 SP2 was chosen because Microsoft Forefront TMG only supports Exchange Server 2007 SP2 or a later version of Exchange Server.

2.3 Hardware Requirement

2.3.1 Hardware Requirement for Exchange Server 2007

The minimum hardware requirements for setting up Exchange Server 2007 SP2 are shown below:

Minimum Requirements for Exchange Server 2007 SP2

Processor: Any Intel Xeon or Pentium 4 64-bit processor, or any AMD Opteron or Athlon 64-bit processor

Operating System: Windows Server 2003 or above

Memory: 1 GB of RAM plus 7 MB per mailbox

Disk space: 1.2 GB of available disk space on the drive on which you install Exchange, and 200 MB of available disk space on the system drive

Display: SVGA or better

File System: NTFS file system

2.3.2 Hardware Requirement for Microsoft Forefront TMG

The minimum hardware requirements for setting up Forefront TMG are shown below:

Minimum Requirements for Forefront TMG

Processor: A 64-bit computer with 2 cores (1 CPU x dual core)

Operating System: Windows Server 2008 SP2 or Windows Server 2008 R2

Disk space: 2.5 GB

Display: SVGA or better

File System: NTFS file system

Network adapter: One network adapter compatible with the computer's operating system, for communication with the internal network, plus an additional network adapter for each network connected to the Forefront TMG

2.4 Overview of Active Directory

Active Directory allows administrators to create a more flexible network structure than was previously available with Windows server operating systems. Active Directory is a directory service that gives large distributed network environments a common centralized authority for network security. Besides that, it provides a single point of management for Windows-based user accounts, clients, servers and applications. In Microsoft Windows Server 2008, the concept of Active Directory has been expanded to include additional server roles such as Active Directory Lightweight Directory Services (AD LDS), Active Directory Certificate Services (AD CS), Active Directory Rights Management Services (AD RMS), and Active Directory Federation Services (AD FS). An Active Directory forest in Windows Server 2008 is created by installing and configuring the Active Directory Domain Services (AD DS) server role. Active Directory is a critical component of an Exchange Server 2007 infrastructure, so it is important to understand the relationship between Exchange Server 2007 and Active Directory. (Windows Server 2008 R2: Active Directory, 2009)

2.4.1 Integration of Active Directory and Exchange Server 2007

Exchange Server 2007 relies on Active Directory. To ensure that the Active Directory implementation is properly designed to support Exchange Server 2007, it is important to understand how Exchange Server 2007 and Exchange Server clients use Active Directory.

Forests

A forest is the primary security boundary for Active Directory, and it contains domain trees; a forest can hold one or more domain trees. There are two types of forest topology: single forest or multiple forests. In a single forest, all user and group accounts are located in the same forest. Multiple forests means two or more forests, with user and group accounts stored in different forests. However, a single forest is recommended because it provides better e-mail system features, it does not require GAL synchronization to be configured, and it also provides a streamlined administrative model. (Active Directory Forest Topologies, 2007)

Active Directory Sites

Computers and services must have a way of identifying Active Directory resources that are located on the same LAN versus resources that are on a different LAN separated by a WAN connection. Active Directory uses the concept of sites to make this distinction. A site is a combination of physical devices and logical services. Site membership is used in the logon process, as a computer attempts to locate a domain controller in its own site first. It is also used in replication, in accessing global catalogs and in the Exchange Server 2007 messaging infrastructure. (Why you need Active Directory for Exchange Server 2007, 2009)

Active Directory Schema

A common schema is one of the defining elements of a forest. The schema defines the types of objects that are allowed within a directory and the attributes associated with those objects. In order for access rights and security policies to function correctly, these definitions must be consistent across domains.

There are two types of definitions within the schema: attributes and classes. Attributes are defined only once, and can then be applied to multiple classes if needed. The object classes, or metadata, are used to define objects. For example, the Users class requires certain attributes such as a user name, password, and groups. A particular user account is simply an Active Directory object that has those attributes defined. (Active Directory Schema, 2009)

Global Catalog

The global catalog is primarily used for logon and for queries within Active Directory. Within a multiple-domain environment running at the Windows Server 2008 functional level, a global catalog is required for logging on to the network. The global catalog provides group membership information for the user account that is attempting to log on to the network. If the global catalog is not available during the logon attempt, the user will only be allowed to log on to the local machine.

A domain controller of the local domain handles the authentication request when the account belongs to that domain. The global catalog is needed to expand universal group membership, and whenever a user account or object from another domain must be authenticated or resolved.

Queries for objects are far more frequent than database updates, and they generate the majority of Active Directory traffic. In a simple single-domain environment the whole directory is readily available to answer them. In a complex multi-domain environment, however, having every query search each domain in turn would generate an unreasonable amount of network traffic. To solve this, the global catalog holds a partial, read-only replica (a subset of the attributes) of every domain partition in the forest, so queries can be answered by the nearest global catalog server, saving time and bandwidth. Making more domain controllers global catalog servers improves query response time, but each additional global catalog server increases replication overhead on the network. (What Is the Global Catalog?, 2009)

Global Catalog Servers

Active Directory automatically makes the first domain controller in a forest a global catalog server, and every forest needs at least one. In an environment with multiple sites it is good practice to designate at least one domain controller in each site as a global catalog server, so that logons and Exchange directory lookups do not cross the WAN; Exchange Server 2007 in fact requires a global catalog server in every site that contains an Exchange server. Any domain controller can be made a global catalog server, but their number should be balanced against the replication overhead described above. (Global catalog server best practices for Exchange Server, 2010)
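As an added example (not code from the essay or from the cited Microsoft article), the following Windows PowerShell script inventories global catalog placement per site using the .NET System.DirectoryServices.ActiveDirectory classes that are present on Windows Server 2008 (no Active Directory module is needed), and checks that each global catalog answers on TCP 3268, the port Exchange uses for global catalog lookups. It is written for PowerShell 1.0, so it uses trap rather than try/catch, and assumes only that it runs on a domain-joined computer as a domain user.

```powershell
# Added example: list domain controllers and global catalogs per AD site and flag
# sites that have DCs but no GC. Assumes a domain-joined machine; any domain user
# can read this information.

function Test-TcpPort($computer, $port) {
    # Open a TCP connection and report whether it succeeded. PowerShell 1.0 has no
    # try/catch, so a trap inside a child scope swallows the connect exception.
    $client = New-Object System.Net.Sockets.TcpClient
    & { trap { continue }; $client.Connect($computer, $port) }
    $connected = $client.Connected
    $client.Close()
    return $connected
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host ("Forest " + $forest.Name + " has " + $forest.GlobalCatalogs.Count + " global catalog server(s)")

$sitesWithoutGc = @()
foreach ($site in $forest.Sites) {
    $dcs = @()
    $gcs = @()
    foreach ($server in $site.Servers) {
        # Site.Servers may also list AD LDS instances; only domain controllers count here.
        if ($server -is [System.DirectoryServices.ActiveDirectory.DomainController]) {
            $dcs += $server.Name
            if ($server.IsGlobalCatalog()) { $gcs += $server.Name }
        }
    }
    Write-Host ""
    Write-Host ("Site " + $site.Name + ": " + $dcs.Count + " DC(s), " + $gcs.Count + " GC(s)")
    foreach ($gc in $gcs) {
        # Exchange queries the GC over LDAP on TCP 3268 (3269 for LDAP over SSL).
        if (Test-TcpPort $gc 3268) {
            Write-Host ("  GC " + $gc + ": port 3268 reachable")
        } else {
            Write-Host ("  GC " + $gc + ": port 3268 NOT reachable")
        }
    }
    if (($dcs.Count -gt 0) -and ($gcs.Count -eq 0)) { $sitesWithoutGc += $site.Name }
}

Write-Host ""
if ($sitesWithoutGc.Count -eq 0) {
    Write-Host "Every site with a domain controller also has a global catalog server."
} else {
    # Logons and Exchange directory lookups from these sites must cross the WAN.
    Write-Host ("Sites with DCs but no GC: " + [string]::Join(", ", [string[]]$sitesWithoutGc))
}
```

Run it from any member server before placing Exchange. A site listed without a global catalog either needs one (Active Directory Sites and Services, NTDS Settings, Global Catalog check box) or should not host an Exchange server; a global catalog that does not answer on 3268 is usually a host firewall problem.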

2.4.2 Active Directory Preparation for Exchange Server 2007

The setup.com switches used to prepare Active Directory are listed below in the order they are run. The switches are those of Exchange Server 2007 Setup; /PrepareSchema must be run on a computer in the same domain and Active Directory site as the schema master.

/PrepareLegacyExchangePermissions
    Required if the organization contains Exchange Server 2003 or Exchange Server 2000.
    Modifies the permissions assigned to the Enterprise Exchange Servers group so that the Recipient Update Service can continue to run after the schema is extended.
    Must be run by a member of the Enterprise Admins group.

/PrepareSchema
    Prepares (extends) the Active Directory schema for the Exchange Server 2007 installation.
    Must be run by a member of both the Enterprise Admins and the Schema Admins groups.

/PrepareAD
    Prepares the global Exchange objects in Active Directory, creates the Exchange universal security groups in the root domain, and prepares the current domain.
    Must be run by a member of the Enterprise Admins group.

/PrepareDomain:<domainname> or /PrepareAllDomains
    Prepares the domain for Exchange Server 2007 by creating a new global group, called Exchange Install Domain Servers, in the Microsoft Exchange System Objects container.
    Not required in the domain where /PrepareAD was run.
    Can prepare a specific domain by giving its fully qualified domain name, or all domains in the forest with /PrepareAllDomains.
    Must be run by a member of the Enterprise Admins group and of the Domain Admins group of the domain being prepared.

(How to Prepare Active Directory and Domains, 2008)
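The sequence above, as an added example that is not part of the essay or of Microsoft's documentation: the setup.com switches are the product's own, while the rights check, the schema-version comparison and the group listing are added here to verify each step before moving on. It assumes the Exchange 2007 SP2 media is mounted at D:\, a new organization named DNSPROJECT, and a PowerShell session on a domain member in the same domain and site as the schema master, run as an account in Enterprise Admins, Schema Admins and Domain Admins.

```powershell
# Added example: run the Exchange 2007 Active Directory preparation steps in order and
# verify each one. setup.com switches are those of Exchange Server 2007 Setup; the
# surrounding checks are added here and are not part of the product or the essay.
# Assumptions: media at D:\, organization name DNSPROJECT, session in the schema
# master's domain and site, account in Enterprise/Schema/Domain Admins.

$setup = "D:\setup.com"         # assumption: path to Exchange 2007 Setup
$orgName = "DNSPROJECT"         # assumption: Exchange organization name
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDse = [ADSI]"LDAP://RootDSE"
$schemaDn = [string]$rootDse.schemaNamingContext
$rootDomainDn = [string]$rootDse.rootDomainNamingContext

function Test-GroupMembership($groupName) {
    # True when the current logon token contains the named group.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $account = & { trap { continue }; $sid.Translate([System.Security.Principal.NTAccount]) }
        if (($account -ne $null) -and ($account.Value -like ("*\" + $groupName))) { return $true }
    }
    return $false
}

function Get-ExchangeSchemaVersion {
    # rangeUpper on ms-Exch-Schema-Version-Pt records the Exchange schema level;
    # the attribute does not exist until /PrepareSchema has run at least once.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $schemaDn)
    $searcher.Filter = "(cn=ms-Exch-Schema-Version-Pt)"
    [void]$searcher.PropertiesToLoad.Add("rangeUpper")
    $result = $searcher.FindOne()
    if ($result -eq $null) { return 0 }
    return [int]$result.Properties["rangeupper"][0]
}

function Invoke-Setup($switches) {
    # Run setup.com and stop on a non-zero exit code instead of continuing blindly.
    Write-Host ("==> setup.com " + [string]::Join(" ", [string[]]$switches))
    & $setup $switches
    if ($LASTEXITCODE -ne 0) { throw ("setup.com failed with exit code " + $LASTEXITCODE) }
}

# 0. Rights check: without these groups the steps below fail late and confusingly.
foreach ($group in "Enterprise Admins", "Schema Admins", "Domain Admins") {
    if (-not (Test-GroupMembership $group)) { Write-Warning ("Current user is not a member of " + $group) }
}
Write-Host ("Schema master: " + $forest.SchemaRoleOwner.Name + " (run /PrepareSchema in its domain and site)")
$before = Get-ExchangeSchemaVersion
Write-Host ("Exchange schema version before: " + $before)

# 1. Only when Exchange 2000/2003 is present in the organization:
# Invoke-Setup @("/PrepareLegacyExchangePermissions")

# 2. Extend the schema (Enterprise Admins + Schema Admins), then prove it happened.
Invoke-Setup @("/PrepareSchema")
$after = Get-ExchangeSchemaVersion
if ($after -le $before) { throw ("Schema version did not increase (" + $before + " -> " + $after + ")") }
Write-Host ("Exchange schema version after: " + $after)

# 3. Create the organization objects and universal security groups in the root domain.
Invoke-Setup @("/PrepareAD", ("/OrganizationName:" + $orgName))
$groupsOu = [ADSI]("LDAP://OU=Microsoft Exchange Security Groups," + $rootDomainDn)
foreach ($group in $groupsOu.psbase.Children) { Write-Host ("  created: " + [string]$group.cn) }

# 4. Prepare every other domain that will hold Exchange servers or recipients
# (use "/PrepareDomain:<fqdn>" for a single domain instead).
Invoke-Setup @("/PrepareAllDomains")
```

The schema-version check is the useful part: /PrepareSchema can appear to succeed while replication to the domain controller you are querying has not happened yet, so a version that has not moved means wait for replication (or query the schema master directly) rather than proceed to /PrepareAD.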

2.5 Exchange Server 2007 and Windows Server 2008 Protocols and Services Integration

Besides working with Active Directory, Exchange Server 2007 is designed to integrate with services provided by the Windows Server operating system. To take advantage of the new functionality in Windows Server 2008, Exchange Server 2007 with Service Pack 1 or later can be installed on it (the RTM release of Exchange Server 2007 is not supported on Windows Server 2008).

2.5.1 Exchange Server 2007 and IIS

IIS (Internet Information Services) is included with the Windows Server operating system and provides core services for Exchange Server 2007, which integrates with the World Wide Web Publishing Service of IIS. Windows Server 2008 ships IIS 7.0; because Exchange Server 2007 still manages IIS through the IIS 6 metabase interface, the IIS 6 Management Compatibility components (IIS 6 Metabase Compatibility and IIS 6 Management Console) must be installed together with the Web Server role before the Client Access server role can be installed. (Exchange 2007 System Requirements, 2009)

2.5.2 The World Wide Web Service

Outlook Web Access (OWA) integrates with IIS through the Client Access server role, which does not have to be installed on the same server as the Mailbox role. Because of this separation, Client Access servers can be placed almost anywhere within the Active Directory forest, which gives flexibility and a scalable messaging solution. OWA provides access to an Exchange mailbox through a Web browser. HTTP, served by the World Wide Web Publishing Service, is the transport for OWA; in practice it is always HTTPS, since OWA should only be published over SSL.

Users running Microsoft Internet Explorer 6 or later can take advantage of a number of enhancements in OWA, including a spell checker, support for mail rules, support for digital signatures (S/MIME), marking messages as read or unread, and public folder support.

Outlook Anywhere allows Outlook clients outside the network to connect to Exchange Server 2007 over HTTPS, a technique known as RPC over HTTP. On Windows Server 2008 it requires the RPC over HTTP Proxy feature to be installed on the Client Access server. When Outlook Anywhere is published through Forefront TMG, the Client Access server should require SSL on the RPC virtual directory and its client authentication method should match what TMG delegates. (Exchange 2007 System Requirements, 2009)
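The Outlook Anywhere configuration described above, as an added example (not from the essay) for the Exchange Management Shell on Exchange 2007 SP1 or later. The cmdlets are the product's own; the server name EXOUT comes from the essay's design in chapter 3, while the public name mail.dnsproject.com is an assumption (the essay does not state one), and the RPC over HTTP Proxy feature is assumed to be installed already.

```powershell
# Added example: enable Outlook Anywhere on the Client Access server and check the
# settings that matter when it is published through Forefront TMG.
# Assumptions: CAS is EXOUT; public name mail.dnsproject.com; RPC over HTTP Proxy installed.

$cas = "EXOUT"
$externalHostname = "mail.dnsproject.com"   # assumption: name on the certificate TMG presents

# Basic authentication is acceptable only because TMG terminates HTTPS and re-encrypts
# to the CAS; SSLOffloading stays $false so the CAS itself still demands SSL on /Rpc.
# (If Outlook Anywhere is already enabled, use Set-OutlookAnywhere with the same parameters.)
Enable-OutlookAnywhere -Server $cas -ExternalHostname $externalHostname `
    -DefaultAuthenticationMethod Basic -SSLOffloading $false

$oa = Get-OutlookAnywhere -Server $cas
Write-Host ("External hostname : " + $oa.ExternalHostname)
Write-Host ("Client auth method: " + $oa.ClientAuthenticationMethod)
Write-Host ("SSL offloading    : " + $oa.SSLOffloading)

# Independently confirm that IIS requires SSL on the /Rpc virtual directory of the
# Default Web Site (metabase path W3SVC/1), via the IIS 6 compatibility ADSI provider.
$rpc = [ADSI]("IIS://" + $cas + "/W3SVC/1/Root/Rpc")
$requiresSsl = [bool]$rpc.AccessSSL
Write-Host ("IIS requires SSL on /Rpc: " + $requiresSsl)
if (-not $requiresSsl) {
    Write-Warning "SSL is not required on /Rpc; Basic credentials would cross the network in clear text."
}
```

The last check is worth keeping separate from the cmdlet output: Get-OutlookAnywhere reports what Exchange intends, while the AccessSSL flag is what IIS actually enforces on the listener that TMG forwards to.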

2.6 Domain Name System

DNS must be configured so that domain controllers and global catalog servers can be located by name. In practice this means the DNS zones for the Active Directory forest must contain the SRV locator records (under _msdcs and _tcp) that domain members and Exchange use to find domain controllers, Kerberos KDCs and global catalogs, and every Exchange server must point to a DNS server that hosts or forwards for those zones. (Understanding DNS Requirements for Exchange Server 2007, 2007)
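One way to verify the DNS requirement above, as an added example that is not part of the essay: the script queries the locator records with nslookup.exe, then resolves every host they name, so a record that exists but points at a host with no address is caught as well. It assumes the essay's lab domain dnsproject.com is the forest root (change $domain otherwise) and that nslookup.exe is on the path.

```powershell
# Added example: check the SRV records domain members and Exchange use to find domain
# controllers, Kerberos KDCs and global catalog servers, and that each target resolves.
# Assumption: forest root domain dnsproject.com; nslookup.exe on the path.

$domain = "dnsproject.com"      # assumption: forest root domain of the lab
$records = @(
    ("_ldap._tcp.dc._msdcs." + $domain),       # any writable domain controller (LDAP 389)
    ("_kerberos._tcp.dc._msdcs." + $domain),   # KDC on a domain controller (88)
    ("_ldap._tcp.gc._msdcs." + $domain),       # global catalog servers (LDAP 3268)
    ("_gc._tcp." + $domain)                    # global catalog, non-_msdcs form
)

function Get-SrvTargets($name) {
    # nslookup prints one "svr hostname = <fqdn>" line per SRV answer; collect the targets.
    $targets = @()
    $output = & nslookup.exe -type=SRV $name 2>&1
    foreach ($line in $output) {
        if ([string]$line -match 'svr hostname\s*=\s*(\S+)') { $targets += $matches[1] }
    }
    return $targets
}

$problems = 0
foreach ($record in $records) {
    $targets = @(Get-SrvTargets $record)
    if ($targets.Count -eq 0) {
        Write-Host ("MISSING    " + $record)
        $problems++
        continue
    }
    foreach ($target in $targets) {
        # Resolve the target name; a trap keeps a failed lookup from aborting the script.
        $addresses = @(& { trap { continue }; [System.Net.Dns]::GetHostAddresses($target) })
        if ($addresses.Count -eq 0) {
            Write-Host ("NO ADDRESS " + $record + " -> " + $target)
            $problems++
        } else {
            Write-Host ("OK         " + $record + " -> " + $target + " (" + [string]$addresses[0] + ")")
        }
    }
}

if ($problems -eq 0) {
    Write-Host "DNS locator records are in place."
} else {
    Write-Host ($problems.ToString() + " problem(s): fix DNS before installing Exchange, or Setup and logons will fail.")
}
```

Run it from the server that will receive Exchange, so the test uses that server's own DNS client settings rather than those of the domain controller.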

2.7 Install Windows Services required by Exchange Server 2007

Before installing Exchange Server 2007, certain Windows Server 2008 components and services must be enabled for the integration Exchange has with Active Directory and the Windows operating system. For Setup to complete successfully, the following must be installed and enabled on the server: Microsoft .NET Framework 3.0, MMC 3.0 (installed by default on Windows Server 2008), Windows PowerShell 1.0, the World Wide Web Publishing Service with ASP.NET 2.0, IIS 7.0 with the IIS 6 Management Compatibility components, and Microsoft Windows Installer 4.5. On Windows Server 2008 these are added as roles and features from Server Manager or with ServerManagerCmd.exe rather than downloaded separately. (Exchange 2007 System Requirements, 2009)
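As an added example (not from the essay or from Microsoft's documentation), the script below installs and verifies the roles and features for a combined Hub Transport / Client Access server with ServerManagerCmd.exe, the Windows Server 2008 command-line front end to Server Manager. The feature identifiers are the Server Manager IDs for Windows Server 2008; confirm them against the output of ServerManagerCmd -query on your build, since the list is an assumption about that release. It must run from an elevated PowerShell prompt.

```powershell
# Added example: install and verify the Windows Server 2008 roles and features that
# Exchange 2007 SP2 needs on a combined Hub Transport / Client Access server.
# Feature IDs assumed from Windows Server 2008; check "ServerManagerCmd -query".

$required = @(
    "NET-Framework-Core",      # .NET Framework 3.0
    "PowerShell",              # Windows PowerShell, the basis of the Exchange Management Shell
    "Web-Server",              # IIS 7.0 (World Wide Web Publishing Service)
    "Web-ISAPI-Ext",           # ISAPI extensions used by OWA and Exchange web services
    "Web-Metabase",            # IIS 6 Metabase Compatibility: Exchange 2007 configures IIS through it
    "Web-Lgcy-Mgmt-Console",   # IIS 6 Management Console
    "Web-Basic-Auth",          # Basic authentication (only ever used behind SSL)
    "Web-Windows-Auth",        # Integrated Windows authentication
    "Web-Digest-Auth",         # Digest authentication
    "Web-Dyn-Compression",     # dynamic content compression for OWA
    "RPC-over-HTTP-proxy"      # Outlook Anywhere (RPC over HTTP) on the Client Access server
)

function Get-InstalledFeatureIds {
    # "ServerManagerCmd -query" prints "[X] Display name  [Feature-Id]" for installed
    # roles/features and "[ ]" for the rest; keep the IDs of the installed ones.
    $ids = @()
    foreach ($line in (& ServerManagerCmd.exe -query)) {
        if ([string]$line -match '^\s*\[X\].*\[([^\[\]\s]+)\]\s*$') { $ids += $matches[1] }
    }
    return $ids
}

$installed = @(Get-InstalledFeatureIds)
$missing = @()
foreach ($id in $required) { if ($installed -notcontains $id) { $missing += $id } }

$rebootNeeded = $false
foreach ($id in $missing) {
    Write-Host ("Installing " + $id)
    & ServerManagerCmd.exe -install $id
    # 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
    if ($LASTEXITCODE -eq 3010) {
        $rebootNeeded = $true
    } elseif ($LASTEXITCODE -ne 0) {
        throw ("ServerManagerCmd -install " + $id + " failed with exit code " + $LASTEXITCODE)
    }
}

# Re-check after installing, and confirm the web service is actually running.
$stillMissing = @()
$installed = @(Get-InstalledFeatureIds)
foreach ($id in $required) { if ($installed -notcontains $id) { $stillMissing += $id } }
if ($stillMissing.Count -gt 0) {
    Write-Warning ("Still missing: " + [string]::Join(" ", [string[]]$stillMissing))
}
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if (($w3svc -eq $null) -or ($w3svc.Status -ne "Running")) {
    Write-Warning "W3SVC (World Wide Web Publishing Service) is not running."
}
if ($rebootNeeded) {
    Write-Warning "Reboot the server before running Exchange Setup."
} else {
    Write-Host "Prerequisites present; run Exchange Setup next."
}
```

A Mailbox-only server needs a shorter list (no Digest authentication, dynamic compression or RPC over HTTP Proxy), so trim $required per role rather than installing every web feature everywhere; each unneeded authentication module on a server is one more thing to secure.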

2.8 Study on the existing network infrastructure for SME

In this topic, the author researched existing network designs for Exchange Server 2007 from Internet sources. A brief explanation of the diagram is given below:

Diagram 1

The author found this diagram on an Internet site (see the citation at the end of this paragraph). It is a network diagram for a simple organization with multiple servers. The site states that all of the servers run the 64-bit edition of Exchange Server 2007. One computer is configured as an Active Directory domain controller with Exchange Server installed (the Hub Transport, Mailbox, Client Access and Unified Messaging roles), a second computer as a domain controller without Exchange Server (holding the global catalog), and a third computer as the Edge Transport server. This infrastructure is designed for mid-sized businesses with between 25 and 250 computers; Microsoft also refers to this design by the code name Centro. In Diagram 1 the Edge Transport server is placed in a perimeter network, where it handles incoming SMTP connections so that the internal servers are not exposed directly to the Internet. (Planning for a Simple Exchange Organization, 2008)

2.9 Summary

In this chapter, the author has covered the hardware requirements, the services and software prerequisites for Exchange Server 2007, and the network infrastructure of Exchange Server 2007. These topics are important for this project because they give an understanding of how Exchange Server 2007 works.

3.0 Designing the appropriate network diagram

3.1 Introduction

In the previous chapters, the author discussed the overview of Exchange Server 2007, Forefront TMG, Forefront Protection for Exchange Server, and the network infrastructure for Exchange Server 2007. In this chapter, the author will describe the architecture of Exchange Server 2007 and draw a diagram for the later development process.

3.2 Architecture of Exchange Server 2007

In the first chapter, the author researched the new server roles in Exchange Server 2007. Those roles constitute the new architecture of Exchange Server 2007.

Figure 1

Figure 1 shows all five server roles. Each role has a specific job, and together they make the Exchange 2007 architecture easier to manage and more secure. The previous version, Exchange Server 2003, had only two "official" roles: front-end and back-end servers. The front-end role corresponds to the Client Access role, which publishes the client access protocols (OWA, ActiveSync, Outlook Anywhere) to users. The back-end role corresponds to the Mailbox role, which hosts the mailbox and public folder databases. Separating the roles in Exchange Server 2007 gives an organization more reliability and easier management. Security is improved by the new Edge Transport role, which can be combined with Forefront TMG and Forefront Protection for Exchange Server. The figure shows how the new Exchange server operates with these roles: four roles (Hub Transport, Unified Messaging, Client Access and Mailbox) are located inside the internal firewall, while the Edge Transport role is placed in the perimeter network between the external and internal firewalls. The Edge Transport server is not a member of the internal Active Directory forest; it keeps its own copy of the recipient and configuration data it needs in AD LDS (ADAM), pushed to it one way from a Hub Transport server by EdgeSync, so a compromised perimeter host does not hold domain credentials. Because of these new server roles the architecture is much better than that of the previous version of Exchange.

3.2 Draw an appropriate diagram

After studying the network infrastructures and architectures for Exchange Server 2007, the author has produced a final network diagram for implementation in this project. The network diagram is shown below:

Diagram 2

As the diagram shows, the network contains four server computers: a domain controller; an Exchange Mailbox server; one server combining the Exchange Hub Transport and Client Access roles; and one server with the Forefront TMG firewall and the Edge Transport role. All of the servers and the client are placed on the internal network behind the TMG, and all of them are joined to a domain named DNSPROJECT.COM.

The domain controller will be named EXDC1 in the domain. This server will be set up as the Active Directory server with other services installed, such as DNS and DHCP. Its IP address will be set as

The Exchange Mailbox server will be named EXMAIL in the domain. Its IP address will be set as

The combined Exchange Hub Transport and Client Access server will be named EXOUT in the domain. Its IP address will be set as

The Forefront TMG server will be named TMG in the domain. Forefront TMG 2010, the Edge Transport server role and Forefront Protection 2010 for Exchange Server will be installed on this server. Two NICs will be used: the internal IP address will be set as and the external IP address will be set as . All of these machines connect through a switch; every server runs Windows Server 2008 SP2, and the Exchange version is Exchange Server 2007 SP2. The Edge Transport role cannot share a computer with any other Exchange role, so it is the only Exchange role on this server. Note that Edge Transport is designed for a host in the perimeter network that is not a member of the internal forest and receives its recipient and configuration data one way from a Hub Transport server through EdgeSync; joining the TMG server to DNSPROJECT.COM trades some of that isolation for the convenience of a single box.

One computer will be set up as an internal client named client1. This computer is used for testing Outlook.

This is a simple network infrastructure for testing how Forefront TMG can protect the Exchange server. In this network, the author will not set up the Unified Messaging role, one of the new roles in Exchange Server 2007, because of lack of time, lack of devices, and lack of knowledge of it.

3.3 Summary

In this chapter, the author discussed the Exchange Server 2007 architecture. This version of Exchange no longer has only the two roles of front-end and back-end server. With the new roles, management of Exchange Server becomes easier and more flexible.