Configure Gateway to Exchange Server communication

To apply your security policy to mail from an Exchange Server you need to allow and configure Exchange Gateway to Exchange Server communication. You need to do this for every Exchange Server you want to apply policy to.

This topic describes how you configure your Exchange Gateway by adding Exchange Servers and applying Client IDs to your Exchange Server. It also provides information about SXG Interceptor cmdlets and how you use them with Powershell on your Exchange Server.

Information on configuring your Exchange Server, including installing and configuring an SXG Interceptor, can be found in the Clearswift Secure Exchange Gateway Installation & Setup Guide.

Tell me about...

The SXG Interceptor cmdlets

A set of Powershell cmdlets are included as part of your SXG Interceptor installation. You use the cmdlets to configure and manage the SXG Interceptor on your Exchange Server.
Any extra tasks I should consider after I have a basic configuration
Configure Interception rules

The initial SXG Interceptor installation provides a default set of email interception rules. You might want to apply your own rules for your organizations particular requirements. For example, you can:
- Filter mail by email address
- Filter by trusted hosts
- Filter by message class
Assign a Gateway to a different site or multiple sites

The SXG Interceptor uses Gateways that are part of the same Active Directory site. By default, the site that a Gateway is available to is determined by matching the IP address of the Gateway against the subnets that are allocated to sites. This is known as Automatic site selection.

You might want to share Gateways between sites or manually set the site a Gateway should use. To do this you use Manual site selection.

Check mail is intercepted as expected while allowing delivery to the Gateway

In a typical SXG Interceptor/Exchange Gateway configuration, non-conforming messages are removed from the transport after being intercepted. There are some scenarios where it might be useful for non-conforming messages to be delivered to the Gateway while a copy remains on the transport. For example:
- Evaluation on a production system. You might not want to risk intercepting messages until you are certain that your policy is performing in the expected way.
- You might want to detect and analyze non-conforming messages without preventing delivery.
By configuring interception rules with monitor mode you can support these scenarios and check the flow and interception of email while allowing all mail to reach your Gateway.

Monitor performance

You can use Clearswift SXG Interceptor performance counters with Microsoft Performance Monitor to monitor performance. The counters are installed automatically as part of the SXG Interceptor installation.

How do I...

Add an Exchange Server to my Exchange Gateway?
1. From the Exchange Gateway Home page, select System > Exchange Servers.
  
  The Exchange Servers page is displayed.
2. Click New.
  
  The Add Server dialog is displayed.
3. In the Server box, type the IP address of the computer that is hosting the Exchange Server.
  
  You can also add an optional comment here to be associated with the Exchange Server.
4. Click Add.
5. Apply the new configuration. Show me
  
  In the Changes Made panel, click Apply Configuration.
  
  On the Apply Configuration Now page, provide information about the change of configuration.
  
  Click Apply Now.
Work with Client IDs?
A Client ID is generated automatically by your Gateway when you add an Exchange Server. You then set this Client ID on your Exchange Server to allow communication between a particular SXG Interceptor and the Gateway.

To set the Client ID:
1. On the Exchange Gateway, point to the System tab.
2. Under Exchange Settings, click Exchange Servers.
  
  The Exchange Servers page is displayed.
3. Select the server you want to get the ID for and click View.
  
  The View Server dialog is displayed.
4. Select and copy the Client ID.
5. On the Exchange Server computer, click Start, click All Programs, and then click Clearswift SXG Interceptor.
6. Click Clearswift SXG Interceptor Management Shell.
7. Set the Client ID by typing the following from the command line:
```
Set-SXGInterceptor –Identity <InterceptorIdentity> –ClientID <ClientID>
				
```
  where
  - <InterceptorIdentity> is the FQDN of the server where the SXG Interceptor is installed
  - <ClientID> is the copied Client ID from the Gateway

Configure the SXG Interceptor to use the Exchange Gateway I want to use to apply policy?

You need to add and enable an Exchange Gateway on the Interceptor. You do this from the Clearswift SXG Interceptor Management Shell on your Exchange Server, by using the Add-SXGGateway and Set-SXGGateway cmdlets.

On your Exchange Server where the Interceptor is installed, click Start > All Programs > Clearswift SXG Interceptor > Clearswift SXG Interceptor Management Shell.

To add the Gateway, from the command line type the following:

Add-SXGGateway [[-Identity] <GatewayIdentity>] [<CommonParameters>]]

where:

<GatewayIdentity> is the FQDN of the SXG you want to add

To find the FQDN, from the SXG UI click System > Ethernet Settings.

<CommonParameters> is a list of common parameters, for example, verbose, debug.

To enable the Gateway, from the command line type the following:

Set-SXGGateway [[-Identity] <GatewayIdentity>] -Enabled $true

<GatewayIdentity> is the FQDN of the SXG you want to enable

You can enable all Gateways on your Exchange Server by using the following:

Get-SXGGateway | Set-SXGGateway -Enabled $true

Create and configure Interception rules?

You use cmdlets from the Clearswift SXG Interceptor Management Shell to create and configure interception rules.

You use the Add-SXGInterceptionRules cmdlet to create a named set of rules.

You use the Set-SXGInterceptionRules cmdlet to set the interception rules for a named set.

For full cmdlet syntax see SXG Interceptor cmdlets.

For typical scenarios and examples, see Interception rules in the Configure and Manage SXG Interceptor topic.
Work with Automatic and Manual site assignment?
The site selection mode is determined by whether a Gateway has any assigned sites. To see which mode is assigned to a Gateway, type the following from the Clearswift SXG Interceptor Management Shell:
```
Get-SXGGateway
```
The following output will be displayed with values applicable to your own configuration:
```
Identity                         Enabled          SiteSelectionMode        Sites
--------                         -------          -----------------        -----
Identityxxx.ex2010.xxx.local     True             Automatic                {Default-First-Site-N...
Identisyyyy.ex2010.yyy.local     True             Automatic                {Default-First-Site-N...
						
```
In this example, Automatic site selection is applied to each Gateway. The values for Sites are what the SXG Interceptor has determined each Gateway belongs to.

To enable manual site selection, you need to assign a site to a Gateway. Type the following from the Clearswift SXG Interceptor Management Shell:
```
Set-SXGGateway <GatewayIdentity> -AssignedSites <string[...]>
```
For example, to assign Site-1 to Identityxxx.ex2010.xxx.local type the following:
```
Set-SXGGateway Identityxxx.ex2010.xxx.local -AssignedSites Site-1
```
Running the Set-SXGGateway command will show that the Gateway mode is now Manual with a site of Site-1
```
Identity                         Enabled          SiteSelectionMode        Sites
--------                         -------          -----------------        -----
Identityxxx.ex2010.xxx.local     True             Manual                   {Site-1}
Identityyyy.ex2010.yyy.local     True             Automatic                {Default-First-Site-N...
						
```
You can assign a Gateway to multiple sites. To do this, using the Gateway and site values from the previous example, type the following from the Clearswift SXG Interceptor Management Shell:
```
Set-SXGGateway Identityxxx.ex2010.xxx.local -AssignedSites Site-1, Site-2
```
If you want to change a Gateway's site mode from Manual to Automatic, you need to set the AssignedSites parameter to null. Type the following from the Clearswift SXG Interceptor Management Shell:
```
Set-SXGGateway exmgr-gw-1.ex2010.mkjs.local -AssignedSites $null
```
Configure and work with monitor mode?
You use the Set-SXGInterceptor cmdlet from the Clearswift SXG Interceptor Management Shell with the monitor mode switch.

For example, to enable monitor mode for server HUB1, type the following from the command line:
```
Set-SXGInterceptor -Identity HUB1 -MonitorModeEnabled $true
```
To enable monitor mode for all SXG Interceptors in your organization, type the following from the command line:
```
Get-SXGInterceptor | Set-SXGInterceptor -MonitorModeEnabled $true
```
You can then check that the SXG Interceptor is working as expected by inspecting the Recent Messages list on the Health page, and checking that listed messages are being delivered.

Get more information on Interceptor commands that will help with typical scenarios and general configuration options?
For information on:
- Managing Interceptors
- Managing Messages
- Setting and working with Interceptor rules
- Interceptor performance
See Configure and manage Exchange Gateway Interceptor.

Configure Gateway to Exchange Server communication

Tell me about...

Configure Interception rules

Assign a Gateway to a different site or multiple sites

Check mail is intercepted as expected while allowing delivery to the Gateway

Monitor performance

How do I...

See also...