What is the point of the heavy forwarder outlined in step 4 of the docs?
Is that heavy forwarder doing anything that can't be done at the indexer?
This step is for the TA-SMTP-reputation component (as per step 6) since a full Splunk install has the required Python components to check SMTP server reputation. Keep in mind that this heavy forwarder install will take up resources separate from your indexing tier. Installing the TA-SMTP-Reputation component on your indexing tier is not supported. Another option is to install a heavy forwarder on one of your Exchange servers to handle this requirement, but again, not recommended due to resource requirements.
Thanks,
Jeff.