Exchange SQL And IIS- P81 docx

Chapter 7

Managing the Edge Transport Server

Solutions in this chapter:

■ Deploying the Edge Transport Server Role
■ Enabling Name Resolution Lookups between the Edge Transport and Hub Transport Servers Suffix
■ Installing the ADAM Component
■ Verifying That the EdgeSync Service Works as Expected
■ Manually Configuring the Required Connectors
■ Pointing Your MX Records to the Edge Transport Server
■ Deploying Multiple Edge Transport Servers in the Organization

■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

The Exchange Product Group developed the edge transport server to give enterprises powerful out-of-the-box protection against spam without needing to go out and invest in a third-party solution. The messaging hygiene features in the Edge Transport server role are agent based and consist of multiple filters that are frequently updated.

Although the primary role of the edge transport server is to route mail and do message hygiene, it also includes features that will let you do other things, such as rewriting SMTP addresses, configuring transport rules, and enabling journaling and associated disclaimers.

After reading this chapter you will have learned what the edge transport server is all about; you will be aware of how an edge transport server is properly deployed as well as know how to configure most of the features available with this server role.

NOTE

Exchange 2007 also includes a new feature called Domain Security, which provides a set of functionality that offers a low-cost alternative to S/MIME or other message-level security solutions. The purpose of the Domain Security feature set is to provide administrators a way to manage secured message paths over the Internet with business partners.

Deploying the Edge Transport Server Role

The Edge Transport server role in Exchange Server 2007 is meant to be installed in your organization’s perimeter network (also called a demilitarized zone [DMZ] or screened subnet). This server role supports Simple Mail Transfer Protocol (SMTP) routing (more specifically, SMTP-relay and Smart Host functionality) and provides several antispam filtering agents and support for antivirus extensibility. The edge transport server is the only server role that shouldn’t be part of your Active Directory directory service forest; it should instead be installed on a stand-alone server in a workgroup, as shown in Figure 7.1.

Although the Edge Transport server role is isolated from Active Directory, it’s still able to communicate with the Active Directory using a collection of processes known as EdgeSync, which runs on the hub transport server. Since it is part of the Active Directory, the Hub Transport server has access to the necessary Active Directory data. The edge transport server uses Active Directory Application Mode (ADAM) to store the required Active Directory data, which is data such as accepted domains, recipients, safe senders, send connectors, and a hub transport server list (used to generate dynamic connectors so that you don’t need to create them manually).

SOME INDEPENDENT ADVICE

Although the Edge Transport server role has been designed to provide improved antispam and antivirus protection for an Exchange 2007 environment, you can deploy this server role in an existing Exchange 2003 organization as well. Since you install the Edge Transport server role on a stand-alone machine in the perimeter network (the DMZ or screened subnet), this is even a relatively simple task. Even though you would be able to use the Edge Transport server role as a smart host or an SMTP relay server in an Exchange 2003 environment, you will not be able to replicate configuration and recipient data from Active Directory to ADAM, because this requires an Exchange 2007 hub transport server. This doesn’t hinder you from using the filtering agent that doesn’t rely on the EdgeSync service. If you use the Intelligent Message Filter (IMF) only in your Exchange 2003 environment, deploying an edge transport server in the perimeter network (the DMZ or screened subnet) would make sense because it would provide an additional layer of antispam protection. You could also install ForeFront for Exchange Server 2007 on the edge transport server so that you could filter out virus-infected messages as well.

Figure 7.1 A Typical Edge Transport Server Scenario

[Figure labels: Internet, SMTP Server, Firewall, Perimeter Network, Edge Transport, Firewall, Internal Network, Hub Transport, Client Access, Mailbox]

It’s important to understand that the EdgeSync replication is encrypted by default and that the replication is a one-way process from Active Directory to ADAM. This means that no data is replicated from ADAM to AD.

The first time that EdgeSync replication occurs, the ADAM store is populated, and after that, data from Active Directory is replicated at fixed intervals. You can specify the intervals or use the default settings, which are every hour for configuration data and every fourth hour for recipient data.

The edge transport server has its own Jet database to process the delivery of inbound as well as outbound e-mail messages. When inbound e-mail messages are stored in the Jet database and are ready for delivery, the edge transport server looks up the respective recipient(s) in the ADAM store, which, as mentioned, contains, among other things, recipient data replicated from the Active Directory using the EdgeSync service.

In a scenario in which you have deployed multiple edge transport servers in your organization, the edge transport servers use DNS round robin (which is supported by most DNS servers today) to load-balance network traffic between the servers.

Prerequisites

The Exchange 2007 Edge Transport server role can be installed on either a Windows 2003 Server R2 Standard Edition or Windows 2003 Server SP1 Standard Edition. As already mentioned, it’s important that you install the Edge Transport server role on a stand-alone machine outside the Active Directory forest, since installing this server role on a server that is a member of Active Directory isn’t supported, nor would it be a good idea, since doing so would introduce a major security risk.

Since the Edge Transport server should be deployed in the perimeter network (the DMZ or screened subnet), it’s recommended that you use a multihomed setup, meaning that the server has two network adapters: one connected to the perimeter network and one to the internal network. This will give you the option of specifying the ports and/or services that should be allowed on each adapter. For example, we want to allow LDAP replication from only the internal network when we show you how to configure the Security Configuration Wizard (SCW) later in this chapter. But the choice is yours, really, since an edge transport server will work just fine using a single network adapter as well, albeit in a less secure way.

Creating a DNS Suffix

Before you can install the Exchange 2007 Edge Transport server role on the server, you should make sure that you have created a DNS suffix, because you cannot change the server name once the server role has been installed. In addition, the readiness check will fail if a DNS suffix cannot be located. Creating the DNS suffix is a very simple process, performed via the following steps:

1. Log on to the edge transport server with the Administrator account or another account with administrator permissions.

2. Click Start, right-click My Computer, and select Properties in the context menu.

3. Now click the Computer Name tab and then click the Change button (see Figure 7.2).

Figure 7.2 The Computer Name Tab

4. Click the More button.

5. Now enter the respective DNS suffix (see Figure 7.3) and then click OK four times.
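A pre-installation check for the prerequisites described above (stand-alone workgroup server, primary DNS suffix, two network adapters), as an added example that is not from the book or from Exchange Setup. The function name `Test-EdgePrerequisites` is hypothetical; the script only reads WMI and the `Tcpip\Parameters` registry key, where Windows stores the primary DNS suffix (`NV Domain` as configured, `Domain` as active after a restart).

```powershell
# Added example: read-only prerequisite check for a server that will hold
# the Edge Transport role. Run it locally on the candidate server.
function Test-EdgePrerequisites {
    $findings = @()

    # 1. The server must be stand-alone (workgroup), not a member of the AD forest.
    #    Win32_ComputerSystem.Domain holds the workgroup name when PartOfDomain is false.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings += "FAIL: server is joined to domain '$($cs.Domain)'; Edge Transport belongs on a workgroup server."
    } else {
        $findings += "OK: stand-alone server in workgroup '$($cs.Domain)'."
    }

    # 2. A primary DNS suffix must exist before Setup runs.
    #    'NV Domain' is the configured value; 'Domain' is the value in effect.
    $tcpip   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $active  = $tcpip.Domain
    $pending = $tcpip.'NV Domain'
    if (-not $active -and -not $pending) {
        $findings += "FAIL: no primary DNS suffix configured; the readiness check will not pass."
    } elseif ($pending -and ($pending -ne $active)) {
        $findings += "WARN: DNS suffix '$pending' is configured but not active yet; restart the server."
    } else {
        $findings += "OK: fully qualified name is '$($env:COMPUTERNAME).$active'."
    }

    # 3. Multihomed setup is recommended: one adapter per network segment.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($nics.Count -ge 2) {
        $findings += "OK: $($nics.Count) IP-enabled adapters found (multihomed)."
    } else {
        $findings += "WARN: only $($nics.Count) IP-enabled adapter(s); ports cannot be restricted per adapter."
    }

    return $findings
}

Test-EdgePrerequisites
```

Any FAIL line should be resolved before the role is installed, because the server name cannot be changed afterward.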

Date posted: 06/07/2014, 13:20
