11 You'll now need to decide how unspecified services (that is, services that are not yet in the SCW database) should be handled. You can choose to leave the startup mode as it is or have the service disabled. We recommend that you select Disable the service and then enable it manually should it be required. When you have decided how you would like unspecified services to be handled, click Next.
12 On the Confirm Service Changes page, verify that the service configuration for each service is set as expected, as shown in Figure 7.55, and click Next.
Figure 7.55 Confirming Service Changes
13 You have now reached the Network Security section of the SCW, which is where you'll configure inbound ports on the Windows Firewall based on the roles and administration options selected on the previous pages. In addition, this is where you can restrict access to ports and indicate whether port traffic must be signed or encrypted using IPsec. It's very important that you configure this portion correctly, since answering the questions incorrectly might prevent the Edge Transport server from communicating with the servers it's required to communicate with. Click Next.
Figure 7.56 Adding the Respective Ports
14 On the Open Ports and Approve Applications page, you need to pay special attention. As you read earlier in this chapter, the Edge Transport server replicates data from Active Directory into its local ADAM store at scheduled intervals (EdgeSync). Because this is done using LDAP on ports 50389 (LDAP) and 50636 (Secure LDAP), you need to add both ports on this page. To do so, click the Add button shown in Figure 7.56.
15 On the Add Port or Application page, enter 50389 in the Port number field, check TCP, and click OK (see Figure 7.57).
16 Repeat Step 15, but enter port 50636 instead. Click OK.
Figure 7.57 Adding the LDAP Port
NOTE
50389 and 50636 are the default ports used for LDAP communication between Active Directory and ADAM, but if you for some reason need to, you can change them using the ConfigureAdam.ps1 script located in the Scripts directory under C:\Program Files\Microsoft\Exchange Server. This script invokes the dsdbutil command, which can be used to change the LDAP port, the Secure LDAP port, the log path, and the path of the directory database. To change the LDAP and Secure LDAP ports used by the Edge Transport server, open the EMS, navigate to the Scripts folder under the Exchange directory, type ConfigureAdam.ps1 -ldapport:10389 -sslport:10636, and press Enter. This example would change the LDAP and Secure LDAP ports to 10389 and 10636, respectively. If you do change the ports, remember that Steps 15 and 16 must then open the new port numbers rather than 50389 and 50636, or EdgeSync will be blocked by the firewall. Although you could change the port numbers directly in the registry, don't do so, since it will make the ADAM instance unavailable.
17 Select the newly added port 50389 in the list and click the Advanced button.
18 Click the Local Interface Restrictions tab and select Over the following interfaces. Check the network adapter connected to the internal network and click OK. This limits the ADAM port to the internal interface, so it is not exposed on the adapter facing the Internet.
19 Repeat Steps 17 and 18 for port 50636.
20 Now click Next and confirm the port configuration settings. Click Next again.
21 You have now reached the Registry Settings section of the SCW. Since you can skip this section, check Skip this section and click Next. Do the same on the Audit Policy page and click Next.
22 Now that you're through all the security configuration settings, it's time to save and apply the security policy. On the Save Security Policy page, click Next.
23 On the Security Policy Filename page, type a name for the policy and, optionally, a description of the policy. Click Next (see Figure 7.58).
Figure 7.58 Security Policy Filename
NOTE
If you have enabled and allowed Remote Desktop connections to the Edge Transport server, we also recommend that you do Steps 17 and 18 for port 3389 (Remote Desktop Protocol). This will block any connection attempts on port 3389 from external sources.
24 You will now be informed that applying this security policy to the selected server will require a reboot after the policy is applied. This is required for the configured applications and services to run properly. Click OK, select Apply Now, and click Next (see Figure 7.59).
25 When the security policy has been applied, click Next and finally Finish to exit the SCW.
26 Reboot the server and verify that everything works as expected (mail flow, EdgeSync replication, Remote Desktop, and so on).
Figure 7.59 Applying the Security Policy
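The following PowerShell script is an added example for the verification in Step 26; it is not from the book or from Microsoft. It checks, on the Edge Transport server, that the ADAM instance is actually listening on the ports opened in Steps 15 and 16, and, from a host on either side of the firewall, whether those ports can be reached, so that the interface restriction from Steps 17 through 19 can be confirmed. The addresses 10.0.1.10 (Edge internal interface) and 192.0.2.10 (Edge external interface), the default ports 50389/50636, and the $Role variable are assumptions; adjust them to your environment.

```powershell
# Added post-configuration check (not from the book). Assumed values:
$EdgeInternalIP = '10.0.1.10'    # assumed address of the Edge server's internal adapter
$EdgeExternalIP = '192.0.2.10'   # assumed address of the Edge server's external adapter
$AdamPorts      = 50389, 50636   # default ADAM LDAP / Secure LDAP ports (Steps 15-16)
$Role           = 'Edge'         # 'Edge'     = run on the Edge Transport server
                                 # 'Internal' = run from a Hub Transport server
                                 # 'External' = run from a host outside the perimeter network

# Parse "netstat -ano -p tcp" for LISTENING sockets on the given ports. A line looks like:
#   TCP    0.0.0.0:50389    0.0.0.0:0    LISTENING    1234
function Get-TcpListener {
    param([int[]]$Port)
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $local  = $matches[1]
            $p      = [int]$matches[2]
            $procId = [int]$matches[3]
            if ($Port -contains $p) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $name = if ($proc) { $proc.ProcessName } else { '?' }
                $o = New-Object PSObject
                $o | Add-Member NoteProperty Port         $p
                $o | Add-Member NoteProperty LocalAddress $local
                $o | Add-Member NoteProperty ProcessId    $procId
                $o | Add-Member NoteProperty Process      $name
                $o
            }
        }
    }
}

# TCP connect test with a timeout, so a firewall DROP shows up as $false
# instead of hanging the script.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($ar)
            $true
        } else {
            $false
        }
    } catch {
        $false
    } finally {
        $client.Close()
    }
}

switch ($Role) {
    'Edge' {
        # The ADAM instance (service ADAM_MSExchange) runs as dsamain.exe; if no
        # listener shows up, the firewall policy is irrelevant and EdgeSync will fail anyway.
        "ADAM listeners on this Edge Transport server (expect process 'dsamain' on each port):"
        Get-TcpListener -Port $AdamPorts | Format-Table Port, LocalAddress, ProcessId, Process -AutoSize
    }
    default {
        # From the internal network the ports must be reachable; from the external
        # side they must not be, because of the Local Interface Restrictions set in Step 18.
        $expected = ($Role -eq 'Internal')
        $target   = if ($expected) { $EdgeInternalIP } else { $EdgeExternalIP }
        foreach ($p in $AdamPorts) {
            $ok = Test-TcpPort -Computer $target -Port $p
            $verdict = if ($ok -eq $expected) { 'OK' } else { 'UNEXPECTED - review the SCW port and interface settings' }
            "{0}:{1}  reachable={2}  {3}" -f $target, $p, $ok, $verdict
        }
    }
}
```

Run it once on the Edge server with $Role set to 'Edge', once from a Hub Transport server with 'Internal', and once from a machine on the external side with 'External'. An 'UNEXPECTED' result in the Internal run means EdgeSync is blocked; one in the External run means the ADAM ports are exposed toward the Internet. End-to-end replication is then confirmed from the Exchange Management Shell on a Hub Transport server with Test-EdgeSynchronization.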
NOTE
If you're planning to deploy multiple Edge Transport servers in your perimeter network (DMZ or screened subnet), you can easily copy this Edge Transport server security policy XML file to the rest of the Edge Transport servers and apply it using the SCW.