Exchange 2010 deployment


Microsoft Exchange 2010 is the latest release in the Microsoft messaging technology family. Microsoft Exchange Server 2010 brings new and improved technologies, features, and services to the messaging product line. Exchange 2010 is a role-based deployment, with the roles Exchange Hub Transport, Exchange Client Access Server, Exchange Unified Messaging, Exchange Edge Transport and Exchange Mailbox. Each of these roles is significant when you are planning an upgrade or a new deployment. Careful selection and placement of servers in the different parts of the corporate infrastructure is crucial, and you have to plan ahead to deploy Exchange farms. Exchange 2010 brings HA, new transport and routing, Exchange Anywhere, protection and greater compliance with corporate networks. Exchange can be deployed under many firewall and security topologies, so it is highly important that you spend a great deal of time designing and deploying the firewall and security for Exchange. In this article, I am going to describe several firewall scenarios for Exchange deployment. I reckon you might be bombarded with spam without a wonder device such as Cisco IronPort, so I put greater emphasis on the Cisco IronPort C series and M series firewall and anti-spam devices in each of my diagrams. Cisco IronPort is a proven technology for managing and counteracting spam, and for content filtering and antivirus.

Edge Firewall: This scenario allows users to access OWA from the extranet to the intranet. However, OWA is placed in the internal network. The communication from the extranet is encrypted and the communication in the intranet is not encrypted. The firewall technology used is Microsoft ISA Server 2006 or Forefront TMG 2010, and Microsoft Exchange OWA and Outlook Anywhere are published to the extranet by using the web site publishing feature of Microsoft ISA Server 2006 or TMG. The authentication used for the extranet users is Windows Authentication. This type of deployment uses two NICs in the TMG server: one designated as external and the other designated as internal. A small business can deploy this type of firewall for Exchange. This is not a recommended deployment for a big organisation.

image

Back to Back Firewall: This configuration requires two ISA Server 2006 or Forefront TMG 2010 installations on two separate servers, each with two distinct network adapters, configured to communicate with the Internet, the perimeter network and the internal network. When configuring ISA Server 2006 or TMG, the ranges of IP addresses used by the Internet, perimeter and internal networks have to be specified, as well as the Firewall Policy rules that govern the communication between each network. This is done in two steps, targeting first the front firewall and then the back firewall.

image

Important! A front-end server is a specially configured server running either Exchange Server 2003 or Exchange 2000 Server software. A back-end server is a server with a standard configuration. There is no configuration option to designate a server as a back-end server; the term "back-end server" refers to all servers in an organization that are not front-end servers once a front-end server has been introduced into the organization.

3-Leg Perimeter or DMZ firewall: This configuration requires an ISA Server 2006 or Forefront TMG 2010 installation on one or more servers with three distinct network adapters that are configured to communicate with the Internet, the perimeter network and the internal network. When configuring ISA Server 2006 or TMG, the ranges of IP addresses used by the Internet, perimeter and internal networks have to be specified, as well as the Firewall Policy rules that govern the communication between each network.

image

3-Leg Perimeter or DMZ firewall with a Domain Controller in Perimeter: This is a similar scenario to the one above. However, a DC with the GC role is placed in the DMZ. An external trust is created between the external DC and the internal DC, and specific ports are opened in the firewall so the two domains can communicate. In this deployment, the internal domain(s) aren’t exposed to the perimeter. Users can access OWA, ActiveSync and Outlook Anywhere from the extranet securely.

image

Conclusion: DMZ is the recommended topology for the following reasons:

  • It provides security by isolating intruders from the rest of the network.

  • It provides application protocol filtering.

  • It performs additional verification on requests before it proxies them to the internal network.


Further Help:

Dell Exchange Web Advisor

HP Sizer for Microsoft Exchange Server 2010

Forefront TMG 2010: How to install and configure Forefront TMG 2010 - Step by step

Exchange 2010 Deployment Assistant

Exchange 2003 – Planning Roadmap for Upgrade and Coexistence

Exchange 2007 – Planning Roadmap for Upgrade and Coexistence

How to configure a domain member in DMZ by Dr. Thomas Shinder

Deploying domain controllers in a DMZ-TechRepublic Article

How to configure Exchange 2010 Hub Transport (HT) Server

How to configure Exchange 2010 Client Access Server (CAS) Role

Step by Step Guide on Exchange Server 2010 Edge Transport Role

Understanding Disjoint Namespace Scenarios

How to configure Exchange 2010 Hub Transport (HT) Server

The Hub Transport server role manages all mail flow inside the organization, applies transport rules, applies journaling policies and delivers messages to a recipient’s mailbox. The Hub Transport server is placed in the internal network within an Active Directory forest. Messages that are sent to the Internet are relayed by the Hub Transport server to the Edge Transport server role that’s deployed in the perimeter network. Messages that are received from the Internet are processed by the Edge Transport server before they’re relayed to the Hub Transport server. If you don’t have an Edge Transport server, you can configure the Hub Transport server to relay Internet messages directly or to use a third-party smart host. You can also install and configure the Edge Transport server agents on the Hub Transport server to provide anti-spam and antivirus protection inside the organization. It is best practice to keep two separate servers for the HT and ET roles.
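The two Internet relay options just described (direct delivery by DNS, or hand-off to a third-party smart host) are created as send connectors. The following Exchange Management Shell commands are an added example and are not from the original article; the server name HT01 and the smart host name smarthost.example.net are placeholders, and you would create one connector or the other, not both.

```powershell
# Added example (not from the original article). Run in the Exchange Management
# Shell on an Exchange 2010 server. Server and host names are placeholders.

$hubServer = "HT01"   # placeholder: your Hub Transport server name

# Option A: no Edge Transport server. The Hub Transport server delivers to the
# Internet itself, resolving each recipient domain through its MX records.
New-SendConnector -Name "Internet (DNS routing)" `
    -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $hubServer

# Option B (alternative to A): hand every outbound Internet message to a
# third-party smart host such as an anti-spam appliance. With a smart host,
# DNS routing is switched off and the appliance does the MX lookups instead.
New-SendConnector -Name "Internet (smart host)" `
    -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -DNSRoutingEnabled $false `
    -SmartHosts "smarthost.example.net" `
    -SmartHostAuthMechanism None `
    -SourceTransportServers $hubServer

# Review the result: DNSRoutingEnabled and SmartHosts show at a glance whether
# mail leaves the organisation by MX lookup or through the smart host.
Get-SendConnector | Format-Table Name, AddressSpaces, DNSRoutingEnabled, SmartHosts -AutoSize
```

When an Edge Transport server is in place, the Edge Subscription creates the Internet send connectors for you, so these commands are only needed for the no-Edge case the paragraph describes.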

You must deploy the Hub Transport server role in each Active Directory site that contains a Mailbox server role. Deploying more than one Hub Transport server per site provides redundancy; when you install more than one Hub Transport server in an Active Directory site, the connections are distributed across them. The HT server(s) read Active Directory for user authorization, which means you can deploy single sign-on (SSO) in your organization.

To configure HT and ET, maintaining DNS records is a vital part. The Edge Transport server queries the configured external DNS servers to find the DNS records that are required to deliver the message. The DNS servers that are configured for external DNS lookups are queried in the order in which they’re listed. If one of the DNS servers is unavailable, the query goes to the next DNS server on the list. The DNS servers are queried for the following information:

  • Mail exchange (MX) records for the domain part of the external recipient. The MX record contains the fully qualified domain name (FQDN) of the messaging server that’s responsible for accepting messages for the domain, and a preference value for that messaging server. To optimize fault tolerance, most organizations use multiple messaging servers and multiple MX records that have different preference values.

  • Address (A) records for the destination messaging servers. Every messaging server that’s used in an MX record should have a corresponding A record. The A record is used to find the IP address of the destination messaging server. The subscribed Edge Transport server uses the IP address to open an SMTP connection with the destination messaging server. The required combination of iterative DNS queries and recursive DNS queries that start with a root DNS server is used to resolve the FQDN of the messaging server that’s found in the MX record into an IP address.
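The lookup order described above (try the external DNS servers in their configured order, skip an unavailable one, sort the MX records by preference value, then resolve each MX target's A record) is shown below as an added PowerShell example that is not part of the original article. The DNS answers are constructed in a hashtable so the logic runs offline; the server addresses, domain and host names are placeholders, and the real transport server only needs the single Set-TransportServer command in the final comment.

```powershell
# Added example, not from the original article. The DNS data below is constructed
# to mimic the MX and A records the Edge Transport server would query; addresses,
# domain and host names are placeholders.

# Two external DNS servers in configured order. The first is marked unavailable
# to show the query falling through to the next server on the list.
$dnsServers = @(
    @{ Address = "203.0.113.10"; Available = $false; Zone = @{} },
    @{ Address = "203.0.113.11"; Available = $true;  Zone = @{
        "MX:example.net"   = @(
            @{ Preference = 20; Exchange = "mx2.example.net" },
            @{ Preference = 10; Exchange = "mx1.example.net" }
        )
        "A:mx1.example.net" = @("198.51.100.25")
        "A:mx2.example.net" = @("198.51.100.26")
    } }
)

function Resolve-MailRoute {
    param(
        [string]$Domain,   # domain part of the external recipient address
        [array]$Servers    # external DNS servers, in the configured order
    )
    foreach ($server in $Servers) {
        # An unavailable DNS server is skipped; the query goes to the next one.
        if (-not $server.Available) { continue }

        $mx = $server.Zone["MX:$Domain"]
        if (-not $mx) { return @() }   # no MX record for the domain

        # Lower preference value = more preferred, so mx1 (10) is tried before mx2 (20).
        $ordered = $mx | Sort-Object { $_.Preference }
        $routes = @()
        foreach ($record in $ordered) {
            # Every MX target should have an A record that gives its IP address.
            $addresses = $server.Zone["A:$($record.Exchange)"]
            if (-not $addresses) { continue }   # missing A record: that host is unusable
            foreach ($ip in $addresses) {
                $routes += New-Object PSObject -Property @{
                    Preference = $record.Preference
                    Host       = $record.Exchange
                    Address    = $ip
                    ResolvedBy = $server.Address
                }
            }
        }
        return $routes
    }
    return @()   # every configured DNS server was unavailable
}

# Delivery order for a recipient at example.net, resolved by the second server.
Resolve-MailRoute -Domain "example.net" -Servers $dnsServers |
    Format-Table Preference, Host, Address, ResolvedBy -AutoSize

# On a real Exchange 2010 Edge Transport server the external DNS server list is
# configured with Set-TransportServer (server name and addresses are placeholders):
#   Set-TransportServer -Identity "EDGE01" -ExternalDNSAdapterEnabled $false `
#       -ExternalDNSServers 203.0.113.10,203.0.113.11
```

The ExternalDNSServers list is only consulted when ExternalDNSAdapterEnabled is set to $false; otherwise the transport server uses the DNS settings of its network adapter, which is a common reason an Edge server resolves external domains through the wrong resolver.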

For the HT server(s), you must obtain certificates from a Windows Enterprise Root Certification Authority before you start installing the HT role.

Prepare Windows Server 2008 x64

Install Windows features:

  • Windows Server 2008 x64 SP2 or Windows Server 2008 R2

  • HT server must be a member of an Active Directory domain

  • Microsoft .NET Framework 3.5

  • WCF Activation

  • Windows Remote Management 2.0

  • Windows PowerShell V2

  • Active Directory Lightweight Directory Services (AD LDS)

  • Net.Tcp Port Sharing Service started and set to automatic start-up

  • Microsoft Office Filter Pack installed

  • Computer certificate and web certificates installed
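The prerequisite list above can be applied from an elevated PowerShell session on Windows Server 2008 R2. The script below is an added example, not part of the original article: the Server Manager feature names are the ones Windows Server 2008 R2 uses, Windows Remote Management 2.0 and PowerShell V2 ship with that release and need no feature add, the Office Filter Pack installer path and its silent switch are assumptions to confirm against the download you use, and the certificate step only checks that a certificate is present rather than requesting one.

```powershell
# Added example, not from the original article. Prepares a Windows Server 2008 R2
# x64 host for the Hub Transport role. Run in an elevated PowerShell session.

Import-Module ServerManager

# 1. The HT server must be a domain member; stop early if it is not.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This server is not a domain member; join it to the Active Directory domain first."
}

# 2. .NET Framework 3.5 with WCF Activation, AD LDS, and the IIS components
#    Exchange 2010 setup checks for. Feature names are those of Server 2008 R2.
$features = @(
    "NET-Framework-Core",      # .NET Framework 3.5.1
    "NET-HTTP-Activation",     # WCF Activation (HTTP)
    "NET-Non-HTTP-Activ",      # WCF Activation (non-HTTP)
    "ADLDS",                   # Active Directory Lightweight Directory Services
    "RSAT-ADDS",
    "Web-Server", "Web-Basic-Auth", "Web-Windows-Auth", "Web-Metabase",
    "Web-Net-Ext", "Web-Lgcy-Mgmt-Console", "WAS-Process-Model", "RSAT-Web-Server"
)
$result = Add-WindowsFeature $features
if ($result.RestartNeeded -ne "No") {
    Write-Warning "Restart the server before installing the HT role."
}

# 3. Net.Tcp Port Sharing Service must be running and start automatically.
Set-Service NetTcpPortSharing -StartupType Automatic
Start-Service NetTcpPortSharing

# 4. Microsoft Office Filter Pack is a separate download. The path and the
#    silent switch below are assumptions; adjust them for the package you use.
$filterPack = "C:\Install\FilterPack64bit.exe"
if (Test-Path $filterPack) {
    Start-Process -FilePath $filterPack -ArgumentList "/quiet" -Wait
} else {
    Write-Warning "Office Filter Pack installer not found at $filterPack"
}

# 5. Confirm a computer certificate from the enterprise CA is in the local
#    machine store; the HT role needs it before setup starts.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -gt (Get-Date) }
if (-not $certs) {
    Write-Warning "No valid certificate in Cert:\LocalMachine\My; request one from the enterprise root CA."
} else {
    $certs | Format-Table Subject, Issuer, NotAfter -AutoSize
}
```

Running Get-WindowsFeature afterwards and checking that each name in $features shows as installed is a quick way to confirm the server is ready before launching Exchange setup.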
