MSG307: Exploring Exchange 2003 Deployment Topologies
Kieran McCorry
Principal Consultant, Technology Leadership Group, Hewlett-Packard Company
Agenda
Exchange Server 2003 OWA Publishing
Exchange Server 2003 RPC over HTTP
Multi-Forest Deployments
Branch office deployment scenarios
Datacenter platform scaling
Recipient update service
Perimeter security and anti-spam measures
Exchange 2003 OWA
Exchange 2003 OWA topology identical to Exchange 2000 OWA topology
Front End server proxies connections to Back End server
No mailboxes hosted on Front End server
Connections proxied to Back End server
External access configuration is key
Two main approaches
Front End server in DMZ
Front End server in internal network (recommended)
OWA Front End in DMZ
Front End in DMZ requires a “Swiss cheese” firewall
Inherently insecure
[Diagram: OWA Front End in DMZ. The OWA client on the Internet reaches the Front End server in the DMZ through the external firewall on 80/443. The internal firewall must then pass, as labelled: 80 HTTP to the Exchange 2003 Back End; 389 LDAP, 3268 LDAP (GC), 88 Kerberos (UDP/TCP), 53 DNS (UDP/TCP), 135 RPC port mapper, 1127 AD service and 445 Netlogon SMB to the DC/GC on the internal network.]
OWA Front End in Internal
Proxy server simply forwards packets to Front End server
Much more secure
Can do SSL termination at Proxy
[Diagram: OWA Front End in the internal network. The OWA client on the Internet connects on 80/443 through the external firewall to ISA Server (or a generic proxy) in the DMZ, which forwards on 80/443 through the internal firewall to the Front End server; the Front End proxies to the Exchange 2003 Back End and DC/GC on the internal network.]
ISA Server 2000 Config
Two approaches to presenting OWA access to Internet clients
Server Publishing/SSL Tunneling
Web Publishing/SSL Bridging
Web Publishing (recommended)
ISA Server (possibly with help of SSL accelerator) acts as intermediate endpoint
Forwards packets on to Front End server
ISA Server 2000 FP
OWA Publishing Wizard
RPC over HTTP (1 of 2)
Use Outlook to connect to corporate email over the Internet
No need for VPN or OWA
RPC over HTTP
Needs Windows XP SP1 and Outlook 2003 on client
And 331320 post-SP1 hotfix
Needs Windows 2003 on all participating servers
Exchange Servers, DCs, GCs
Requires IIS 6.0 worker process isolation mode (WPIM)
Requires MAPI Profile Update
RPC over HTTP (2 of 2)
Architecture
Supports both Front End/Back End model and single server implementation
Front End server acts as RPC Proxy server (component of Windows 2003)
Client makes HTTP connection to remote RPC Proxy
RPC proxy connects to Back End server and DCs/GCs (can be configured across firewalls)
Performance is slower than normal access: no figures yet
Recommended Config
Generic proxy server in DMZ (can be ISA)
Dynamic port assignment from RPC Proxy
Most secure topology; least configuration
[Diagram: recommended RPC over HTTP topology. The Outlook client on the Internet connects on 80/443 through the external firewall to ISA Server in the DMZ, which forwards on 80/443 through the internal firewall to the RPC Proxy on the internal network; the RPC Proxy talks to the Exchange 2003 Back End, the Domain Controller and the Global Catalog.]
RPC over HTTP RPC Proxy Configuration
Configure Windows 2003 server to proxy RPCs
Use Add/Remove Programs to install the RPC over HTTP Proxy networking service
Configure RPC Virtual Directory in IIS
IIS Manager/Web Sites/Default Web Site/RPC Virtual Directory properties
Directory Security/Authentication and Access Control
Disable “Anonymous,” Enable “Integrated Windows Authentication”
RPC over HTTP Port Config
On Windows 2003 RPC Proxy Server
Configure ports
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy\ValidPorts
Enter the NetBIOS and FQDN name and port information for every server with which the RPC proxy will communicate that participates in RPC Proxy
<BackEndServer>:593;<BackEndServer>:6000-6004;
<DCServer>:593;<DCServer>:6000-6004;
RPC Proxy does not use DSAccess to locate DCs and GCs
Alternate Config for RPC Proxy
No Generic proxy; RPC Proxy in DMZ
Restricted port assignment from RPC Proxy
Less secure topology, more administrative configuration
[Diagram: alternate RPC over HTTP topology. The Outlook client on the Internet connects on 80/443 through the external firewall to the RPC Proxy placed in the DMZ; the RPC Proxy then crosses the internal firewall on restricted ports to the Exchange 2003 Back End, the Domain Controller and the Global Catalog on the internal network.]
RPC over HTTP Port Restrictions
Configure RPC Proxy Server to communicate with Back Ends/DCs/GCs
Configure every Back End Server/DCs/GCs to communicate with RPC Proxy Server
Establish restricted port range, for
RPC Proxy to Back End server communication
RPC Proxy to DC/GC server communication
Back End server to RPC Proxy communication
DC/GC server to RPC Proxy communication
RPC over HTTP BE Port Config (1 of 3)
RPC Back End Server
Configure DS Proxy port through new registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
HTTP Port
DWORD
Value: 6003 (decimal)
RPC over HTTP BE Port Config (2 of 3)
RPC Back End Server
Configure ports with new registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
RPC/HTTP NSPI Port
DWORD
Value: 6003 (decimal)
RPC over HTTP BE Port Config (3 of 3)
RPC Back End Server
Configure ports with new registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
RPC/HTTP Port
DWORD
Value: 6001 (decimal)
RPC over HTTP DC/GC Port Config
DC/GC Server
Configure ports with new registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
NSPI interface protocol sequences
Multi String value
Value: ncacn_http:6004
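Because the RPC Proxy does not use DSAccess, the ValidPorts string and the static ports set on each Back End and DC/GC are maintained by hand and drift apart easily. The following script, added here and not part of the presentation, builds the ValidPorts value for a list of servers (NetBIOS and FQDN, port 593 plus the 6000-6004 range from the slides) and checks that every static port configured on a server is actually covered by it. Server names and the per-server port sets are constructed for illustration.

```python
# Added example: generate and cross-check RpcProxy\ValidPorts (not from the slides).
import re
from dataclasses import dataclass, field

VALID_PORTS_PATH = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy\ValidPorts"

@dataclass
class Server:
    netbios: str
    fqdn: str
    static_ports: set = field(default_factory=set)  # ports set in that server's own registry

def build_valid_ports(servers, low=6000, high=6004):
    """Every back end, DC and GC is listed twice (NetBIOS and FQDN) with the
    endpoint mapper port 593 and the static port range, as the slides require."""
    entries = []
    for s in servers:
        for name in (s.netbios, s.fqdn):
            entries.append(f"{name}:593;{name}:{low}-{high}")
    return ";".join(entries) + ";"

_ENTRY = re.compile(r"^([^:;]+):(\d+)(?:-(\d+))?$")

def parse_valid_ports(value):
    """Return {name: set(ports)} from a ValidPorts string; raise on bad syntax."""
    allowed = {}
    for entry in filter(None, value.split(";")):
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        name, lo, hi = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
        allowed.setdefault(name.lower(), set()).update(range(lo, hi + 1))
    return allowed

def check_coverage(value, servers):
    """List (name, port) pairs the proxy could not reach: a static port missing
    from ValidPorts, or a server absent under one of its two names."""
    allowed = parse_valid_ports(value)
    gaps = []
    for s in servers:
        for name in (s.netbios, s.fqdn):
            for port in sorted(s.static_ports | {593}):
                if port not in allowed.get(name.lower(), set()):
                    gaps.append((name, port))
    return gaps

if __name__ == "__main__":
    # Constructed fleet: a back end using the slides' 6001/6003 static ports, a DC/GC on 6004.
    fleet = [Server("BE1", "be1.corp.example", {6001, 6003}),
             Server("DC1", "dc1.corp.example", {6004})]
    value = build_valid_ports(fleet)
    print(VALID_PORTS_PATH, "=", value)
    print("gaps:", check_coverage(value, fleet))
```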
RPC over HTTP MAPI Profile
Configure MAPI profile for RPC over HTTP access
After applying the hotfix
Enter the URL for the RPC Proxy server (or ISA server)
Multi Forest Deployments
Messaging between Forests
Through SMTP connector
Point-to-point between forests
Through switch or smarthost
Switch may require directory population
Still need a connector to switch
Assume separate SMTP namespaces for each forest
Can use X.400 too!
May help with SMTP naming conflicts when same SMTP domain used for all forests
Can accept SMTP inbound from internet and connect forests with x.400
Basic Synchronization
Directory Synchronization Required
Peer-to-Peer OK for two Forests
Metadirectory required for multiple Forests
[Diagram: Forest 1 holds Forest 1 users plus contacts from Forest 2; Forest 2 holds Forest 2 users plus contacts from Forest 1.]
Detailed Results
Forest 1 user (also has a DN): SMTP: [email protected]; X.400: sn=last1, gn=user1, o=f1org, <GDI>
Forest 2 user (also has a DN): SMTP: [email protected]; X.400: sn=last2, gn=user2, o=f2org, <GDI>
Contact in Forest 1 for the Forest 2 user: SMTP: [email protected]; X.400: sn=last2, gn=user2, o=f2org, <GDI>
Contact in Forest 2 for the Forest 1 user: SMTP: [email protected]; X.400: sn=last1, gn=user1, o=f1org, <GDI>
Mail Sent within Forest
Client uses the smtp address
Client uses the DN (x.500) address
[Diagram: Forest 1 and Forest 2, each with its own users and the contacts synchronized from the other forest.]
Branch Office Deployment
New features in Windows 2003, Exchange 2003, and Office 2003 make branch office deployments simpler
Improved AD replication performance
DCpromo promote from media
Link State Update controls
Outlook cache mode and synchronization support
OWA and RPC over HTTP improvements
Easy solutions for ‘remote’ branch offices
No connection to Schema Master during installation
Exchange 2003 in the Datacenter: General Observations
Support for tens or hundreds of thousands of users
Clustering is now a much more workable solution
Eight-node clustering
No Windows Datacenter requirements
RAIS is an alternative to clusters
Servers booting from SANs
Great for “failover”
Connector, Front End, DC, and GC servers better with locally-attached storage
Active user ratios tend towards 10% to 15%
Users per server often dictated by storage limits rather than by machine performance
Keep databases under 40GB, unless you use VSS
Separate Windows 2003 sites for Exchange and GCs from general servers
Performance Tuning crucial
/3GB boot switch
ESE Virtual Memory
Connector server file handles
Connector file locations
SMTP Relay Servers
Reconfigure file storage for SMTP relays
Use ADSI Edit or LDP on Exchange 2000 to modify path for
msExchSmtpBadMailDirectory
msExchSmtpPickupDirectory
msExchSmtpQueueDirectory
Exchange 2003 provides GUI
Hosting and Address Books (1 of 2)
Recipient Update Service
Maintains Address Lists by populating attributes for mail-enabled objects
At least one RUS per domain
Plus one for the Enterprise
Use more to ensure timely creation of objects
Hosting and Address Books (2 of 2)
Administrator can disable RUS functionality and update objects manually (see 296479)
Better Address List maintenance
Maintain these for mail-enabled objects
legacyExchangeDN, proxyAddresses, textEncodedORAddress, mail, mailNickname, displayName (and targetAddress for contacts)
And additionally these for mailbox-enabled users
msExchHomeServerName, homeMDB, homeMTA, msExchUserAccountControl, msExchMasterAccountSid, msExchMailboxGuid
Controlling Access to Address Lists in Hosted Environments (1 of 2)
For OWA users
Access to GAL controlled by msExchQueryBaseDN
Set to an OU or an Address List
For MAPI users, we have more configuration
Control access to users in OUs (possibly one OU per hosted company?)
Allocate users to Security Groups
Create Address Lists per company
Example:
(&(objectCategory=user)(userPrincipalName=*@acme.com))
Control permissions to Address Lists
Deny default access and only permission the respective group
Controlling Access to Address Lists in Hosted Environments (2 of 2)
The Domain RUS is responsible for maintaining Address List membership
Executes whenever a mail-enabled object is modified
Can bypass it and manually control population of “showInAddressBook” attribute
Exchange and Directory Access
DSAccess and DSProxy
Outlook 2000 SR2 and higher use referral, not proxy
Use DSAccess to identify working GCs
Does not use the DSAccess Recipient cache
DSAccess initialization completes in 1 minute or stops
Control with
HKLM\System\CCS\Services\MSExchangeDSAccess\TopoCreateTimeOutSecs
Three key roles
Configuration DC
High perf DC on same LAN, used for 8 hours at most
Working DCs, Working GCs
How DSAccess Discovers AD Topology
Open LDAP connection to local ‘bootstrap’ DC
Search for local DCs and GCs
Determine server suitability
Search to identify secondary sites
Lowest Site Link cost to highest
Lowest cost sites in secondary topology list
Search to identify DCs and GCs in secondary topology sites
Compile list of working DCs and GCs
How DSAccess Determines Server Suitability
Tries to connect to server over port 389 or 3268
2-second limit
Reads Security Descriptor of Configuration Naming
Context
Checks if DomainPrep has been run
Checks if AD has been synchronized
Issues DSGetDCName RPC Netlogon check
Disables if traversing a firewall
Checks DNS weights and priorities
Checks for FSMO PDC role owner
Not other roles
Controlling Server Interaction
Static mapping of NSPI Interface and RFR (Referral) interface process with clients
HKLM\System\CCS\Services\MSExchangeSA\Parameters
TCP/IP NSPI Port
TCP/IP Port
On GCs NSPI port statically mapped with
HKLM\System\CCS\Services\NTDS\Parameters
TCP/IP Port
For Exchange Server in DMZ and GC on internal network
HKLM\System\CCS\Services\MSExchangeDSAccess
DisableNetLogonCheck = 1
LdapKeepaliveSecs = 0
Exchange 2003 Connection Filtering (1 of 2)
Exchange provides connection filtering with Blacklist support
Example: IP address of SMTP source is looked up against BL provider
Mail from 62.190.247.12
12.247.190.62.bad.bl.org
Configure from ESM/Global Settings/Message Delivery
You can specify as many RBL providers as you wish
Best practice is to have 3 or 4
Specify Open Relay Lists also
Small implementations can use simple lookups
Enterprise deployments should host a local secondary (zone transfer) of the blacklist
Exchange 2003 Connection Filtering (2 of 2)
DNSBL providers return a status code
You can decide to block or not block based on this value
Overrides
Specific recipients
Example: Postmaster
Specific Deny sources
Specific Accept sources
aka., “Whitelist”
Connection Filtering on
Specific senders
Specific recipients
Good DNSBL list at:
http://www.declude.com/junkmail/support/ip4r.htm
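The two connection filtering slides above describe a decision: reverse the octets of the source IP, query it under each provider zone, block on the status codes you chose, and honour the overrides (exempt recipients such as Postmaster, accept and deny source lists). The script below, added here and not taken from the presentation, implements that decision offline. The lookup name uses the slide's own sample IP and zone; the DNSBL answers, the second provider, the status-code policy and the override lists are constructed for illustration.

```python
# Added example: Exchange 2003 style connection filtering decision (not from the slides).
import ipaddress

def dnsbl_name(ip, zone):
    """Reversed-octet query name: 62.190.247.12 under bad.bl.org -> 12.247.190.62.bad.bl.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def filter_connection(src_ip, rcpt, providers, lookup,
                      accept_sources=(), deny_sources=(), exempt_recipients=()):
    """Return (action, reason). `lookup(name)` stands in for the DNS A query and
    returns the provider's status code (e.g. '127.0.0.2') or None when not listed.
    `providers` is a list of (zone, block_codes); block_codes None = block on any listing."""
    src = ipaddress.IPv4Address(src_ip)
    # Overrides are evaluated before any provider is consulted.
    if rcpt.lower() in {r.lower() for r in exempt_recipients}:
        return ("accept", f"recipient {rcpt} exempt from filtering")
    if any(src in ipaddress.IPv4Network(n) for n in accept_sources):
        return ("accept", "source on local accept list (whitelist)")
    if any(src in ipaddress.IPv4Network(n) for n in deny_sources):
        return ("reject", "source on local deny list")
    for zone, block_codes in providers:
        code = lookup(dnsbl_name(src_ip, zone))
        if code is None:
            continue
        # Block only on the status codes the administrator selected for this provider.
        if block_codes is None or code in block_codes:
            return ("reject", f"{src_ip} listed by {zone} (status {code})")
    return ("accept", "not listed by any provider")

# Constructed DNSBL answers standing in for live DNS (zone contents are invented).
FAKE_ZONE = {
    "12.247.190.62.bad.bl.org": "127.0.0.2",
    "4.3.2.10.relay.example": "127.0.0.3",
}

def fake_lookup(name):
    return FAKE_ZONE.get(name)

# Constructed policy: block on any listing from the first provider,
# only on status 127.0.0.2 from the second.
PROVIDERS = [("bad.bl.org", None), ("relay.example", {"127.0.0.2"})]
```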
Anti-Spam Configurations
Combination of
Perimeter connection blocking and filtering
Internal filtering
DMZ options
[Diagram: inbound SMTP from the Internet crosses the external firewall to a relay server in the DMZ (options shown: Postfix with RBL/filter, SSM, or Exchange in a separate forest with content filtering) and then crosses the internal firewall to internal Exchange.]
Summary (1 of 2)
OWA Publishing Wizard straightforward to use
Recommended configuration uses HTTP proxy in DMZ
For both OWA and RPC over HTTP operation
RPC over HTTP configuration is tricky
Prototype comprehensively
Combined Exchange, Windows, and Outlook new features allow improved branch office deployments
Datacenter deployments also very possible
Be aware of required AD and system tuning modifications
Summary (2 of 2)
Public Folder referral improvements
DSAccess behavioral characteristics
Understand Query-based Distribution Group behaviors and limitations
Employ improved anti-SPAM and content filtering technologies
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
Suggested Reading And Resources
The tools you need to put technology to work!
Microsoft® Exchange Server 2003 Administrator's Companion (ISBN 07356-1979-4): available 9/24/03
Active Directory® for Microsoft® Windows® Server 2003 Technical Reference (ISBN 07356-1577-2): available today
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.