By configuring the Hub Transport role to handle Internet email, you can run Exchange Server 2007 on one physical server
Executive Summary:
Microsoft Exchange Server 2007 is designed to work on at least two physical servers. However, if you have a small Exchange Server environment and can’t afford to manage more than one server, you can set up Exchange Server 2007 on just one physical server. To do so, you’ll need to make some configuration changes that enable the Hub Transport server role to handle Internet email. It’s also highly advisable to add a firewall to protect the Mailbox role from security threats.
Microsoft Exchange Server 2007 is geared toward deployment in multiserver environments. By default, it’s designed to work with at least two physical servers: one for the Edge Transport server role, the other for the remaining roles (Hub Transport, Mailbox, Client Access, and Unified Messaging). Although Microsoft highly recommends using Exchange 2007 with at least two physical servers, in certain scenarios you’d want to install and run Exchange 2007 on one machine. For example, a small business might not be able to afford dedicating more than one server to running Exchange.
The good news is, Exchange 2007 can work in a single-server deployment scenario, but to make this happen, you need to perform several configuration steps. To deploy Exchange 2007 in a single-server environment, you must install three crucial server roles (Hub Transport, Client Access, and Mailbox) on one machine, without installing the Edge Transport role at all. Instead, you need to configure the Hub Transport role to perform the job of both the Hub and Edge roles. (Of course, you’ll also need to set up Active Directory—AD, the Global Catalog, and DNS—preferably on a different physical server than the Exchange server.) You’ll also need to be aware of several downsides of single-server deployment. First, in this setup, all Exchange 2007 roles on the server are available from—and exposed to—the Internet, which poses a security risk. (A firewall can mitigate this risk.) Second, having all roles on one Exchange 2007 server makes your server a single point of failure. Finally, because you’ll need to implement antispam and antivirus protection on the Hub Transport role, you should expect more load on the server’s resources. Assuming you’ve addressed these issues, your next step is to learn more about the roles you’ll need to configure for single-server Exchange 2007, then walk through the procedure for setting up those roles.
Role Differences in a Single-Server Environment
When you configure Exchange 2007 on your server, your first task will be to configure the Edge Transport and Hub Transport roles to handle only intra-organizational message traffic. By default, the Hub Transport server role cannot deliver messages to users outside an Exchange organization, nor can it receive messages from outside the organization. Normally, a Hub Transport server can communicate with other Hub Transport servers in the same organization as well as with Mailbox servers and with the Edge Transport server. (For more information about communication among the server roles and how messages flow between servers, see the sidebar “How Messages Move in a Multiserver Exchange 2007 Environment.”)
To enable Exchange 2007 to run in a single-server environment, then, you’ll need to enable the Hub Transport server role to essentially function as an Edge Transport server since no Edge Transport server role is installed. You’ll need to install the three essential server roles—Mailbox, Client Access, and Hub Transport—on the same machine. In very small organizations, this server will probably be a domain controller (DC) also. Since the Hub Transport role by default isn’t configured to work without the Edge Transport, you’ll need to perform these tasks to enable Hub Transport to do the work of an Edge Transport server as well as perform its own Hub Transport functions:
• Enable the Hub Transport role to send messages directly to the Internet.
• Enable the Hub Transport role to receive messages from the Internet.
• Install and enable antispam functionality on the Hub Transport role.
In contrast to the special configuration you’ll need to do for the Hub Transport role, configuration of the Mailbox and Client Access server roles is almost the same as in a multiserver Exchange environment that includes an Edge Transport server. However, in a single-server Exchange 2007 environment, the Mailbox role is far more exposed to potential Internet attacks than in an environment with an Edge Transport server, where the Mailbox and Hub Transport servers aren’t directly connected to the Internet. In a single-server scenario, since the Mailbox server is located with the Hub Transport server (which is configured to work on the Internet) and Client Access server (which hosts Exchange Web services also available from the Internet), there are many more open ports to outside connections. Thus, I highly recommend you use a firewall capable of application-layer filtering. Microsoft ISA Server 2006 is the best choice in this case since it supports Exchange 2007 secure-server publishing. (You can learn more about securing Exchange 2007 with ISA Server in the Web-exclusive article “Securing Exchange Server 2007 Services with ISA Server 2006,” October 2007, InstantDoc ID 96957.) I also strongly recommend running Security Configuration Wizard (SCW) after you install Exchange 2007, to harden your Exchange server’s security. Remember to import the Exchange 2007 template to SCW before running the wizard. Now that you have a handle on the server-role differences, you’re ready to start the actual configuration. This article assumes that you’ve already installed Exchange 2007 on the server.
Configure Hub Transport to Send Email to the Internet
To enable the Hub Transport server role to send messages to the Internet, you’ll need to configure the name-resolution service and the SMTP Send connector. The Hub Transport server role must be able to resolve Internet DNS names based on the recipient’s email address and locate the correct destination SMTP server for message delivery. To enable Internet message delivery, you’ll have to create the Internet SMTP connector on the Hub Transport server. The Send connector represents a logical gateway through which outbound messages are sent. It controls outbound connections from the internal sending server to the external receiving server or destination email system. By default, no explicit Send connectors are created when the Hub Transport server role is installed.
To create the SMTP connector, open Exchange Management Console (EMC), navigate to Organization Configuration, and open Hub Transport. Then click the Send Connectors tab, and in the Actions pane, click New Send Connector.
On the first screen, enter the SMTP connector name (e.g., send to internet) and in the Select the intended use for this connector drop-down list, select Internet. Click Next, and on the Address Space page, click Add. In the Domain field, enter an asterisk (*). By entering this, you’re essentially creating a connector that will send a message to any domain on the Internet. If you want to create a connector for a specific domain, instead of entering *, enter a domain name and the options for that domain.
Click Next, and on the Network page, select an option for name resolution, as Figure 1 shows. The default option is to use DNS MX records to route email. This means that your Exchange server will use the destination domain name to query your locally configured DNS for the IP address of the destination mail server. After that, Exchange will look for the MX record in the destination zone to locate the mail server. At this point, you can also enable mutual authentication by Transport Layer Security (i.e., by selecting the Enable Domain Security… option) if you want mail servers to authenticate to each other before starting communications. However, this option might not work with all Internet mail servers that your Exchange server communicates with, since not all mail servers support this feature.
The second option for name resolution is to route mail through a smart host. This means that your Hub Transport server simply forwards every message to the specified smart host (e.g., your ISP’s mail server), which then handles the entire message-delivery process. This is a suitable option when you don’t want to handle name resolution for messages locally (e.g., you don’t want to allow local DNS servers to access the Internet) and have an external mail server available to serve as your smart host. On this page you can also select the Use the External DNS Lookup settings on the transport server option, which lets you use a separate DNS server (or servers) only for sending messages. (To configure these DNS servers’ addresses, you’ll need to use the Set-TransportServer cmdlet.) Click Next in EMC and add the source server (since we have only one server, this server is selected), then complete the wizard to create the new connector. Now open the properties of the new connector. First, set the Fully Qualified Domain Name (FQDN) for the new connector and the protocol-logging level (None or Verbose), as Figure 2 shows. The FQDN is the name that your server uses to present itself to other SMTP servers on the Internet; usually this is your mail server’s public FQDN. Next, open the Network tab. On the Network page, you can select the way your server authenticates to the smart host, if you configured one. If not, you’re done here.
Now your Hub Transport server can send messages both internally and to the Internet. At this point, you can try to send a message to someone outside your organization. You should be able to do so; however, you can’t receive messages yet. So, your next step is to configure the Hub Transport server so that it can receive Internet email.
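The same Send connector configuration can be done from the Exchange Management Shell instead of the EMC wizard. The following is an added example, not code from the article; it assumes a single Exchange 2007 server named EX01, a public FQDN of mail.contoso.com, an external resolver at 192.0.2.53, a smart host named relay.isp.example, and an external test recipient, all of which you’d replace with your own values.

```powershell
# Added example (not from the article). Assumed values: server EX01, public name
# mail.contoso.com, external DNS 192.0.2.53, smart host relay.isp.example.
$Server     = "EX01"               # assumed: the single Exchange 2007 server
$PublicFqdn = "mail.contoso.com"   # assumed: name presented in EHLO/HELO to the Internet

# Option 1 (the wizard's default): route outbound mail by the destination domain's MX records.
New-SendConnector -Name "send to internet" `
    -Usage Internet `
    -AddressSpaces "*" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $Server `
    -Fqdn $PublicFqdn `
    -ProtocolLoggingLevel Verbose

# Option 2 (alternative, shown commented out): forward everything to a smart host and let it
# do name resolution, so the local DNS servers never need Internet access.
# New-SendConnector -Name "send via ISP" -Usage Internet -AddressSpaces "*" `
#     -DNSRoutingEnabled $false -SmartHosts "relay.isp.example" `
#     -SmartHostAuthMechanism None -SourceTransportServers $Server -Fqdn $PublicFqdn

# Use dedicated external DNS servers only for outbound lookups. This is the
# "Use the External DNS Lookup settings on the transport server" check box in EMC;
# the server addresses themselves are set with Set-TransportServer, as the article notes.
Set-TransportServer -Identity $Server `
    -ExternalDNSAdapterEnabled $false `
    -ExternalDNSServers "192.0.2.53"   # assumed resolver address
Set-SendConnector -Identity "send to internet" -UseExternalDNSServersEnabled $true

# Verify what was created and that outbound flow works.
Get-SendConnector -Identity "send to internet" |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, Fqdn, `
                ProtocolLoggingLevel, UseExternalDNSServersEnabled
Test-Mailflow -TargetEmailAddress someone@external.example   # assumed external recipient
```

Turning protocol logging on (Verbose) is worthwhile on a single server exposed to the Internet: the send logs are what you’ll use to diagnose a remote server rejecting your FQDN or your outbound IP, and to confirm the connector is only ever talking to the destinations you expect.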
Configure Hub Transport to Receive Internet Email
To enable the Hub Transport server to receive messages from external sources, your first task is to configure an accepted domain for your Exchange organization. An accepted domain is any SMTP domain for which your Exchange server sends or receives email. Accepted domains include those domains for which the Exchange organization is authoritative (i.e., the server handles mail delivery for recipients in that domain) as well as domains for which the Exchange organization receives mail, then relays it to the external mail server. You must configure at least one accepted domain before you can use that SMTP namespace in an email address policy.
To configure the accepted domain, open EMC, navigate to Organization Configuration, open the Hub Transport node, and go to the Accepted Domains tab. Click New Accepted Domain in the Actions pane to start the wizard. On the first page, enter a name for the accepted domain (this will probably be the name of your domain) and the FQDN of the accepted domain. When you enter the accepted domain, you can use a wildcard character in the address space to indicate that all subdomains of the SMTP address space are also accepted by the Exchange organization (e.g., *.microsoft.com also accepts all subdomains of the microsoft.com domain).
Next, select Authoritative Domain, which indicates that your server is responsible for mailboxes in that domain, and click New to create the new accepted domain. You can repeat this procedure for any domain that you want to accept messages for, but make sure that you configure MX records for these domains to point to your mail server.
Now you need to configure the Receive connector. The Hub Transport server has two default receive connectors, but both connectors require authentication. Because you want your Hub Transport server to accept messages directly from the Internet (not from the Edge Transport server), you’ll need to allow an anonymous connection. To do so, open the Server Configuration node, click Hub Transport, and in the middle pane right-click the Default ServerName connector and select Properties. Open the Permission Groups tab and click the Anonymous users check box. Leave the other check boxes as is. Click OK when you’re done.
Note that there’s one more Receive connector, the Client ServerName connector. That connector is configured to work on port 587 and is intended to be used by POP3 and IMAP4 clients for sending messages with TLS authentication. You can easily change this port number by editing the connector’s properties. Don’t allow anonymous connections on this connector.
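The accepted-domain and Receive connector steps above, done from EMS rather than EMC, as an added example that is not part of the article. It assumes a server named EX01 and an authoritative domain of contoso.com; the connector names follow the Default ServerName and Client ServerName pattern the article describes.

```powershell
# Added example (not from the article). Assumed values: server EX01, domain contoso.com.
$Server = "EX01"
$Domain = "contoso.com"

# Authoritative accepted domain. Using "*.contoso.com" as DomainName would also accept subdomains.
New-AcceptedDomain -Name "Contoso" -DomainName $Domain -DomainType Authoritative

# Confirm the public MX record points at this server before accepting Internet mail.
nslookup -type=mx $Domain

# Allow anonymous (Internet) SMTP on the Default connector. Append AnonymousUsers to the
# groups already present instead of replacing the list, so Exchange servers/users keep working.
$default = Get-ReceiveConnector -Identity "$Server\Default $Server"
Set-ReceiveConnector -Identity $default.Identity `
    -PermissionGroups "$($default.PermissionGroups),AnonymousUsers"

# The Client connector (port 587, for POP3/IMAP4 clients) must stay authenticated-only.
$client = Get-ReceiveConnector -Identity "$Server\Client $Server"
if ("$($client.PermissionGroups)" -match "AnonymousUsers") {
    Write-Warning "Client connector allows anonymous SMTP; remove AnonymousUsers from its permission groups."
}
# Optional: move the Client connector to a different port, as the article mentions (assumed port 2525).
# Set-ReceiveConnector -Identity $client.Identity -Bindings "0.0.0.0:2525"

# Review the result: only the Default connector should list AnonymousUsers.
Get-ReceiveConnector -Server $Server |
    Format-Table Name, Bindings, PermissionGroups, AuthMechanism -AutoSize
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default -AutoSize
```

The final Format-Table is the check worth keeping in a change script: anonymous submission on the wrong connector, or on a connector that also has relay permissions, is how a single-server deployment quietly becomes an open relay.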
Enable Antispam Functionality on Hub Transport
Since you aren’t using an Edge Transport server, you have to implement antispam protection on the Hub Transport server role. By default, antispam functionality isn’t installed on the Hub Transport server; you’ll need to use EMS commands to install it. To do so, open EMS, navigate to the folder in which you’ve installed Exchange Server (the default path is C:\Program Files\Microsoft\Exchange Server), then navigate to the Scripts subfolder. Now enter the following command:
.\Install-AntispamAgents.ps1

This command adds antispam functionality to the Hub Transport server. Close EMC and reopen it, open the Organization Configuration node, and click Hub Transport, and you’ll notice a new Anti-spam tab. Click that tab, and you’ll see various features for anti-spam functionality, as Figure 3 shows.
The first capability you should configure here is content filtering. Open the Content Filtering Properties page and click the Action tab. Here’s where you’ll configure actions for messages after they’re assigned a spam confidence level (SCL) value. Three actions are available: delete, reject, and quarantine. I suggest your initial configuration be to delete messages with an SCL of 9, reject messages with an SCL of 8, and quarantine messages with an SCL of 7. In this configuration, messages with an SCL of less than 7 will be delivered to the user’s mailbox, as Figure 4 shows. Since Exchange 2007’s built-in spam filter is intelligent and learns over time, after a while you’ll probably want to change those actions to values that better fit your needs.
On this page, you’ll also need to configure a spam mailbox—the mailbox that will hold all quarantined messages. It’s a good idea to create a mailbox solely for this purpose. The administrator should check this mailbox periodically and search for false positives—that is, quarantined messages that should be delivered to users.
Other options on the Anti-spam tab let you configure IP allow and IP block lists, if you want to explicitly allow or block certain IP addresses from communicating with your mail server. You can also configure Exchange to receive allow and block lists from external service providers. Additionally, you can configure recipient and sender filtering and Sender ID and sender reputation options. Recipient filtering and sender filtering let you block a specific recipient or sender from receiving or sending messages. Sender ID seeks to verify that every email message originates from the Internet domain from which it claims to have been sent. This is accomplished by checking the address of the server sending the email against a registered list of servers that the domain owner has authorized to send mail. Sender reputation is an antispam feature designed to block messages according to many sender characteristics. Sender reputation relies on persisted data about the sender to determine what action, if any, Exchange should take on an inbound message.
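The whole antispam setup in this section (installing the agents, the SCL actions, the quarantine mailbox, and the other Anti-spam tab options) can be scripted in EMS. This is an added example, not code from the article or from Microsoft; it assumes the default installation path, a quarantine mailbox named spamquarantine@contoso.com in a database called Mailbox Database, and constructed sample values for the block lists.

```powershell
# Added example (not from the article). Assumed: default install path, quarantine mailbox
# spamquarantine@contoso.com in "Mailbox Database", sample block-list entries below.

# 1. Install the antispam agents on the Hub Transport role.
Set-Location "C:\Program Files\Microsoft\Exchange Server\Scripts"
.\Install-AntispamAgents.ps1
# The script only registers the agents; the transport service must be restarted to load them.
Restart-Service MSExchangeTransport
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# 2. Dedicated quarantine mailbox (assumed names; pick an OU and database that exist).
$pw = Read-Host "Password for the quarantine mailbox" -AsSecureString
New-Mailbox -Name "Spam Quarantine" -Alias spamquarantine `
    -UserPrincipalName spamquarantine@contoso.com -Password $pw `
    -Database "Mailbox Database" -OrganizationalUnit Users

# 3. Content filter actions from the article: delete at SCL 9, reject at 8, quarantine at 7.
#    Anything below 7 is delivered to the user's mailbox.
Set-ContentFilterConfig `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -QuarantineMailbox spamquarantine@contoso.com

# 4. The other Anti-spam tab options (all values below are constructed samples).
Add-IPBlockListEntry -IPRange 192.0.2.0/24                       # IP block list
Set-SenderIdConfig -SpoofedDomainAction Reject                    # reject mail failing Sender ID
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7
Set-SenderFilterConfig -BlockedSenders @("bulk@example.net")      # sender filtering
Set-RecipientFilterConfig -BlockListEnabled $true `
    -BlockedRecipients @("retired-alias@contoso.com")             # recipient filtering

# 5. Review the effective configuration.
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction
Get-SenderReputationConfig | Format-List SenderBlockingEnabled, SrlBlockThreshold
```

Keep the quarantine mailbox on someone’s review schedule: the quarantine threshold is where false positives collect, and the article’s advice to check it periodically is what makes the reject and delete thresholds safe to tighten later.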
Ready for Email
Once you’ve verified that AD is working correctly and all Exchange services are functional, you’re ready to start using your Exchange 2007 server to send and receive email. As you’ve seen, installing Exchange 2007 on a single server is feasible if you know what steps to perform and are aware of the configuration differences in this setup as compared with a more typical multiserver Exchange 2007 environment. Although a single-server Exchange 2007 solution can be cost-effective and fully functional, the biggest concern about this type of setup is security, since certain resources, most notably the Mailbox role, are exposed to the Internet. If you’re going to set up a single-server Exchange solution, I also recommend that you implement more than one hard disk in your Exchange server as well as configure local continuous replication for high availability.