MSG307 Exploring Exchange 2003 Deployment Topologies
Kieran McCorry, Principal Consultant, Technology Leadership Group, Hewlett-Packard Company
Agenda
• Exchange Server 2003 OWA Publishing
• Exchange Server 2003 RPC over HTTP
• Multi-Forest Deployments
• Branch office deployment scenarios
• Datacenter platform scaling
• Recipient Update Service
• Perimeter security and anti-spam measures
Exchange 2003 OWA
• Exchange 2003 OWA topology identical to Exchange 2000 OWA topology
  • Front End server proxies connections to Back End server
  • No mailboxes hosted on Front End server
• External access configuration is key
• Two main approaches
  • Front End server in DMZ
  • Front End server in internal network (recommended)
OWA Front End in DMZ
• Front End in DMZ requires a “Swiss cheese” internal firewall
  • Inherently insecure: the Front End needs AD, Kerberos, DNS and RPC reachability into the internal network
• Diagram: OWA Client → Internet → External Firewall (80/443) → DMZ: Front End Server → Internal Firewall → Internal Network: Exchange 2003 Back End, DC/GC
• Ports the internal firewall must open from the Front End Server
  • 80: HTTP (to Back End)
  • 389: LDAP and 3268: Global Catalog LDAP
  • 88: Kerberos (UDP/TCP)
  • 53: DNS (UDP/TCP)
  • 135: RPC endpoint mapper
  • 1127: AD service (a dynamically assigned RPC port in the diagram; see the static mapping later in this deck)
  • 445: Netlogon/SMB
OWA Front End in Internal Network
• Proxy server in the DMZ simply forwards packets to the Front End server
• Much more secure: only 80/443 crosses each firewall
• Can do SSL termination at the proxy
• Diagram: OWA Client → Internet → External Firewall (80/443) → DMZ: ISA Server (or generic proxy) → Internal Firewall (80/443) → Internal Network: Front End Server, Exchange 2003 Back End, DC/GC
ISA Server 2000 Config
• Two approaches to presenting OWA access to Internet clients
  • Server Publishing / SSL Tunneling: the SSL session passes through ISA opaquely
  • Web Publishing / SSL Bridging: ISA terminates the client’s SSL session and can inspect the HTTP requests
• Web Publishing (recommended)
  • ISA Server (possibly with the help of an SSL accelerator) acts as intermediate endpoint
  • Forwards requests on to the Front End server
ISA Server 2000 Feature Pack 1
• OWA Publishing Wizard
RPC over HTTP (1 of 2)
• Use Outlook to connect to corporate email over the Internet
  • No need for VPN or OWA
• RPC over HTTP
  • Needs Windows XP SP1 and Outlook 2003 on the client
    • And the 331320 post-SP1 hotfix
  • Needs Windows 2003 on all participating servers
    • Exchange Servers, DCs, GCs
  • Requires IIS 6.0 worker process isolation mode (WPIM)
  • Requires MAPI profile update
RPC over HTTP (2 of 2)
• Architecture
  • Supports both Front End/Back End model and single-server implementation
  • Front End server acts as RPC Proxy server (a component of Windows 2003)
  • Client makes HTTP connection to remote RPC Proxy
  • RPC Proxy connects to Back End server and DCs/GCs (can be configured across firewalls)
• Performance is slower than normal access: no figures yet
Recommended Config
• Generic proxy server in DMZ (can be ISA)
• Dynamic port assignment from RPC Proxy
• Most secure topology; least configuration
• Diagram: Outlook Client → Internet → External Firewall (80/443) → DMZ: ISA Server → Internal Firewall (80/443) → Internal Network: RPC Proxy, Exchange 2003 Back End, Domain Controller, Global Catalog
RPC over HTTP RPC Proxy Configuration
• Configure Windows 2003 server to proxy RPCs
  • Use Add or Remove Programs / Windows Components to install the RPC over HTTP Proxy networking service
• Configure RPC virtual directory in IIS
  • IIS Manager / Web Sites / Default Web Site / RPC virtual directory properties
  • Directory Security / Authentication and Access Control
  • Disable “Anonymous”, enable “Integrated Windows Authentication”
    • Note: Outlook 2003 can authenticate here with NTLM or Basic; Basic over SSL is the reliable choice when an intermediate proxy terminates the client’s SSL session
RPC over HTTP Port Config
• On Windows 2003 RPC Proxy Server
  • Configure ports
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy\ValidPorts (string value)
  • Enter both the NetBIOS name and the FQDN, with port information, for every server the RPC Proxy will communicate with
    • <BackEndServer>:593;<BackEndServer>:6000-6004;
    • <DCServer>:593;<DCServer>:6000-6004;
  • RPC Proxy does not use DSAccess to locate DCs and GCs: a DC/GC missing from ValidPorts is simply unreachable for RPC over HTTP clients
Alternate Config for RPC Proxy
• No generic proxy; RPC Proxy in DMZ
• Restricted port assignment from RPC Proxy
• Less secure topology, more administrative configuration
• Diagram: Outlook Client → Internet → External Firewall (80/443) → DMZ: RPC Proxy → Internal Firewall (restricted RPC ports) → Internal Network: Exchange 2003 Back End, Domain Controller, Global Catalog
RPC over HTTP Port Restrictions
• Configure RPC Proxy Server to communicate with Back Ends/DCs/GCs
• Configure every Back End Server/DC/GC to communicate with RPC Proxy Server
• Establish restricted port range for
  • RPC Proxy to Back End server communication
  • RPC Proxy to DC/GC server communication
  • Back End server to RPC Proxy communication
  • DC/GC server to RPC Proxy communication
RPC over HTTP BE Port Config (1 of 3)
• RPC Back End Server
  • Configure DS Proxy (DSReferral) port through new registry key
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
    • HTTP Port
    • DWORD
    • Value: 6003 (decimal)
RPC over HTTP BE Port Config (2 of 3)
• RPC Back End Server
  • Configure NSPI proxy port with new registry key
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
    • RPC/HTTP NSPI Port
    • DWORD
    • Value: 6003 (decimal)
RPC over HTTP BE Port Config (3 of 3)
• RPC Back End Server
  • Configure Information Store port with new registry key
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
    • RPC/HTTP Port
    • DWORD
    • Value: 6001 (decimal)
• Note: the released Exchange 2003 documentation uses 6002 for HTTP Port and 6004 for RPC/HTTP NSPI Port (6001 for the store), so the two System Attendant endpoints get distinct ports and the NSPI value matches the ncacn_http:6004 configured on the GC; whatever values you choose must also appear in ValidPorts on the RPC Proxy
RPC over HTTP DC/GC Port Config
• DC/GC Server
  • Configure ports with new registry key
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
    • NSPI interface protocol sequences
    • Multi-String value
    • Value: ncacn_http:6004
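The restricted-port procedure on the preceding slides is only correct when the RPC Proxy’s ValidPorts value agrees with the static ports set on every Back End and DC/GC, under both the NetBIOS name and the FQDN. The following script is an added example, not code from the deck: it parses a ValidPorts string, reports every configured endpoint the proxy would refuse to forward to, and builds a correct ValidPorts string from the same server list. The server names and the draft ValidPorts value are constructed; the port numbers are the released-product values (store 6001, DSReferral 6002, NSPI proxy 6004) rather than the 6003 shown on the slides.

```python
"""Added example (not code from the original deck): check that the RPC Proxy's
ValidPorts value allows every static port configured on the Back End and DC/GC
servers, and build a correct ValidPorts string from the same data.
Server names and the draft ValidPorts value below are constructed."""
from dataclasses import dataclass

ENDPOINT_MAPPER_PORT = 593  # ncacn_http endpoint mapper, required for every server


def parse_valid_ports(value: str) -> dict:
    """Parse the string format 'host:593;host:6001-6004;...' into a map of
    lower-cased host name -> set of ports the proxy may forward to."""
    allowed = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate the trailing ';' shown on the slide
        host, sep, spec = entry.rpartition(":")
        if not sep or not host or not spec:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        low, _, high = spec.partition("-")
        allowed.setdefault(host.lower(), set()).update(
            range(int(low), int(high or low) + 1))
    return allowed


@dataclass
class RpcServer:
    """A server the RPC Proxy must reach, with its static-port registry values."""
    netbios: str
    fqdn: str
    static_ports: dict  # registry value name -> port

    def required_ports(self) -> dict:
        return {"endpoint mapper": ENDPOINT_MAPPER_PORT, **self.static_ports}


def check_valid_ports(valid_ports: str, servers: list) -> list:
    """Return one message per endpoint the proxy would refuse to forward to.
    Both name forms are checked because the slide requires both in ValidPorts."""
    allowed = parse_valid_ports(valid_ports)
    problems = []
    for server in servers:
        for name in (server.netbios, server.fqdn):
            reachable = allowed.get(name.lower(), set())
            for value_name, port in server.required_ports().items():
                if port not in reachable:
                    problems.append(f"{name}: {value_name} port {port} not in ValidPorts")
    return problems


def build_valid_ports(servers: list) -> str:
    """Emit a ValidPorts string listing each server under both names with exactly
    the ports it needs, instead of a blanket 6000-6004 range."""
    entries = []
    for server in servers:
        for name in (server.netbios, server.fqdn):
            for port in sorted(set(server.required_ports().values())):
                entries.append(f"{name}:{port}")
    return ";".join(entries)


# Constructed sample topology: one Back End server and one DC/GC.
BACKEND = RpcServer("EXBE01", "exbe01.corp.example.com", {
    "MSExchangeIS Rpc/HTTP Port (store)": 6001,
    "MSExchangeSA HTTP Port (DSReferral)": 6002,
    "MSExchangeSA Rpc/HTTP NSPI Port": 6004,
})
GC = RpcServer("DC01", "dc01.corp.example.com", {
    "NTDS NSPI interface protocol sequences (ncacn_http)": 6004,
})
SERVERS = [BACKEND, GC]

# Constructed draft as an administrator might first type it: NetBIOS names only,
# so every FQDN-addressed request would be refused by the proxy.
DRAFT_VALID_PORTS = "EXBE01:593;EXBE01:6001-6004;DC01:593;DC01:6004;"

if __name__ == "__main__":
    for problem in check_valid_ports(DRAFT_VALID_PORTS, SERVERS):
        print("PROBLEM:", problem)
    print("ValidPorts =", build_valid_ports(SERVERS))
```

Run it before prototyping the alternate (proxy-in-DMZ) topology: the problem list is exactly the set of firewall rules and registry entries that would otherwise surface as intermittent Outlook connection failures.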
RPC over HTTP MAPI Profile
• Configure MAPI profile for RPC over HTTP access
  • After applying the hotfix
  • Enter the URL for the RPC Proxy server (or ISA server)
Multi-Forest Deployments
• Messaging between Forests
  • Through SMTP connector
    • Point-to-point between forests
    • Through switch or smarthost
      • Switch may require directory population
      • Still need a connector to the switch
  • Assume separate SMTP namespaces for each forest
  • Can use X.400 too!
    • May help with SMTP naming conflicts when the same SMTP domain is used for all forests
    • Can accept SMTP inbound from the Internet and connect forests with X.400
Basic Synchronization
• Directory Synchronization Required
  • Peer-to-Peer OK for two Forests
  • Metadirectory required for multiple Forests
• Diagram: Forest 1 holds Forest 1 users plus contacts synchronized from Forest 2; Forest 2 holds Forest 2 users plus contacts synchronized from Forest 1
Detailed Results
• Forest 1 user (also has a DN)
  • SMTP: user1.last1@f1.com
  • X.400: sn=last1, gn=user1, o=f1org, <GDI>
• Forest 2 user (also has a DN)
  • SMTP: user2.last2@f2.com
  • X.400: sn=last2, gn=user2, o=f2org, <GDI>
• Contact for the Forest 1 user in Forest 2 carries the same SMTP and X.400 addresses
• Contact for the Forest 2 user in Forest 1 carries the same SMTP and X.400 addresses
Mail Sent within Forest
• To a user in the same forest: client uses the DN (X.500) address
• To a contact synchronized from the other forest: client uses the SMTP address
Branch Office Deployment
• New features in Windows 2003, Exchange 2003, and Office 2003 make branch office deployments simpler
  • Improved AD replication performance
  • DCpromo promote from media
  • Link State Update controls
  • Outlook cached mode and synchronization support
  • OWA and RPC over HTTP improvements
• Easy solutions for ‘remote’ branch offices
  • No connection to Schema Master during installation
Exchange 2003 in the Datacenter: General Observations
• Support for tens or hundreds of thousands of users
• Clustering is now a much more workable solution
  • Eight-node clustering
  • No Windows Datacenter requirement
  • RAIS (redundant array of inexpensive servers) is an alternative to clusters
• Servers booting from SANs
  • Great for “failover”
  • Connector, Front End, DC, and GC servers better with locally-attached storage
• Active user ratios tend towards 10% to 15%
• Users per server often dictated by storage limits rather than by machine performance
  • Keep databases under 40GB, unless you use VSS
• Separate Windows 2003 sites for Exchange and GCs from general servers
• Performance tuning crucial
  • /3GB boot switch
  • ESE virtual memory
  • Connector server file handles
  • Connector file locations
SMTP Relay Servers
• Reconfigure file storage for SMTP relays
  • Use ADSI Edit or LDP on Exchange 2000 to modify the path for
    • msExchSmtpBadMailDirectory
    • msExchSmtpPickupDirectory
    • msExchSmtpQueueDirectory
  • Exchange 2003 provides a GUI
Hosting and Address Books (1 of 2)
• Recipient Update Service
  • Maintains Address Lists by populating attributes for mail-enabled objects
  • At least one RUS per domain
    • Plus one for the Enterprise
  • Use more to ensure timely creation of objects
Hosting and Address Books (2 of 2)
• Administrator can disable RUS functionality and update objects manually (see KB 296479)
• Better Address List maintenance
• Maintain these for mail-enabled objects
  • legacyExchangeDN, proxyAddresses, textEncodedORAddress, mail, mailNickname, displayName (and targetAddress for contacts)
• And additionally these for mailbox-enabled users
  • msExchHomeServerName, homeMDB, homeMTA, msExchUserAccountControl, msExchMasterAccountSid, msExchMailboxGuid
Controlling Access to Address Lists in Hosted Environments (1 of 2)
• For OWA users
  • Access to GAL controlled by msExchQueryBaseDN
  • Set to an OU or an Address List
• For MAPI users, we have more configuration
  • Control access to users in OUs (possibly one OU per hosted company?)
  • Allocate users to Security Groups
  • Create Address Lists per company
    • Example: (&(objectCategory=user)(userPrincipalName=*@acme.com))
  • Control permissions to Address Lists
    • Deny default access and only permission the respective group
Controlling Access to Address Lists in Hosted Environments (2 of 2)
• The Domain RUS is responsible for maintaining Address List membership
  • Executes whenever a mail-enabled object is modified
• Can bypass it and manually control population of the “showInAddressBook” attribute
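The per-company filter on the previous slide is usually generated from tenant provisioning data, and an unescaped domain can change the filter’s structure, which in a hosted environment means one tenant’s list can match another tenant’s users. The script below is an added example, not the deck’s or Microsoft’s code: it builds the slide’s filter with the domain escaped per RFC 4515, evaluates that filter over in-memory user objects, and derives the showInAddressBook values an administrator would populate by hand when the RUS is bypassed. The users, domains and Address List DNs are constructed.

```python
"""Added example (not code from the original deck): build the slide's
per-company Address List filter with the tenant domain escaped, evaluate it
over in-memory objects, and derive manual showInAddressBook values.
All users, tenant domains and Address List DNs below are constructed."""
from dataclasses import dataclass

# RFC 4515 escapes for characters that would otherwise change filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value taken from untrusted input (tenant provisioning)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def company_address_list_filter(domain: str) -> str:
    """The slide's filter for one hosted company. The '*' wildcard belongs to the
    template; everything inside the domain is data and is escaped."""
    return f"(&(objectCategory=user)(userPrincipalName=*@{ldap_filter_escape(domain)}))"


@dataclass
class DirectoryObject:
    dn: str
    user_principal_name: str
    object_category: str = "user"


def address_list_members(domain: str, objects: list) -> list:
    """Evaluate the filter above in memory: a member is a user object whose UPN
    ends with '@' + domain (LDAP string matching is case-insensitive).
    Returns the matching DNs in directory order."""
    suffix = "@" + domain.lower()
    return [o.dn for o in objects
            if o.object_category == "user"
            and o.user_principal_name.lower().endswith(suffix)]


def show_in_address_book(objects: list, lists: dict) -> dict:
    """Map each object DN to the Address List DNs it belongs to, i.e. the value
    of showInAddressBook when the RUS is bypassed and set manually."""
    result = {o.dn: [] for o in objects}
    for domain, list_dn in lists.items():
        for dn in address_list_members(domain, objects):
            result[dn].append(list_dn)
    return result


# Constructed hosted directory: two tenants plus a user that belongs to neither.
LISTS_CONTAINER = ("CN=All Address Lists,CN=Address Lists Container,CN=Hosting,"
                   "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=host,DC=example")
ADDRESS_LISTS = {  # tenant SMTP domain -> Address List DN
    "acme.com": "CN=Acme," + LISTS_CONTAINER,
    "contoso.com": "CN=Contoso," + LISTS_CONTAINER,
}
OBJECTS = [
    DirectoryObject("CN=Alice,OU=Acme,DC=host,DC=example", "alice@acme.com"),
    DirectoryObject("CN=Bob,OU=Acme,DC=host,DC=example", "Bob@ACME.COM"),
    DirectoryObject("CN=Carol,OU=Contoso,DC=host,DC=example", "carol@contoso.com"),
    DirectoryObject("CN=Dave,OU=Contoso,DC=host,DC=example", "dave@notacme.com"),
]

if __name__ == "__main__":
    for domain in ADDRESS_LISTS:
        print(domain, "->", company_address_list_filter(domain))
    for dn, lists in show_in_address_book(OBJECTS, ADDRESS_LISTS).items():
        print(dn, lists)
```

Note that `dave@notacme.com` is excluded even though his UPN ends in `acme.com`: the `@` in the template is what keeps look-alike domains out of a tenant’s list, which is why the `@` must never come from the provisioning value itself.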
Exchange and Directory Access
• DSAccess and DSProxy
  • Outlook 2000 SR2 and higher use referral (RFR), not proxy
  • Use DSAccess to identify working GCs
  • Does not use the DSAccess recipient cache
• DSAccess initialization completes in 1 minute or stops
  • Control with HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\TopoCreateTimeOutSecs
• Three key roles
  • Configuration DC
    • High-performance DC on the same LAN, used for 8 hours at most before re-evaluation
  • Working DCs, Working GCs
How DSAccess Discovers AD Topology
• Open LDAP connection to local ‘bootstrap’ DC
• Search for local DCs and GCs
• Determine server suitability
• Search to identify secondary sites
  • Lowest site link cost to highest
  • Lowest-cost sites in secondary topology list
• Search to identify DCs and GCs in secondary topology sites
• Compile list of working DCs and GCs
How DSAccess Determines Server Suitability
• Tries to connect to the server over port 389 or 3268
  • 2-second limit
• Reads the security descriptor of the Configuration naming context
• Checks if DomainPrep has been run
• Checks if AD has been synchronized
• Issues DsGetDcName RPC Netlogon check
  • Disable it (DisableNetlogonCheck) if traversing a firewall
• Checks DNS weights and priorities
• Checks for the FSMO PDC role owner
  • Not other roles
Controlling Server Interaction
• Static mapping of the NSPI interface and RFR (referral) interface ports used with clients
  • HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters
    • TCP/IP NSPI Port
    • TCP/IP Port
• On GCs, the NSPI port is statically mapped with
  • HKLM\System\CurrentControlSet\Services\NTDS\Parameters
    • TCP/IP Port
• For Exchange Server in DMZ and GC on internal network
  • HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess
    • DisableNetLogonCheck = 1
    • LdapKeepaliveSecs = 0
Exchange 2003 Connection Filtering (1 of 2)
• Exchange provides connection filtering with blacklist (DNSBL) support
  • Example: the IP address of the SMTP source is looked up against the BL provider with its octets reversed
    • Mail from 62.190.247.12
    • Query 12.247.190.62.bad.bl.org
  • Configure from ESM / Global Settings / Message Delivery
• You can specify as many RBL providers as you wish
  • Best practice is to have 3 or 4
  • Specify open relay lists also
• Small implementations can use simple lookups
• Enterprise deployments should host a local secondary (zone transfer) of the blacklist
Exchange 2003 Connection Filtering (2 of 2)
• DNSBL providers return a status code
  • You can decide to block or not block based on this value
• Overrides
  • Specific recipients
    • Example: Postmaster
  • Specific deny sources
  • Specific accept sources
    • a.k.a. “whitelist”
• Connection filtering on
  • Specific senders
  • Specific recipients
• Good DNSBL list at: http://www.declude.com/junkmail/support/ip4r.htm
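The two connection-filtering slides describe a lookup (reverse the octets, append the provider zone, read the status code) and a set of overrides around it. The script below is an added example, not the deck’s or Microsoft’s code, that implements that decision offline: the query-name construction, a per-provider choice of which status codes block, and the recipient exception, global accept list and global deny list evaluated before the providers. The second zone (`relays.bl.org`), the status codes, the in-memory DNS table and the override lists are constructed; in production `resolver` would be a real A-record lookup against the provider or your local secondary.

```python
"""Added example (not code from the original deck): DNSBL query-name
construction and a connection-filter decision with the deck's overrides.
The DNS answers, the relays.bl.org zone and the status codes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class DnsblProvider:
    zone: str
    block_codes: frozenset  # answers that mean "reject"; empty = any listing rejects


def dnsbl_query_name(ip: str, zone: str) -> str:
    """62.190.247.12 against bad.bl.org -> 12.247.190.62.bad.bl.org.
    IPv4Address() rejects anything that is not a dotted quad before it reaches DNS."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS. Real DNSBLs answer inside 127.0.0.0/8 and use the
# last octet (or a bit mask) to say why the address is listed.
FAKE_DNS = {
    "12.247.190.62.bad.bl.org": "127.0.0.2",  # listed as a spam source
    "5.0.0.10.relays.bl.org": "127.0.0.4",    # listed, but with a code we do not act on
    "20.0.0.10.bad.bl.org": "192.0.2.1",      # not a 127/8 answer: hijacked or broken zone
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def dnsbl_status(ip: str, provider: DnsblProvider, resolver) -> Optional[str]:
    """Return the provider's status code for ip, or None if not listed.
    Answers outside 127.0.0.0/8 are ignored rather than treated as listings."""
    answer = resolver(dnsbl_query_name(ip, provider.zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def connection_filter(ip, recipient, providers, resolver,
                      accept_sources=(), deny_sources=(), exempt_recipients=()):
    """Decide (verdict, reason) for one inbound SMTP connection and recipient.
    Order used here: recipient exception, global accept list, global deny list,
    then each provider in turn; the first provider with a blocking code wins."""
    addr = ipaddress.IPv4Address(ip)
    if recipient.lower() in {r.lower() for r in exempt_recipients}:
        return "accept", f"recipient {recipient} exempt from connection filtering"
    if any(addr in ipaddress.IPv4Network(n) for n in accept_sources):
        return "accept", "source on global accept list"
    if any(addr in ipaddress.IPv4Network(n) for n in deny_sources):
        return "reject", "source on global deny list"
    for provider in providers:
        code = dnsbl_status(ip, provider, resolver)
        if code is None:
            continue
        if not provider.block_codes or code in provider.block_codes:
            return "reject", f"listed by {provider.zone} ({code})"
    return "accept", "no blocking listing"


# Constructed provider policy: bad.bl.org blocks on two codes, relays.bl.org on one.
PROVIDERS = [
    DnsblProvider("bad.bl.org", frozenset({"127.0.0.2", "127.0.0.3"})),
    DnsblProvider("relays.bl.org", frozenset({"127.0.0.2"})),
]

if __name__ == "__main__":
    for ip in ("62.190.247.12", "10.0.0.5", "10.0.0.20"):
        print(ip, connection_filter(ip, "user1@f1.com", PROVIDERS, fake_resolver))
```

The 127/8 check matters in practice: a provider that shuts down and has its zone wildcarded, or a resolver that rewrites NXDOMAIN, will otherwise turn every inbound connection into a listing.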
Anti-Spam Configurations
• Combination of
  • Perimeter connection blocking and filtering
  • Internal filtering
• DMZ options
  • Exchange in separate forest
  • Postfix
  • SSM
• Internal
  • Exchange
  • Content filtering
• Diagram: Internet → External Firewall → DMZ: inbound SMTP relay server with RBL/filter → Internal Firewall → Internal Network: Exchange
Summary (1 of 2)
• OWA Publishing Wizard straightforward to use
• Recommended configuration uses HTTP proxy in DMZ
  • For both OWA and RPC over HTTP operation
• RPC over HTTP configuration is tricky
  • Prototype comprehensively
• Combined Exchange, Windows, and Outlook new features allow improved branch office deployments
• Datacenter deployments also very possible
  • Be aware of required AD and system tuning modifications
Summary (2 of 2)
• Public Folder referral improvements
• DSAccess behavioral characteristics
• Understand Query-based Distribution Group behaviors and limitations
• Employ improved anti-spam and content filtering technologies
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.