Executive Summary: Microsoft Exchange Server 2007 is designed to work on at least two physical servers. However, if you have a small Exchange Server environment and can’t afford to manage more than one server, you can set up Exchange Server 2007 on just one physical server. To do so, you’ll need to make some configuration changes that enable the Hub Transport server role to handle Internet email. It’s also highly advisable to add a firewall to protect the Mailbox role from security threats.
Microsoft Exchange Server 2007 is geared toward deployment in multiserver environments. By default, it’s designed to work with at least two physical servers: one for the Edge Transport server role, the other for the remaining roles (Hub Transport, Mailbox, Client Access, and Unified Messaging). Although Microsoft highly recommends using Exchange 2007 with at least two physical servers, in certain scenarios you’d want to install and run Exchange 2007 on one machine. For example, a small business might not be able to afford dedicating more than one server to running Exchange.
The good news is, Exchange 2007 can work in a single-server deployment scenario, but to make this happen, you need to perform several configuration steps. To deploy Exchange 2007 in a single-server environment, you must install three crucial server roles (Hub Transport, Client Access, and Mailbox) on one machine, without installing the Edge Transport role at all. Instead, you need to configure the Hub Transport role to perform the job of both the Hub and Edge roles. (Of course, you’ll also need to set up Active Directory—AD, the Global Catalog, and DNS—preferably on a different physical server than the Exchange server.) You’ll also need to be aware of several downsides of single-server deployment. First, in this setup, all Exchange 2007 roles on the server are available from—and exposed to—the Internet, which poses a security risk. (A firewall can mitigate this risk.) Second, having all roles on one Exchange 2007 server makes that server a single point of failure. Finally, because you’ll need to implement antispam and antivirus protection on the Hub Transport role, you should expect more load on the server’s resources. Assuming you’ve addressed these issues, your next step is to learn more about the roles you’ll need to configure for single-server Exchange 2007, then walk through the procedure for setting up those roles.
Role Differences in a Single-Server Environment
When you configure Exchange 2007 on your server, your first task will be to configure the Edge Transport and Hub Transport roles to handle only intra-organizational message traffic. By default, the Hub Transport server role cannot deliver messages to users outside an Exchange organization, nor can it receive messages from outside the organization. Normally, a Hub Transport server can communicate with other Hub Transport servers in the same organization as well as with Mailbox servers and with the Edge Transport server. (For more information about communication among the server roles and how messages flow between servers, see the sidebar “How Messages Move in a Multiserver Exchange 2007 Environment.”)
To enable Exchange 2007 to run in a single-server environment, then, you’ll need to enable the Hub Transport server role to essentially function as an Edge Transport server since no Edge Transport server role is installed. You’ll need to install the three essential server roles—Mailbox, Client Access, and Hub Transport—on the same machine. In very small organizations, this server will probably be a domain controller (DC) also. Since the Hub Transport role by default isn’t configured to work without the Edge Transport, you’ll need to perform these tasks to enable Hub Transport to do the work of an Edge Transport server as well as perform its own Hub Transport functions:
• Enable the Hub Transport role to send messages directly to the Internet.
• Enable the Hub Transport role to receive messages from the Internet.
• Install and enable antispam functionality on the Hub Transport role.
In contrast to the special configuration you’ll need to do for the Hub Transport role, configuration of the Mailbox and Client Access server roles is almost the same as in a multiserver Exchange environment that includes an Edge Transport server. However, in a single-server Exchange 2007 environment, the Mailbox role is far more exposed to potential Internet attacks than in an environment with an Edge Transport server, where the Mailbox and Hub Transport servers aren’t directly connected to the Internet. In a single-server scenario, since the Mailbox server is located with the Hub Transport server (which is configured to work on the Internet) and Client Access server (which hosts Exchange Web services also available from the Internet), there are many more open ports to outside connections. Thus, I highly recommend you use a firewall capable of application-layer filtering. Microsoft ISA Server 2006 is the best choice in this case since it supports Exchange 2007 secure-server publishing. (You can learn more about securing Exchange 2007 with ISA Server in the Web-exclusive article “Securing Exchange Server 2007 Services with ISA Server 2006,” October 2007, InstantDoc ID 96957.) I also strongly recommend running Security Configuration Wizard (SCW) after you install Exchange 2007, to harden your Exchange server’s security. Remember to import the Exchange 2007 template to SCW before running the wizard. Now that you have a handle on the server-role differences, you’re ready to start the actual configuration. This article assumes that you’ve already installed Exchange 2007 on the server.
Configure Hub Transport to Send Email to the Internet
To enable the Hub Transport server role to send messages to the Internet, you’ll need to configure the name-resolution service and the SMTP Send connector. The Hub Transport server role must be able to resolve Internet DNS names based on the recipient’s email address and locate the correct destination SMTP server for message delivery. To enable Internet message delivery, you’ll have to create the Internet SMTP connector on the Hub Transport server. The Send connector represents a logical gateway through which outbound messages are sent. It controls outbound connections from the internal sending server to the external receiving server or destination email system. By default, no explicit Send connectors are created when the Hub Transport server role is installed.
To create the SMTP connector, open Exchange Management Console (EMC), navigate to Organization Configuration, and open Hub Transport. Then click the Send Connectors tab, and in the Actions pane, click New Send Connector.
On the first screen, enter the SMTP connector name (e.g., send to internet) and in the Select the intended use for this connector drop-down list, select Internet. Click Next, and on the Address Space page, click Add. In the Domain field, enter an asterisk (*). By entering this, you’re essentially creating a connector that will send a message to any domain on the Internet. If you want to create a connector for a specific domain, instead of entering *, enter a domain name and the options for that domain.
Click Next, and on the Network page select an option for name resolution, as Figure 1 shows. The default option is to use DNS MX records to route email. This means that your Exchange server will use the destination domain name to query your locally configured DNS for the IP address of the destination mail server. After that, Exchange will look for the MX record in the destination zone to locate the mail server. At this point, you can also enable mutual authentication by Transport Layer Security (i.e., by selecting the Enable Domain Security… option) if you want mail servers to authenticate to each other before starting communications. However, this option might not work with all Internet mail servers that your Exchange server communicates with, since not all mail servers support this feature.
The second option for name resolution is to route mail through a smart host server. This means that your Hub Transport server simply forwards every message to the specified smart host server (e.g., your ISP’s mail server), which will handle the entire message-delivery process. This is a suitable option when you don’t want to handle name resolution for messages locally (e.g., you don’t want to allow local DNS servers to access the Internet) and have an external mail server available to serve as your smart host. On this page you can also select the Use the External DNS Lookup settings on the transport server option, which lets you use a separate DNS server (or servers) only for sending messages. (To configure these DNS servers’ addresses, you’ll need to use the Set-TransportServer cmdlet.) Click Next in EMC, add the source server (since we have only one server, this server is selected by default), and click New to create the connector. Then open the properties of the new connector. First, set the Fully Qualified Domain Name (FQDN) for the new connector and the protocol-logging level (None or Verbose), as Figure 2 shows. The FQDN is actually the name that your server will use to present itself to other SMTP servers on the Internet; usually this is your mail server’s public FQDN. Next, open the Network tab. On the Network page, you can select the way your server authenticates to the smart host, if you configured one. If not, you’re done here.
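The same Send connector built from the Exchange Management Shell instead of EMC, as an added example that is not part of the article. It assumes the server is named EX01, its public name is mail.contoso.com, and 192.0.2.53 stands in for an external DNS server; the smart-host variant is shown commented out.

```powershell
# Added example, not from the article. Assumed names: EX01, mail.contoso.com, 192.0.2.53
$server     = "EX01"              # the single Hub/Mailbox/Client Access server (assumed)
$publicFqdn = "mail.contoso.com"  # name presented in HELO/EHLO to Internet SMTP servers (assumed)

# "SMTP:*;1" is the * address space from the wizard: any Internet domain, cost 1.
# DNSRoutingEnabled $true is the default "Use DNS MX records" choice.
New-SendConnector -Name "send to internet" `
    -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $server `
    -Fqdn $publicFqdn `
    -ProtocolLoggingLevel Verbose

# Smart-host variant (ISP relay handles delivery) instead of the two parameters above:
#   -DNSRoutingEnabled $false -SmartHosts "smtp.isp.example"   # placeholder host name

# Optional: separate DNS servers used only for outbound mail, so the internal DNS
# never has to resolve Internet names (the "Use the External DNS Lookup" option).
Set-TransportServer -Identity $server `
    -ExternalDNSServers 192.0.2.53 `
    -ExternalDNSAdapterEnabled $false
Set-SendConnector -Identity "send to internet" -UseExternalDNSServersEnabled $true

# Verify what was created before sending a test message.
Get-SendConnector -Identity "send to internet" |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, Fqdn, UseExternalDNSServersEnabled
```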
Now your Hub Transport server can send messages both internally and to the Internet. At this point, you can try to send a message to someone outside your organization. You should be able to do so; however, you can’t receive messages yet. So, your next step is to configure the Hub Transport server so that it can receive Internet email.
Configure Hub Transport to Receive Internet Email
To enable the Hub Transport server to receive messages from external sources, your first task is to configure an accepted domain for your Exchange organization. An accepted domain is any SMTP domain for which your Exchange server sends or receives email. Accepted domains include those domains for which the Exchange organization is authoritative (i.e., the server handles mail delivery for recipients in that domain) as well as domains for which the Exchange organization receives mail, then relays it to the external mail server. You must configure at least one accepted domain before you can use that SMTP namespace in an email address policy.
To configure the accepted domain, open EMC, navigate to Organization Configuration, open the Hub Transport node, and go to the Accepted Domains tab. Click New Accepted Domain in the Actions pane to start the wizard. On the first page, enter the domain’s name (this will probably be the name of your domain) and FQDN of the accepted domain. When you enter the accepted domain, you can use a wildcard character in the address space, to indicate that all subdomains of the SMTP address space are also accepted by the Exchange organization (e.g., *.microsoft.com will also accept all subdomains of Microsoft.com domain).
Next, select Authoritative Domain, which indicates that your server is responsible for mailboxes in that domain, and click New to create the new accepted domain. You can repeat this procedure for any domain that you want to accept messages for, but make sure that you configure MX records for these domains to point to your mail server.
Now you need to configure the Receive connector. The Hub Transport server has two default Receive connectors, but both connectors require authentication. Because you want your Hub Transport server to accept messages directly from the Internet (not from the Edge Transport server), you’ll need to allow an anonymous connection. To do so, open the Server Configuration node, click Hub Transport, and in the middle pane right-click the Default ServerName connector and select Properties. Open the Permission Groups tab and select the Anonymous users check box. Leave the other check boxes as they are. Click OK when you’re done.
Note that there’s one more Receive connector, the Client ServerName connector. That connector is configured to work on port 587 and is intended to be used by POP3 and IMAP4 clients for sending messages with TLS authentication. You can easily change this port number by editing the connector’s properties. Don’t allow anonymous connections on this connector.
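The accepted-domain and Receive-connector steps above from the Exchange Management Shell, as an added example that is not part of the article. It assumes server EX01 and the authoritative domain contoso.com, and ends with a check that only the intended connector accepts anonymous connections.

```powershell
# Added example, not from the article. Assumed names: EX01, contoso.com
$server = "EX01"        # assumed server name
$domain = "contoso.com" # assumed authoritative SMTP domain (its MX must point at this server)

# Authoritative accepted domain: this organization hosts the mailboxes for $domain.
New-AcceptedDomain -Name "Contoso" -DomainName $domain -DomainType Authoritative

# The "Default <server>" connector (port 25) must accept anonymous SMTP because no
# Edge Transport server sits in front of it. ExchangeUsers, ExchangeServers and
# ExchangeLegacyServers are its out-of-the-box groups; only AnonymousUsers is added.
Set-ReceiveConnector -Identity "$server\Default $server" `
    -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# Control: list every connector on the server that allows anonymous connections.
# Expected result is the Default connector only; the "Client <server>" connector on
# port 587 (POP3/IMAP4 submission) must not appear in this output.
function Get-AnonymousReceiveConnector {
    Get-ReceiveConnector -Server $server |
        Where-Object { "$($_.PermissionGroups)" -match "AnonymousUsers" } |
        Select-Object Name, Bindings, PermissionGroups
}
Get-AnonymousReceiveConnector
```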
Enable Antispam Functionality on Hub Transport
Since you aren’t using an Edge Transport server, you have to implement antispam protection on the Hub Transport server role. By default, antispam functionality isn’t installed on the Hub Transport server; you’ll need to use EMS commands to install it. To do so, open EMS, navigate to the folder in which you’ve installed Exchange Server (the default path is C:\Program Files\Microsoft\Exchange Server), then navigate to the Scripts subfolder. Now enter the following command:
.\Install-AntispamAgents.ps1
This command adds antispam functionality to the Hub Transport server. Close EMC and reopen it, open the Organization Configuration node, and click Hub Transport, and you’ll notice a new Anti-spam tab. Click that tab, and you’ll see various features for anti-spam functionality, as Figure 3 shows.
The first capability you should configure here is content filtering. Open the Content Filtering Properties page and click the Action tab. Here’s where you’ll configure actions for messages after they’re assigned a spam confidence level (SCL) value. Three actions are available: delete, reject, and quarantine. I suggest your initial configuration be to delete messages with an SCL of 9, reject messages with an SCL of 8, and quarantine messages with an SCL of 7. In this configuration, messages with an SCL of less than 7 will be delivered to users’ mailboxes, as Figure 4 shows. Since Exchange 2007’s built-in spam filter is intelligent and learns over time, after a while you’ll probably want to change those actions to values that better fit your needs.
On this page, you’ll also need to configure a spam mailbox—the mailbox that will hold all quarantined messages. It’s a good idea to create a mailbox solely for this purpose. The administrator should check this mailbox periodically and search for false positives—that is, quarantined messages that should be delivered to users.
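The antispam installation and the SCL actions recommended above, applied from the Exchange Management Shell, as an added example that is not part of the article. It assumes the default installation path and that a dedicated quarantine mailbox spam@contoso.com already exists; the check at the end guards against thresholds entered in the wrong order.

```powershell
# Added example, not from the article. Assumed: default install path, mailbox spam@contoso.com
$exchangeRoot = "C:\Program Files\Microsoft\Exchange Server"   # default path (assumed)

# Install the antispam agents; they load when the transport service restarts.
& "$exchangeRoot\Scripts\Install-AntispamAgents.ps1"
Restart-Service MSExchangeTransport

# Content filter actions: delete at SCL 9, reject at SCL 8, quarantine at SCL 7.
# Anything below 7 is delivered to the user's mailbox.
Set-ContentFilterConfig -Enabled $true `
    -SCLDeleteEnabled $true     -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true     -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -QuarantineMailbox "spam@contoso.com"   # dedicated mailbox reviewed for false positives

# Sanity check: the actions only make sense if delete > reject > quarantine,
# otherwise the harsher action never fires. Throws on a misordered configuration.
function Test-SclThresholds {
    $cfg = Get-ContentFilterConfig
    $ordered = ($cfg.SCLDeleteThreshold -gt $cfg.SCLRejectThreshold) -and
               ($cfg.SCLRejectThreshold -gt $cfg.SCLQuarantineThreshold)
    if (-not $ordered) { throw "SCL thresholds must satisfy delete > reject > quarantine" }
    $cfg | Format-List Enabled, SCL*Threshold, QuarantineMailbox
}
Test-SclThresholds

# Confirm the agents are registered and enabled on the Hub Transport server.
Get-TransportAgent | Format-Table Identity, Enabled, Priority
```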
Other options on the Anti-spam tab let you configure IP Allow and IP Block lists, if you want to explicitly allow or block certain IP addresses from communicating with your mail server. You can also configure Exchange to receive allow and block lists from external service providers. Additionally, you can configure recipient and sender filtering as well as Sender ID and sender reputation options. Recipient filtering and sender filtering let you block a specific recipient or sender from receiving or sending messages. Sender ID seeks to verify that every email message originates from the Internet domain from which it claims to have been sent. This is accomplished by checking the address of the server sending the email against a registered list of servers that the domain owner has authorized to send mail. Sender reputation is an antispam feature designed to block messages according to many sender characteristics. Sender reputation relies on persisted data about the sender to determine what action, if any, Exchange should take on an inbound message.
Ready for Email
Once you’ve verified that AD is working correctly and all Exchange services are functional, you’re ready to start using your Exchange 2007 server to send and receive email. As you’ve seen, installing Exchange 2007 on a single server is feasible if you know what steps to perform and are aware of the configuration differences in this setup as compared with a more typical multiserver Exchange 2007 environment. Although a single-server Exchange 2007 solution can be cost-effective and fully functional, the biggest concern about this type of setup is security, since certain resources, most notably the Mailbox role, are exposed to the Internet. If you’re going to set up a single-server Exchange solution, I also recommend that you implement more than one hard disk in your Exchange server as well as configure local continuous replication for high availability.