In Exchange 5.5, Microsoft has enhanced address-space restrictions, a feature that gives systems administrators more control over users' access to connectors. Although some of this feature's functionality was available in earlier versions of Exchange, administrators now can configure address-space restrictions from the Exchange Administrator user interface.
All connectors have a unique address type that identifies a certain type or group of recipients (e.g., SMTP). The address type combined with a value for the address (usually an asterisk, which lets you use this connector to send to any valid address for the type) becomes an address space. Collectively, address spaces make up the Gateway Address Routing Table (GWART).
For example, after you install the Internet Mail Service (IMS), Exchange enters an address space of SMTP;* and the name of the server where you installed the connector into the GWART. When a recipient sends an SMTP message, the Exchange Message Transfer Agent (MTA) uses the GWART to identify which servers in the organization support an SMTP address type and forwards the message to one of those servers.
By default, Exchange replicates all connector address spaces entered into the GWART to all servers in the organization. But beginning with Exchange 4.0 Service Pack 4 (SP4), you can control address-space replication. Using address-space restrictions, you can specify which sites and servers can communicate with an address space. You can restrict address-space replication to a site or to a server location within a site.
You configure server locations by editing the General property sheet on each server, as Screen 1 shows. After you set a location on one server within the site, other servers can join the location by choosing this location from the list. The default server location is <none> (a null location); other possible values are a named location (such as NorthWest in Screen 1) or an asterisk (*), which signifies membership in all other locations in the site, including the default <none> location. A server with a * location has access to all connectors in the site.
You configure address-space restrictions by adding or editing an address space on the Address Space property sheet of a connector and then selecting the Restrictions property sheet, as Screen 2 shows. Exchange offers three options--Organization, This Site, and This Location--for address-space restrictions. If you choose Organization (the default), Exchange will replicate the address space to all servers in the organization with no restrictions.
With the This Site restriction, Exchange replicates address spaces only to servers within the same site. In Exchange 4.0 SP4 and in Exchange 5.0, you can configure the site functionality on the Address Space tab of the connector's property sheet by specifying LOCAL as the address type and then specifying the connector address type as part of the address value. For example, type=LOCAL, Address=SMTP;* effectively creates an SMTP address space that is local to the site.
When you restrict replication to This Location, only servers in the site with the same named location and servers with the * location can receive the replicated address type in their local directory GWART. In Screen 1, Exchange has specified a Server location of NorthWest; if the administrator sets the address-space restriction on a connector on CADDIS to This Location, Exchange will limit replication to other servers in the NorthWest and * server locations within that site.
Figure 1 summarizes how server locations and location restrictions work when the address type is SMTP and its connector address-space restriction is This Location. Site A shows a server with a <none> default server location, which is equivalent to the This Site restriction. In this case, the other two servers in the site have access to the SMTP address type.
Site B has a server with a * location, which also is equivalent to a This Site restriction. Again, the other two servers have access to the SMTP address type. In Site C, a server with a named server location of NorthWest has the connector. In this case, the only other server in the site that has access to the SMTP address type is the server in the * location, because it is a member of all locations. Note that any other servers that are members of the NorthWest and * server locations of this site also have access to the SMTP address type.
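The replication rules described above for the three restriction options and the Figure 1 sites, written as a small Python model for auditing which servers would see a connector's address space in their GWART. This is an added example, not Microsoft code or an Exchange API; the server names, the locations of the non-connector servers in Sites A and B, and the function names are constructed for illustration.

```python
from dataclasses import dataclass

NONE_LOC = "<none>"   # default (null) server location
ANY_LOC = "*"         # member of every location in its site


@dataclass(frozen=True)
class Server:
    name: str
    site: str
    location: str = NONE_LOC


def receives_address_space(host, restriction, server):
    """True if `server` gets the address space of a connector on `host`."""
    if restriction == "Organization":
        return True
    if server.site != host.site:
        return False  # This Site and This Location never leave the site
    if restriction == "This Site":
        return True
    if restriction != "This Location":
        raise ValueError(f"unknown restriction: {restriction!r}")
    # A host in <none> or * behaves like This Site (Figure 1, Sites A and B).
    if host.location in (NONE_LOC, ANY_LOC):
        return True
    # Named location: same name, or a * server, which belongs to all locations.
    return server.location in (host.location, ANY_LOC)


def audience(host, restriction, servers):
    """Sorted names of servers whose GWART would list the address space."""
    return sorted(s.name for s in servers
                  if receives_address_space(host, restriction, s))


# Constructed inventory mirroring Figure 1; server names are made up.
SERVERS = [
    Server("A1", "A"), Server("A2", "A", "NorthWest"), Server("A3", "A", ANY_LOC),
    Server("B1", "B", ANY_LOC), Server("B2", "B", "NorthWest"), Server("B3", "B"),
    Server("C1", "C", "NorthWest"), Server("C2", "C", ANY_LOC), Server("C3", "C"),
]
BY_NAME = {s.name: s for s in SERVERS}

if __name__ == "__main__":
    for host in ("A1", "B1", "C1"):
        print(host, "This Location ->", audience(BY_NAME[host], "This Location", SERVERS))
    print("C1 This Site ->", audience(BY_NAME["C1"], "This Site", SERVERS))
```

Comparing the computed audience with the set of servers that are supposed to reach a connector shows where a location setting exposes it more widely than intended, such as a connector host left in the default <none> location.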
A Typical Configuration
Two examples illustrate address-space restrictions. Exchange administrator A's company has two business units, each with its own Exchange site, and the company wants to restrict use of its fax connectors to recipients in the local site. To restrict usage, A must change the address-space restriction to This Site for each server, which prevents Exchange from replicating the respective address spaces to the other Exchange site and lets only local recipients use the local fax connector.
In Exchange administrator B's company, one Exchange site includes servers in Europe and North America. B wants to install a fax connector in Europe and another fax connector in North America and limit use of the connectors to users in their respective continents. First, B needs to create a server location for Europe and another for North America. Then B must change the address-space restriction to This Location on each fax connector server, which prevents Exchange from replicating the respective address spaces from Europe's servers to North America's servers, and vice versa.
An Interesting Twist
The situation in the second example is relatively straightforward. But suppose B also has a separate Exchange site in Iceland that has an X.400 connection to a server in the North America location. Further, the Iceland unit has several Exchange servers for a research team and one server for management. The personnel who use the Management server require fax capability, but they want to use the fax connector already installed in the North America server location. The administrators in the North America server location go along with the Iceland personnel's wishes, but specify that the Iceland site limit the fax capability to users of the Management Exchange server.
For this configuration, B must first create a Management server location on the management Exchange server in the Iceland unit. B then must edit the Address Space property sheet of the X.400 connector on the Management server and add a second address space for the fax connector (the original X.400 address space is already there) with an address-space restriction of This Location. The location restriction prevents Exchange from replicating the new address space for the fax connector to the other Exchange servers in the Iceland site, because the other servers are not part of the Management server location.
Now, users on the Management server can address fax recipients by using the address type (e.g., fax) that matches the fax connector. The Exchange MTA will forward these messages through the X.400 connector to the server in the North America server location. The Exchange MTA on the North America X.400 bridgehead server will see that the message is addressed to a mailbox whose address matches the fax connector's and forward the message to the fax connector server.
This arrangement works because adding the address space for the fax connector to the local X.400 connector on the Management server tells the local MTA to forward any messages addressed to the fax connector address space through the connector to the remote site. As long as the server in the remote site also understands the address space, the remote server will forward the message to the correct server, based on information in the GWART. The Management server's GWART contains no information about the fax connector; the GWART knows only that the local X.400 connector supports an additional address space that matches the remote site's fax connector.
Address-space restrictions give administrators a tool for fine-tuning Exchange implementations. Use these restrictions to configure your Exchange organization the way you want it.