The DMZ is a network segment where security considerations dominate the choice of what gets installed. Exchange 2007 is considered by many to be the first DMZ friendly release. Today we start installing an Exchange 2007 Edge server and look at what makes Edge a good DMZ citizen.
Despite the success in conquering internal corporate networks, earlier Exchange versions failed to replicate the same success at the DMZ. One reason for this was the Exchange server installation requirements that included IIS and Active Directory. These are often considered too cumbersome for hosts running internet facing services.
Splitting functionality into distinct roles allowed Exchange 2007 to provide the first DMZ friendly solution. The Edge server role was thus born: an SMTP transport on which email hygiene applications filter messages before they are allowed into or out of the internal network.
Today we walk through the installation of an Exchange Edge server. We also configure this to connect to the Exchange servers running internally.
Network Layout
We start our walk with a look at the network layout. A typical DMZ is shown below. Internet originating email is received by the Edge server. If accepted this is relayed to the internal Exchange Hub transport. In case of outgoing email, the Hub transport uses the Edge server as a smart host.
The separation between DMZ and internal network limits the type of traffic between the two segments. In this setup, the Edge server machine cannot be a member of the internal domain. Furthermore the Edge is expected to provide only essential services so as to limit exposure to potential security attacks. These limitations are catered for by the Edge server installation requirements. In fact we will be installing Edge on a standalone Windows 2003 Server. Of course it is also possible to install this on Windows 2008. I will be highlighting some differences between the two platforms as we go along.
For the purposes of this article, the internal network is already up and running. The internal domain name is exchinbox.local. An Exchange Hub transport server is also in place accepting emails for the domain adminstop.com.
Edge Installation Requirements
We start the Edge installation from a standalone Windows 2003 SP2 server. To satisfy the basic Exchange 2007 requirements we install the .NET Framework 2.0, MMC and PowerShell. With these bits out of the way, we look at some requirements specific to the Edge role.
First we have to configure the DNS Suffix for the Edge machine:
- Open the properties for 'My Computer'
- Select the Computer Name page and click Change
- Click More
- Enter the DNS name of the internal domain. In our case exchinbox.local
- Finally we restart the machine
Next we have to make up for the lack of Active Directory services. Cutting the Edge server from the internal Active Directory is desirable from an isolation perspective. However AD also serves as the Exchange 2007 configuration repository. Thus a replacement that allows Edge to store its configuration is obviously required.
So on Windows 2003 we install the Active Directory Application Mode (ADAM) service. Just like Active Directory this is an LDAP directory service. However this will only be used to store information relevant to Exchange.
We download ADAM SP1 from the Microsoft download center. The Service Pack includes all the bits and can be installed directly on a machine where ADAM was never installed.
There is nothing worthy of note regarding the installation of ADAM. It is just a matter of clicking Next, 'I Agree' and Finish.
Note: ADAM is included with Windows 2003 R2. In this case use the Optional Component Manager to complete this installation.
Note: If we were installing Edge on Windows 2008 instead of ADAM we would install Active Directory Lightweight Directory Services (AD LDS).
Installing the Edge Server Role
We have now satisfied the installation requirements. Using the Microsoft Update Service we make sure we also have all the latest updates. Finally we are ready to install the Edge Server role.
The usual Exchange 2007 installation Wizard greets us. Here we choose the Custom Exchange Server Installation option since Edge is not part of the typical installation.
At the Role selection step we select the Edge Server Role.
Note how on selecting the Edge role all other roles are grayed out. Edge has to be installed on its own. All other roles are intended to run within the internal network. We should now be able to complete the installation as usual.
Looking at ADAM
As already discussed, in this setup ADAM is acting as the configuration repository for the Edge server. ADAM is really a sibling of Active Directory. Thus tools that we usually use against Active Directory are also available for ADAM. Let's use ADSI Edit to take a look at what ADAM is storing.
- Start MMC: Run | mmc.exe
- Open File | Add/Remove Snap-in | Add | ADAM ADSI Edit
- Add the Snap-In and click OK to close the Add/Remove Snap-in dialog
- Now right-click the ADAM ADSI Edit node and select 'Connect To...'
- At the Connection Settings dialog change the port to 50389. This is the default port ADAM listens on.
- Hit OK to connect and we are ready to browse the directory. Here is the all too familiar Exchange Administrative Group object...
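Before moving on, a quick way to confirm the requirements set up above (standalone host, internal DNS suffix, ADAM installed and listening on 50389) is a pre-flight script run on the Edge box. This is an added example, not part of the original article; it takes exchinbox.local and port 50389 from the article's setup and assumes the ADAM instance service name starts with ADAM_.

```powershell
# Added pre-flight check for the Edge prerequisites covered in this article.
# Not from the article itself. Values below are taken from its setup:
$ExpectedSuffix = 'exchinbox.local'   # internal domain name used as DNS suffix
$AdamPort       = 50389               # default ADAM LDAP port
function Test-EdgePrereqs {
    $ok = $true
    # 1. Edge must be standalone: not joined to the internal domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Host "FAIL: host is a member of domain $($cs.Domain); Edge must be standalone"
        $ok = $false
    } else {
        Write-Host "OK:   host is standalone (workgroup $($cs.Domain))"
    }
    # 2. Primary DNS suffix must be the internal domain name. 'Domain' is the
    #    value in effect; 'NV Domain' is the value set in the Computer Name
    #    dialog, which only takes effect after the restart.
    $tcpip     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $effective = $tcpip.Domain
    $pending   = $tcpip.'NV Domain'
    if ($effective -eq $ExpectedSuffix) {
        Write-Host "OK:   DNS suffix is $effective"
    } elseif ($pending -eq $ExpectedSuffix) {
        Write-Host "WARN: DNS suffix change to $pending is pending; restart the machine"
        $ok = $false
    } else {
        Write-Host "FAIL: DNS suffix is '$effective', expected $ExpectedSuffix"
        $ok = $false
    }
    # 3. ADAM instance must be installed (assumption: service name starts with
    #    ADAM_, which also holds for AD LDS on Windows 2008) and listening.
    $adam = Get-Service | Where-Object { $_.Name -like 'ADAM_*' -and $_.Status -eq 'Running' }
    if ($adam) {
        Write-Host "OK:   ADAM service running: $($adam | ForEach-Object { $_.Name })"
    } else {
        Write-Host "FAIL: no running ADAM_* service found"
        $ok = $false
    }
    # netstat is used instead of a .NET socket so the check runs on PowerShell 1.0.
    $listening = netstat -an | Select-String "TCP\s+\S+:$AdamPort\s+\S+\s+LISTENING"
    if ($listening) {
        Write-Host "OK:   LDAP port $AdamPort is listening"
    } else {
        Write-Host "FAIL: nothing listening on TCP $AdamPort"
        $ok = $false
    }
    return $ok
}
Test-EdgePrereqs
```

The function returns $true only when all three checks pass, so it can also be called from a larger deployment script.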
Final Tips
Today we started the deployment of an Exchange 2007 Edge server. We looked briefly at the general characteristics of the DMZ, the network segment to home our installation.
Next we looked at the installation requirements. These contribute greatly to making the Exchange 2007 Edge server role DMZ friendly. The requirements include ADAM. This fills the void left by the lack of the Active Directory service, providing storage for the Edge server configuration. Once all requirements were satisfied, installing Edge was just a matter of selecting the custom installation type and the Edge server role.
In the next part of this article we will proceed with the configuration and connection of the Edge server to the Exchange servers running internally.
Part 2: Installing, Configuring Exchange 2007 Edge Server (Part 2)
Source: http://www.exchangeinbox.com/article.aspx?i=131
You just mentioned an Edge cannot be part of the internal domain. The internal domain name is exchinbox.local. How can the Edge have the same DNS suffix? What is adminstop.com?