Executive Summary:
Microsoft Exchange Server 2007 is designed to work on at least two physical servers. However, if you have a small Exchange Server environment and can’t afford to manage more than one server, you can set up Exchange Server 2007 on just one physical server. To do so, you’ll need to make some configuration changes that enable the Hub Transport server role to handle Internet email. It’s also highly advisable to add a firewall to protect the Mailbox role from security threats.
Microsoft Exchange Server 2007 is geared toward deployment in multiserver environments. By default, it’s designed to work with at least two physical servers: one for the Edge Transport server role, the other for the remaining roles (Hub Transport, Mailbox, Client Access, and Unified Messaging). Although Microsoft highly recommends using Exchange 2007 with at least two physical servers, in certain scenarios you’d want to install and run Exchange 2007 on one machine. For example, a small business might not be able to afford dedicating more than one server to running Exchange.
The good news is, Exchange 2007 can work in a single-server deployment scenario, but to make this happen, you need to perform several configuration steps. To deploy Exchange 2007 in a single-server environment, you must install three crucial server roles (Hub Transport, Client Access, and Mailbox) on one machine, without installing the Edge Transport role at all. Instead, you need to configure the Hub Transport role to perform the job of both the Hub and Edge roles. (Of course, you’ll also need to set up Active Directory (AD), the Global Catalog, and DNS, preferably on a different physical server than the Exchange server.) You’ll also need to be aware of several downsides of single-server deployment. First, in this setup, all Exchange 2007 roles on the server are available from—and exposed to—the Internet, which poses a security risk. (A firewall can mitigate this risk.) Second, having all roles on one Exchange 2007 server makes that server a single point of failure. Finally, because you’ll need to implement antispam and antivirus protection on the Hub Transport role, you should expect more load on the server’s resources. Assuming you’ve addressed these issues, your next step is to learn more about the roles you’ll need to configure for single-server Exchange 2007, then walk through the procedure for setting up those roles.
Role Differences in a Single-Server Environment
When you configure Exchange 2007 on your server, your first task will be to reconfigure the Hub Transport role so that it handles more than intra-organizational message traffic. By default, the Hub Transport server role cannot deliver messages to users outside an Exchange organization, nor can it receive messages from outside the organization. Normally, a Hub Transport server can communicate with other Hub Transport servers in the same organization as well as with Mailbox servers and with the Edge Transport server. (For more information about communication among the server roles and how messages flow between servers, see the sidebar “How Messages Move in a Multiserver Exchange 2007 Environment.”)
To enable Exchange 2007 to run in a single-server environment, then, you’ll need to enable the Hub Transport server role to essentially function as an Edge Transport server, since no Edge Transport server role is installed. You’ll need to install the three essential server roles—Mailbox, Client Access, and Hub Transport—on the same machine. In very small organizations, this server will probably be a domain controller (DC) also. Since the Hub Transport role by default isn’t configured to work without the Edge Transport role, you’ll need to perform these tasks to enable Hub Transport to do the work of an Edge Transport server as well as perform its own Hub Transport functions:
• Enable the Hub Transport role to send messages directly to the Internet.
• Enable the Hub Transport role to receive messages from the Internet.
• Install and enable antispam functionality on the Hub Transport role.
In contrast to the special configuration you’ll need to do for the Hub Transport role, configuration of the Mailbox and Client Access server roles is almost the same as in a multiserver Exchange environment that includes an Edge Transport server. However, in a single-server Exchange 2007 environment, the Mailbox role is far more exposed to potential Internet attacks than in an environment with an Edge Transport server, where the Mailbox and Hub Transport servers aren’t directly connected to the Internet. In a single-server scenario, because the Mailbox server is colocated with the Hub Transport server (which is configured to work on the Internet) and the Client Access server (which hosts Exchange Web services that are also available from the Internet), many more ports are open to outside connections. Thus, I highly recommend you use a firewall capable of application-layer filtering. Microsoft ISA Server 2006 is the best choice in this case since it supports Exchange 2007 secure-server publishing. (You can learn more about securing Exchange 2007 with ISA Server in the Web-exclusive article “Securing Exchange Server 2007 Services with ISA Server 2006,” October 2007, InstantDoc ID 96957.) I also strongly recommend running the Security Configuration Wizard (SCW) after you install Exchange 2007, to harden your Exchange server’s security. Remember to import the Exchange 2007 template into SCW before running the wizard.
Now that you have a handle on the server-role differences, you’re ready to start the actual configuration. This article assumes that you’ve already installed Exchange 2007 on the server.
Configure Hub Transport to Send Email to the Internet
To enable the Hub Transport server role to send messages to the Internet, you’ll need to configure the name-resolution service and the SMTP Send connector. The Hub Transport server role must be able to resolve Internet DNS names based on the recipient’s email address and locate the correct destination SMTP server for message delivery.
To enable Internet message delivery, you’ll have to create the Internet SMTP connector on the Hub Transport server. The Send connector represents a logical gateway through which outbound messages are sent. It controls outbound connections from the internal sending server to the external receiving server or destination email system. By default, no explicit Send connectors are created when the Hub Transport server role is installed.
To create the SMTP connector, open Exchange Management Console (EMC), navigate to Organization Configuration, and open Hub Transport. Then click the Send Connectors tab, and in the Actions pane, click New Send Connector. On the first screen, enter the SMTP connector name (e.g., send to internet), and in the Select the intended use for this connector drop-down list, select Internet. Click Next, and on the Address Space page, click Add. In the Domain field, enter an asterisk (*). By entering this, you’re essentially creating a connector that will send a message to any domain on the Internet. If you want to create a connector for a specific domain, instead of entering *, enter a domain name and the options for that domain.
Click Next, and on the Network page select an option for name resolution, as Figure 1 shows. The default option is to use DNS MX records to route email. This means that your Exchange server will use the destination domain name to query your locally configured DNS for the IP address of the destination mail server. After that, Exchange will look for the MX record in the destination zone to locate the mail server. At this point, you can also enable mutual authentication by Transport Layer Security (TLS), by selecting the Enable Domain Security… option, if you want the mail servers to authenticate to each other before starting communications. However, this option might not work with all the Internet mail servers that your Exchange server communicates with, since not all mail servers support this feature.
The second option for name resolution is to route mail through a smart host server. This means that your Hub Transport server simply forwards every message to the specified smart host server (e.g., your ISP’s mail server), which will handle the entire message-delivery process. This is a suitable option when you don’t want to handle name resolution for messages locally (e.g., you don’t want to allow local DNS servers to access the Internet) and have an external mail server available to serve as your smart host. On this page you can also select the Use the External DNS Lookup settings on the transport server option, which lets you use a separate DNS server (or servers) only for sending messages. (To configure these DNS servers’ addresses, you’ll need to use the Set-TransportServer cmdlet.) Click Next in EMC and add the source server (since we have only one server, this server is selected by default). After the wizard completes, open the properties of the new connector. First, set the Fully Qualified Domain Name (FQDN) for the new connector and the protocol-logging level (None or Verbose), as Figure 2 shows. The FQDN is actually the name that your server will use to present itself to other SMTP servers on the Internet; usually this is your mail server’s public FQDN. Next, open the Network tab. On the Network page, you can select the way your server authenticates to the smart host, if you configured one. If not, you’re done here.
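The same Send connector configuration from the Exchange Management Shell, as an added example that is not part of the original article; the server name EX01, the external DNS addresses and mail.example.com are assumed placeholders to replace with your own values.

```powershell
# Added example, not the article's own steps: Exchange Management Shell equivalent
# of the EMC wizard above for a single Hub Transport server (assumed name EX01).

# 1. Create an Internet Send connector for every domain (*) that routes with
#    DNS MX records from the Hub Transport server itself (the wizard's default).
New-SendConnector -Name "send to internet" `
    -Usage Internet `
    -AddressSpaces "*" `
    -SourceTransportServers "EX01" `
    -DNSRoutingEnabled $true `
    -UseExternalDNSServersEnabled $true
# Smart-host alternative: replace -DNSRoutingEnabled $true with
#   -DNSRoutingEnabled $false -SmartHosts "smtp.isp.example" -SmartHostAuthMechanism None

# 2. Point outbound name resolution at dedicated external DNS servers (assumed
#    placeholder addresses) so the internal AD-integrated DNS never has to
#    resolve Internet names; this is the Set-TransportServer step the article mentions.
Set-TransportServer -Identity "EX01" `
    -ExternalDNSAdapterEnabled $false `
    -ExternalDNSServers 192.0.2.53, 192.0.2.54

# 3. Set the FQDN the server presents to other SMTP servers (your public mail
#    name) and turn on verbose protocol logging, as on the Figure 2 property page.
Set-SendConnector -Identity "send to internet" `
    -Fqdn "mail.example.com" `
    -ProtocolLoggingLevel Verbose

# 4. Check the result before sending a test message to an external recipient.
Get-SendConnector -Identity "send to internet" |
    Format-List Name, AddressSpaces, SourceTransportServers, DNSRoutingEnabled,
                UseExternalDNSServersEnabled, Fqdn, ProtocolLoggingLevel
```

Verbose protocol logging records every outbound SMTP session on this connector, which is the evidence you want when investigating suspected outbound spam from a compromised mailbox.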
Now your Hub Transport server can send messages both internally and to the Internet. At this point, you can try to send a message to someone outside your organization. You should be able to do so; however, you can’t receive messages yet. So, your next step is to configure the Hub Transport server so that it can receive Internet email.