312 Chapter 5 • Managing the Client Access Server Frequently Asked Questions Q: Can the CAS be used to proxy requests to Exchange 2000 or 2003 back-end servers? A: Yes, the CAS is capable of proxying requests to both Exchange 2000 and 2003 back-end servers. Q: If I deploy a CAS in my legacy Exchange organization, will I get the OWA 2007 UI when logging on to OWA? A: No. As is also the case with previous versions of Exchange, you will always get the UI of the back-end server. So, in this case you’ll get the OWA 2003 UI. Q: How can I confi gure the /owa virtual directory using the Exchange Management Shell? A: You can use the Set-OwaVirtualDirectory cmdlet to confi gure OWA-related settings via the Exchange Management Shell. For example, in order to enable forms-based authentication for the /owa virtual directory, you would need to run the following command: Set-OwaVirtualDirectory -Identity “owa (default Web site)” -FormsAuthentication:$true. For more information about available parameters, type Get-Help Set-OwaVirtualDirectory in the Exchange Management Shell. Q: I’ve noticed an SSL certifi cate is installed on the Default Web Site, by default. Would you recommend I replace it? A: Yes, if you plan on using all of the Mobile Exchange 2007 features, OWA, ActiveSync, and Outlook Anywhere since they require the subject alternative name in the SSL cert to match what is confi gured on the client for accessibility from the Internet. Q: Can I assign an Exchange 2007 ActiveSync Mailbox Policy to a legacy (Exchange 2000 or 2003) Exchange mailbox? A: No. You can only assign Exchange 2007 ActiveSync Mailbox policies to mailboxes stored on Exchange 2007 Mailbox Servers. Q: Does CAS support clustering? A: No, only Exchange 2007 Mailbox servers can be clustered (using Single Copy Cluster or Cluster Continuous Replication), but you can use NLB to load balance CAS roles—either using Windows NLB or some sort of hardware solution. Q: Where does the UI rendering for OWA 2007 take place? A: Unlike OWA 2003, which did all the UI rendering on the back-end server, OWA 2007 now does all the UI rendering on the CAS and thereby signifi cantly reduces the load on the Mailbox server. Managing the Client Access Server • Chapter 5 313 Q: I can’t seem to fi nd the place where you manage the POP3 and IMAP4 services in the Exchange Management Console? A: That is because there is no UI for these services. You must confi gure these two services using the Exchange Management Shell since the Exchange Product group didn’t add management tasks for the services to the EMC. Expect these services to be added to the UI in Exchange 2007 Service Pack 1. This page intentionally left blank 315 Chapter 6 Solutions in this chapter: ■ Message Transport and Routing Architecture in Exchange 2007 ■ Managing the Hub Transport Server ■ Managing Message Size and Recipient Limits ■ Message Tracking with Exchange Server 2007 ■ Using the Exchange 2007 Queue Viewer ■ Introduction to the Exchange Mail Flow Troubleshooter Tool ■ Confi guring the Hub Transport Server as an Internet-facing Transport Server ˛ Summary ˛ Solutions Fast Track ˛ Frequently Asked Questions Managing the Hub Transport Server Role 316 Chapter 6 • Managing the Hub Transport Server Role Introduction The Exchange 2007 Hub Transport server role should be installed on a domain-member server, and should always be deployed on your internal network, not in the perimeter network as some might. The Hub Transport server replaces the bridgehead server we know from Exchange 2000 and 2003, and therefore takes care of all the internal mail fl ow in the organization. All internal messages will pass through the Hub Transport server, even if the sender and recipient mailbox are located in the same AD site—heck, even if they’re on the same Mailbox server! In addition to being responsible for all mail fl ow inside the organization, the Hub Transport server has a set of transport agents that lets us confi gure rules and settings that can then be applied as messages pass through the server. The Hub Transport server also allows us to create messaging policies and rule settings that match the specifi c regulations and compliance requirements in the organization. Since the Hub Transport server typically sends and receives Internet messages through an Edge Transport server in the perimeter network, it doesn’t have any anti-spam agents installed, and doesn’t allow inbound messages from unauthenticated (untrusted) e-mail servers on the Internet—at least not in its default state. Since not all organizations can, nor will, deploy an Edge Transport server in their perimeter network, I’ll show you how you can confi gure the Hub Transport server to be the Internet-facing transport server in your organization. Message Transport and Routing Architecture in Exchange 2007 A lot has changed in regards to transport and routing architecture in Exchange Server 2007. First, Exchange no longer uses the SMTP protocol stack included with Internet Information Services (IIS), as was the case with previous versions of the product. Instead, the Exchange Product group has rewritten the SMTP transport stack in managed code, resulting in a much more stable and secure protocol stack. For example, the new transport stack runs as the Network Service account and uses several new mechanisms that reduce the risks associated with Denial-of-Service attacks and other security issues. The new SMTP transport stack is now known as the Microsoft Exchange Transport service (MSExchangeTransport.exe), and because it’s no longer dependent on IIS, it is not located within the IIS Manager anymore. As a matter of fact, you don’t even install IIS on the Hub Transport server unless it’s combined with the Mailbox or Client Access server role on the same hardware. You no longer need to set up routing group connectors between routing groups in the Exchange organization when you design your Exchange topology, as there is no such functionality built into the Exchange 2007 product. “Why has this fl exible way of routing messages throughout an Exchange organization been removed?” I hear some of you grumble. Well, routing groups actually have several drawbacks, including long stretches of time where two servers disagree about a connection state, possibly causing routing loops. Another drawback is that when tracking a message, it can be quite confusing when trying to determine why a message took a given route at a given point in time, because the link state table for the Exchange topology was never persistent or logged. Lastly, the routing groups and routing group connector concept forced Exchange administrators to re-create and mimic the underlying network, which can be quite a time-consuming and even redundant task. . Lastly, the routing groups and routing group connector concept forced Exchange administrators to re-create and mimic the underlying network, which can be quite a time-consuming and even redundant task. . 6 Solutions in this chapter: ■ Message Transport and Routing Architecture in Exchange 2007 ■ Managing the Hub Transport Server ■ Managing Message Size and Recipient Limits ■ Message Tracking with. server, and should always be deployed on your internal network, not in the perimeter network as some might. The Hub Transport server replaces the bridgehead server we know from Exchange 2000 and