Managing the Edge Transport Server • Chapter 7 467

domain, not from a third-party vendor. Another purpose of the address rewrite agent could be to enable routing of inbound e-mail messages from outside the Exchange 2007 organization to the internal recipients.

The address rewrite agent rewrites e-mail addresses by rewriting the SMTP headers in the e-mail messages that flow in and out of the Edge Transport server. You can enable address rewriting on both inbound and outbound messages. The typical reason to enable address rewriting on outbound messages is that you have multiple internal domains (for example, one root domain with multiple subdomains). With the address rewrite agent, you can then rewrite the SMTP header so that all outbound messages appear to come from the same domain instead of from domain.com, subdomain1.domain.com, subdomain2.domain.com, and so on. A reason to enable address rewriting on inbound messages is that inbound e-mail messages need to be routed to the intended recipients.

To create a new address rewriting entry on an Edge Transport server, you first need to make sure that the address rewriting inbound agent and/or the address rewriting outbound agent is enabled. This should be the case on a newly installed Edge Transport server, but it's always a good idea to verify it. You can see whether these agents are enabled or disabled by opening the EMS and typing Get-TransportAgent (see Figure 7.67).

Figure 7.67 Checking Whether the Address Rewriting Agent Is Enabled

If the respective agent(s) are set to True, the agent(s) are enabled. If the required agent is disabled (set to False), you need to enable it by typing Enable-TransportAgent -Identity "Address Rewriting Inbound Agent" and/or Enable-TransportAgent -Identity "Address Rewriting Outbound Agent", depending on which agent you'll configure.
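As an added example (not from the book), the following Exchange Management Shell script performs the whole procedure from this section in one pass: it checks both address rewriting agents with Get-TransportAgent, enables any that are disabled, creates the single-address and single-domain entries that this section uses as its examples, and then lists the resulting entries with Get-AddressRewriteEntry so you can confirm the configuration before routing production mail through it. It assumes it is run on the Edge Transport server itself and that the Microsoft Exchange Transport service (MSExchangeTransport) is restarted afterwards, which is required for agent changes to take effect.

```powershell
# Added example (not from the book): verify, enable and configure address rewriting
# on an Exchange 2007 Edge Transport server from the Exchange Management Shell.
# Entry names and addresses are the ones used in this chapter.

$agents = "Address Rewriting Inbound Agent", "Address Rewriting Outbound Agent"

# Step 1: make sure both agents are enabled. Get-TransportAgent returns one object
# per installed agent with an Identity (the agent name) and an Enabled property.
foreach ($name in $agents) {
    $agent = Get-TransportAgent | Where-Object { $_.Identity -eq $name }
    if ($agent -eq $null) {
        Write-Warning "$name is not installed on this server"
    } elseif (-not $agent.Enabled) {
        Write-Host "Enabling $name"
        Enable-TransportAgent -Identity $name
    } else {
        Write-Host "$name is already enabled"
    }
}

# Step 2: rewrite a single SMTP address so that henrik@exchangedogfood.dk appears
# on the Internet as henrik@exchange-faq.dk (inbound mail is mapped back).
New-AddressRewriteEntry -Name "Address rewrite entry for henrik@exchangedogfood.dk" `
    -InternalAddress henrik@exchangedogfood.dk `
    -ExternalAddress henrik@exchange-faq.dk

# Step 3: rewrite an entire SMTP domain the same way.
New-AddressRewriteEntry -Name "Address rewrite entry for Exchangedogfood.dk" `
    -InternalAddress exchangedogfood.dk `
    -ExternalAddress exchange-faq.dk

# Step 4: review what is now configured; every entry here changes the sender
# addresses the outside world sees, so confirm there are no unintended ones.
Get-AddressRewriteEntry | Format-Table Name, InternalAddress, ExternalAddress -AutoSize

# Agent enable/disable changes take effect after the transport service restarts.
Restart-Service MSExchangeTransport
```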
For the purpose of this book, we'll only rewrite the headers for a single SMTP address and then a single SMTP domain, but this should give you an idea of how the address rewrite agent works. To create a new address rewriting entry for a single SMTP address, you need to use the New-AddressRewriteEntry cmdlet. For example, say that you want to rewrite the SMTP address henrik@exchangedogfood.dk to henrik@exchange-faq.dk. To do so, you would create an AddressRewriteEntry using the following command, followed by pressing Enter:

New-AddressRewriteEntry -Name "Address rewrite entry for henrik@exchangedogfood.dk" -InternalAddress henrik@exchangedogfood.dk -ExternalAddress henrik@exchange-faq.dk

If you wanted to create a new address rewriting entry for a single SMTP domain, you would use the following command, followed by pressing Enter:

New-AddressRewriteEntry -Name "Address rewrite entry for Exchangedogfood.dk" -InternalAddress exchangedogfood.dk -ExternalAddress exchange-faq.dk

To read additional information about the address rewrite agent, consult the Exchange Server 2007 Help file.

Monitoring the Edge Transport Server

As is also the case with any of the other Exchange 2007 server roles, you should make sure that you're always up to date with best practices relating to the Edge Transport server. We recommend that you run the Exchange Best Practices Analyzer tool on the box on a regular basis. In addition, you should monitor the server using Microsoft Operations Manager (MOM) 2005 or a similar product so that you can react proactively to any events or alerts generated by the Edge Transport server. MOM 2005 has its own Exchange Server 2007 Management Pack, which makes it possible to monitor activity such as messages per SCL level, total messages sent to quarantine, and rejected and/or deleted messages.
You can also generate MOM reports showing you things such as hit rate for block lists, top spam-sending domain, top spam-sending IP address, and top targeted domain or individual recipient. All reports can, of course, be seen on a per-server basis.

Summary

In this chapter we focused on the Edge Transport server role included in the Exchange Server 2007 product. We went over the requirements of the server role as well as step-by-step instructions on how to deploy one or more Edge Transport server(s) in your perimeter network (DMZ or screened subnet). We then had a look at the available antispam filtering agents as well as how they are configured. Then we discussed how to properly secure an Edge Transport server using the Security Configuration Wizard (SCW). Lastly, we had a look at the transport rules agent as well as the address rewriting feature, and we briefly discussed how you can and why you should monitor an Edge Transport server using a monitoring solution such as Microsoft Operations Manager (MOM) 2005.

Solutions Fast Track

Deploying the Edge Transport Server Role

- Remember that the Edge Transport server role should be isolated in the perimeter network (also called a DMZ or screened subnet), away from your Active Directory. The server role should therefore be installed in a workgroup on a standalone server.

- It's highly recommended that you install two network adapters in the server on which you're planning to install the Edge Transport server. One network adapter should be Internet facing; the other should be intranet facing. This way you can secure the Send and Receive connectors much more efficiently than would be the case with only a single network adapter.
- If your organization consists of multiple forests and you want to use the EdgeSync service in each of them, you must replicate all recipient addresses to one forest and then set up an edge subscription to that forest, because the EdgeSync service supports replication with only one forest at a time.

Enabling Name Resolution Lookups between the Edge Transport and Hub Transport Servers

- Bear in mind that to use several of the antispam features, you must use an edge subscription. This way, configuration as well as recipient data are replicated from Active Directory to the ADAM store using the EdgeSync service. It is possible not to use an EdgeSync subscription, but you will then not be able to use several of the antispam features on the Edge Transport server. In addition, you need to create all Send and Receive connectors manually.

- If you're a small shop and cannot afford to have an additional Exchange 2007 server with the Edge Transport server role deployed in your DMZ, but you still want to take advantage of the antispam filtering agents to filter out spam in your organization, you're in luck, because you have the option of installing the antispam filtering agents on an Exchange 2007 server with the Hub Transport server role installed. To do so you need to run the install-AntiSpamAgents.ps1 script located in the Exchange scripts folder (by default, located under C:\Program Files\Microsoft\Exchange Server) on the Hub Transport server.

- Since Microsoft played an important role in the invention of the Sender ID e-mail authentication technology, it's not surprising that Sender ID is supported in Exchange 2007, but some are wondering whether the DomainKeys e-mail authentication technology (which was invented by Yahoo and Cisco) is supported in Exchange 2007. Unfortunately, the answer is no, but who knows—maybe they will implement DomainKeys support in a future service pack.
Installing the ADAM Component

- When you deploy an Edge Transport server in your perimeter network (DMZ or screened subnet), it's very important that you secure it properly. The best way to lock it down is to use the Security Configuration Wizard (SCW).

- One of the great things about using a one-way replication method from Active Directory to the Edge Transport server is that you only need to open one single inbound port in your intranet firewall, which is port 25 (SMTP). The respective LDAP port only needs to be allowed outbound.

Verifying That the EdgeSync Service Works as Expected

- An important step in deploying an Edge Transport server in your DMZ is to change your MX records so that they point at the new Edge Transport server. If you don't host your own public DNS server, this is typically done on the public DNS server at your ISP. If, for example, you're using an ISA server to forward SMTP traffic to a server in your DMZ, you simply need to change the respective rule so that it points to your Edge Transport server instead.

- You can see information about your MX records by using NSLookup, as shown in this chapter, but there are also several nice Web-based tools that can help you retrieve your MX records (and many other such things). Some of the best are dnsstuff.com and checkdns.net.

Manually Configuring the Required Connectors

- Unlike the other Exchange 2007 server roles, the Edge Transport server role uses Active Directory Application Mode (ADAM) to store configuration data. For this reason, you cannot recover an Edge Transport server using the setup /m:recoverserver switch as is the case with the other server roles in your organization. However, you can back up an Edge Transport server using the ExportEdgeConfig.ps1 script contained in the Exchange scripts folder, which by default is located under C:\Program Files\Microsoft\Exchange Server.
To recover or clone an Edge Transport server, you can use the ImportEdgeConfig.ps1 script contained in the same folder.

- When you have multiple Edge Transport servers deployed in the perimeter network, you can load-balance network traffic among the servers using the Domain Name System (DNS) round robin mechanism.

Pointing Your MX Records to the Edge Transport Server

- Part of the new E-mail Policy and Compliance feature set in Exchange Server 2007 is the Edge Transport Rules agent, which is used to establish and enforce regulatory or corporate policies on e-mail messages sent to or received from the Internet. Just as with the Hub Transport server, the transport rules agent on the Edge Transport server is capable of applying transport rules to messages flowing into and out of the organization, but although the Transport Rules agent looks very similar for both server roles, don't let it fool you. Although both server roles have a transport rules agent, several of the actions that are available for each server role are different.

- Unlike the Hub Transport server, the Edge Transport server only allows you to specify an array of SMTP addresses. This is because the Edge Transport server doesn't have access to Active Directory, as does the Hub Transport server, on which you can specify an array of Active Directory mailboxes, contacts, mail-enabled users, and distribution group objects.

The Address Rewrite Agent

- If your organization consists of multiple domains (for example, after a merger or acquisition), you can use the address rewrite agent to provide a single consistent SMTP domain to the Internet.

- Address rewriting can also be used to allow third-party vendors to provide support or other e-mail-based services using your SMTP domain. Because your customers and partners expect e-mail to come from your organization, this makes sense.
Deploying Multiple Edge Transport Servers in the Organization

- If you use Microsoft Operations Manager (MOM) 2005 as the monitoring solution in your organization, you should install the Exchange 2007 MOM Management Pack and configure it to monitor the Edge Transport server(s) in your DMZ too. The Exchange 2007 MOM Management Pack can monitor your Edge Transport servers proactively as well as provide a wealth of reporting options, such as monitoring activity related to messages per SCL level, total messages sent to quarantine, and rejected and/or deleted messages. You can also generate MOM reports showing you things such as hit rate for block lists, top spam-sending domain, top spam-sending IP address, and top targeted domain or individual recipient. All reports can, of course, be seen on a per-server basis.