Lesson 2: Setting Up Message Routing Chapter 7 341 Depending on the certicates that already exist in Active Directory, you may need to conrm this command. Figure 7-26 shows the command output. FIGURE 7-26 Creating a certificate with a specified subject name Generating a Certicate Request You can use the New-ExchangeCerticate EMS cmdlet to generate a certicate request and output it to the command-line console. You can send the certicate request to a CA within your organization, a trusted CA outside your organization, or a commercial CA by pasting the certicate request output into an email message or into the appropriate eld on the CA’s certicate request web page. You can also save the certicate request to a text le. The following EMS command generates a certicate request with a subject name c=UK, o=Blue Sky Airlines, cn=mail.blueskyairlines.co.uk, a subject alternate name blueskyairlines. co.uk, and an exportable private key: New-ExchangeCertificate -GenerateRequest -SubjectName "c=UK,o=Blue Sky Airlines,cn=mail .blueskyairlines.co.uk" -DomainName blueskyairlines.co.uk -PrivateKeyExportable $true Figure 7-27 shows this certicate request. FIGURE 7-27 Generating a certificate request 342 Chapter 7 Routing and Transport Rules As Figure 7-27 demonstrates, the certicate request is lengthy and complex, and it is advisable to automate storing this request in a request le. You can store the output of the command to generate a certicate request in a variable and use the Set-Content PowerShell cmdlet to generate a request le. The following two commands create the same certicate request as before and then save it in the le CertRequest01.req in the C:\Requests folder: $Request = New-ExchangeCertificate -GenerateRequest -SubjectName "c=UK,o=Blue Sky Airlines,cn=mail.blueskyairlines.co.uk" -DomainName blueskyairlines.co.uk -PrivateKeyExportable $true Set-Content -Path "C:\Requests\CertRequest01.req" -Value $Request MORE INFO NEW-EXCHANGECERTIFICATE AND GET-EXCHANGECERTIFICATE For more information about the New-ExchangeCerticate EMS cmdlet, see http://technet .microsoft.com/en-us/library/aa998327.aspx. For more information about the Get-ExchangeCerticate EMS cmdlet, see http://technet.microsoft.com/en-us/library/ bb124950.aspx. Lesson Summary n You can use Exchange costs on IP site links to control the route that email trafc takes to a remote Active Directory site without affecting other intersite trafc. n Send connectors send email trafc to specied destinations. You can control the characteristics of this trafc by conguring Send Connector parameters. n Receive connectors listen for incoming trafc from specied sources on a specic IP address and TCP port. You can accept or reject email messages depending on how you congure your Receive connectors. n You can use TLS and MTLS to encrypt and authenticate email trafc. Lesson Review You can use the following questions to test your knowledge of the information in Lesson 2, “Setting Up Message Routing.” The questions are also available on the companion CD if you prefer to review them in electronic form. NOTE ANSWERS Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. 1. You want to designate the Active Directory site MySite as a hub site for the purposes of Exchange message routing. What EMS command do you enter? A. Get-AdSite -Identity MyADSite -HubSiteEnabled $true B. Get-AdSiteLink -Identity MyADSite -HubSiteEnabled $true Lesson 2: Setting Up Message Routing Chapter 7 343 C. Set-AdSite -Identity MySite -HubSiteEnabled $true D. Set-AdSiteLink -Identity MyADSite -HubSiteEnabled $true 2. Email trafc from Active Directory site Site01 destined for Site03 currently passes through Site02. The Active Directory cost of the route from Site01 to Site03 through Site02 is 200. An alternative path exists through Site04, but the Active Directory cost of this route is 300. You want to ensure that email trafc from Site01 to Site03 is routed through Site04 rather than Site02. You do not want to affect other, non-Exchange network trafc. You want to implement this change by conguring the IP site link Site02-Site03. What EMS command do you use? A. Set-AdSiteLink -Identity Site02-Site03 -ExchangeCost 100 B. Set-AdSiteLink -Identity Site02-Site03 -ExchangeCost 400 C. Set-AdSite -Identity Site03 -ExchangeCost 400 D. Set-AdSite -Identity Site02 -ExchangeCost 400 3. You are creating a Send connector to send email to a domain with which you have established MTLS authentication. Which usage type would you specify? A. Custom B. Internal C. Internet D. Partner 4. You want to ensure that the maximum size of any email message sent to the contoso. com domain and all its subdomains is 5 MB. You have already congured a Send connector named ContosoSend that sends email to the *.contoso.com address space. What command recongures this Send connector to enforce this limitation? A. Set-SendConnector –Identity ContosoSend –MaxMessageSize 5MB B. Set-SendConnector –Identity ContosoSend –Usage Custom –MaxMessageSize 5MB C. Set-SendConnector –Identity ContosoSend –AddressSpace contoso.com,mail .contoso.com –MaxMessageSize 5MB D. Set-SendConnector –Identity ContosoSend –IsScopedConnector $true –MaxMessageSize 5MB 5. You want to create a Receive connector named MyRC with the Custom usage type. The connector listens for incoming SMTP connections on the IP address 10.10.123.123 and port 25. It accepts incoming SMTP connections only from the IP range 10.10.8.1 through 10.10.8.127. You want to set the authentication mechanism of the Receive connector to be Integrated Windows authentication. What command do you use to create this connector? A. Set-ReceiveConnector -Name MyRC -Usage Custom -Bindings 10.10.123.123:25 -RemoteIPRanges 10.10.8.1-10.10.8.127 –AuthMechanism Integrated B. Set-ReceiveConnector -Name MyRC -Usage Custom -Bindings 10.10.8.1-10.10.8.127 –RemoteIPRanges 10.10.123.123:25 AuthMechanism Integrated 344 Chapter 7 Routing and Transport Rules C. New-ReceiveConnector -Name MyRC -Usage Custom -Bindings 10.10.123.123:25 -RemoteIPRanges 10.10.8.1-10.10.8.127 –AuthMechanism Integrated D. New-ReceiveConnector -Name MyRC -Usage Custom -Bindings 10.10.8.1- 10.10.8.127 –RemoteIPRanges 10.10.123.123:25 AuthMechanism Integrated PR AC T I C E Conguring a Disclaimer In this practice session, you will use both the EMC and the EMS to add a disclaimer message to email messages sent by all users in your organization. EX E RC IS E 1 Using the EMC to Congure a Disclaimer In this exercise, you will use the EMC to add a disclaimer to all messages sent by all users in your Exchange organization. The disclaimer is appended to both internal and external messages. If, for any reason, the disclaimer cannot be added to a message, this is ignored, and the message is sent without the disclaimer. Carry out the following procedure: 1. Log on to the Hub Transport server VAN-EX1 with the Kim Akers account and start the EMC. 2. Expand Organization Conguration in the Console pane and click Hub Transport. 3. Click New Transport Rule on the Actions pane. This starts the New Transport Rule Wizard. 4. On the Introduction page shown in Figure 7-28, type the name Disclaimer01 and the comment “This adds a disclaimer.” Ensure that the Enable Rule check box is selected. Click Next. FIGURE 7-28 The Introduction page Lesson 2: Setting Up Message Routing Chapter 7 345 5. Because you want the disclaimer to be appended to all email messages from all your users, you should not make any changes on the Conditions page. Click Next. Click Yes to clear the Warning dialog box. 6. On the Actions page in the Step 1. Select Actions eld, select the Append Disclaimer Text And Fallback To Action If Unable To Apply check box. 7. In the Step 2. Edit The Rule Description By Clicking An Underlined Value eld, click Disclaimer Text. 8. In the Specify Disclaimer Text dialog box, type the disclaimer text message “All email sent by the Adatum Corporation has been checked by the latest antivirus software.” Figure 7-29 shows this dialog box. Click OK. FIGURE 7-29 Specifying the text for the disclaimer 9. In the Step 2. Edit The Rule Description By Clicking An Underlined Value eld, click Wrap. 10. In the Select Fallback Action dialog box, shown in Figure 7-30, click Ignore. Click OK. FIGURE 7-30 Specifying the fallback action 11. The Actions page should now look similar to Figure 7-31. Click Next. 12. You want to append the disclaimer to all email messages from all your users. Therefore, you should not make any changes on the Exceptions page. Click Next. 13. Review the Conguration Summary on the Create Rule page shown in Figure 7-32. If you are satised with the conguration of the new rule, click New. 14. On the Completion page, click Finish. 15. Optionally, use OWA to send email internally (for example, from Kim Akers to Don Hall). Check that the disclaimer message is added to all emails. 346 Chapter 7 Routing and Transport Rules FIGURE 7-31 Actions configured on the Actions page FIGURE 7-32 The Create Rule page Lesson 2: Setting Up Message Routing Chapter 7 347 EX E RC IS E 2 Using the EMS to Congure a Disclaimer In this exercise, you will rst delete the transport rule that you created in the previous exercise because it might affect the results of this exercise. You will then use the EMS to create a transport rule that applies the disclaimer “The Adatum Corporation is committed to quality and all of our products bear the appropriate kite mark.” to all messages sent outside the Adatum organization. The transport rule sets the fallback action to Reject. Carry out the following procedure: 1. If necessary, log on to the Hub Transport server VAN-EX1 with the Kim Akers account and start the EMS. 2. Enter the following command: Remove-TransportRule Disclaimer01 3. When prompted, enter Y to conrm this action. 4. Enter the following command: New-TransportRule -Name Disclaimer02 -Enabled $true -SentToScope 'NotInOrganization' -ApplyHtmlDisclaimerText "The Adatum Corporation is committed to quality and all of our products bear the appropriate kite mark." -ApplyHtmlDisclaimerFallbackAction Reject Figure 7-33 shows these commands. FIGURE 7-33 Using the EMS to configure a disclaimer PR AC T I C E Creating Send and Receive Connectors In this practice session, you will use the EMC to create a Send connector and the EMS to create a Receive connector on the Hub Transport server VAN-EX1. EX E RC IS E 1 Using the EMC to Create a Send Connector In this exercise, you will create a Send connector with the Custom usage type that sends email internally within the Adatum Exchange organization. Carry out the following procedure: 1. Log on to the Hub Transport server VAN-EX1 with the Kim Akers account and start the EMC. 2. Expand Organization Conguration in the Console pane and click Hub Transport. 348 Chapter 7 Routing and Transport Rules 3. On the Actions pane, click New Send Connector. This starts the New SMTP Send Connector Wizard. 4. In the Name box, enter AdatumSendConnector. Ensure that the Intended Use For This Send Connector drop-down box is set to Custom and click Next. 5. On the Address Space page, click Add. In the SMTP Address Space dialog box, enter Adatum.com in the Address box and select the Include All Subdomains check box. Ensure the Type is SMTP and Cost is 1. Figure 7-34 shows this dialog box. Click OK. FIGURE 7-34 The SMTP Address Space dialog box 6. The Address Space page should look similar to Figure 7-35. Click Next. FIGURE 7-35 The configured Address Space page 7. On the Network Settings page, select the Use DomainName System (DNS) ”MX” Records To Route Mail Automatically option. Click Next. 8. On the Source Server page, ensure that the server VAN-EX1 is selected and click Next. Lesson 2: Setting Up Message Routing Chapter 7 349 9. Check the settings on the New Connector page. They should be similar to Figure 7-36. Click New. FIGURE 7-36 Settings for the new connector 10. On the Completion page, click Finish. EX E RC IS E 2 Using the EMS to Create a Receive Connector In this exercise, you will use the EMS to create a Receive connector named AdatumReceiveConnector with the Custom usage type. This connector receives internal email from within the Adatum Exchange organization. The Receive connector listens on IP Address 10.10.0.10 and on TCP port 24, which is the TCP port used for private mail. It accepts email messages from any source within the address range 10.10.10.1 through 10.10.10.255. It uses Integrated Windows Authentication as its authentication mechanism. Carry out the following procedure: 1. If necessary, log on to the Hub Transport server VAN-EX1 with the Kim Akers account and start the EMS. 2. Enter the following command: New-ReceiveConnector -Name AdatumReceiveConnector -Usage Custom -Bindings 10.10.10.10:24 -RemoteIPRanges 10.10.10.0/24 –AuthMechanism Integrated Figure 7-37 shows the output of this command. FIGURE 7-37 Creating the AdatumReceiveConnector Receive connector 350 Chapter 7 Routing and Transport Rules Chapter Review To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks: n Review the chapter summary. n Review the list of key terms introduced in this chapter. n Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution. n Complete the suggested practices. n Take a practice test. Chapter Summary n Transport rules and transport protection rules enable you to apply messaging policies that both control and protect email messages. Moderated transport permits a nominated person or group to check and approve messages sent to users and distribution groups. n Exchange costs on IP site links can be used to route intersite email trafc. Send connectors send email trafc both within your organization and to other organizations. Receive connectors enable your Transport servers to receive trafc from specied sources over specied TCP ports. n You can congure parameters on Send and Receive connectors to control the trafc your users send and receive. TLS and MTLS can encrypt and authenticate sensitive trafc. Key Terms Do you know what these key terms mean? n Edge rules agent n Information Rights Management (IRM) n Messaging policy n Moderated email n Mutual Transport Layer Security (MTLS) n Outlook protection rule n Receive connectors n Regular expression n Rights Management Services (RMS) n RMS prelicensing agent n Send connectors [...]... name? A New-AddressRewriteEntry B New-AcceptedDomain C New-EmailAddressPolicy D New-AddressList 5 Which of the following EMS cmdlets would you use to configure transport dumpster settings on your organization’s Hub Transport servers? B Set-TransportAgent C Set-TransportConfig A Set-TransportServer D Set-SendConnector Lesson 1: Hub Transport Servers Chapter 8 367 Lesson 2: Edge Transport Servers... script on VAN-EX-B C Run the ImportEdgeConfig.ps1 script on VAN-EX-A 3 74 A Run the ExportEdgeConfig.ps1 script on VAN-EX-A D Run the ExportEdgeConfig.ps1 script on VAN-EX-B Chapter 8 Configuring Transport Servers 4 You are about to perform the EdgeSync process between an Edge Transport server named VAN-ET and a Hub Transport server named VAN-HT Which of the following commands would you run as a part... accomplish this goal? B New-ForeignConnector C New-SendConnector 3 66 A New-RemoteDomain D New-AcceptedDomain Chapter 8 Configuring Transport Servers 3 You are configuring Exchange to accept incoming email for the domain Fabrikam com Messages to addresses in Fabrikam.com are delivered to mailboxes hosted on your ­ rganization’s Exchange Server 2010 mailbox servers Which of the following o should you configure... n Remove-SendConnector n New-AcceptedDomain n Set-AcceptedDomain n Remove-AcceptedDomain n New-MessageClassification n Set-MessageClassification n Remove-MessageClassification n New-RemoteDomain n Set-RemoteDomain n Remove-RemoteDomain If you want to create an additional send connector after you have configured an edge transport solution, you need to create it within the Exchange organization The new... following: n Installed servers VAN-DC, VAN-EX1, and VAN-EX2 as described in the Appendix n Prepare an additional server running Windows Server 2008 R2 Enterprise ­ dition e u ­ sing the default configuration Ensure that you configure this server with two s ­ eparate network adapters Do not join this computer to a domain Set the A ­ dministrator account password to Pa$$w0rd Chapter 8 355 REAL WORLD Orin... will learn more about high availability in Chapter 13, Exchange High-Availability Solutions.” Lesson 1: Hub Transport Servers Chapter 8 357 MORE INFO  HUB TRANSPORT SERVERS For a more detailed overview of Hub Transport servers, consult the following link on T ­ echNet: http://technet .microsoft. com/en-us/library/bb123494.aspx Accepted Domains An Exchange organization can accept messages for a particular... Introduction Take a Practice Test Chapter 7 353 CHAPTER 8 Configuring Transport Servers T ransport servers are responsible for routing messages in an Exchange 2010 organization There are two different types of transport server Hub Transport servers route ­ essages m within the organization, moving messages from site to site and delivering messages to mailboxes Edge Transport servers route messages sent to and... Which of the following commands would you run as a part of that process? (Choose 2; each answer forms part of the solution.) A Start-EdgeSynchronization on VAN-HT B Start-EdgeSynchronization on VAN-ET C New-EdgeSubscription on VAN-HT D New-EdgeSubscription on VAN-ET 5 Your organization uses a multitude of different internal email addresses based on which business unit a user is located in You want... ransport server T Lesson 2: Edge Transport Servers Chapter 8 369 When configuring the firewall between the screened subnet and the internal network, you will need to open port 25 between the Hub Transport and Edge Transport servers to allow for the transmission of messages To allow the EdgeSync process to function, you need to open TCP port 50 636 between the Edge Transport server and the Hub Transport servers... Transport server resides You have opened port 25 between the Edge Transport server and the Hub Transport servers on your internal network Which other ports should you open to  support the EdgeSync synchronization process? A TCP port 443 B TCP port 110 C TCP port 50 636 D TCP port 80 3 Your organization’s Edge Transport server, VAN-EX-A, recently failed While the server was unavailable, users were unable . Site02-Site03 -ExchangeCost 100 B. Set-AdSiteLink -Identity Site02-Site03 -ExchangeCost 400 C. Set-AdSite -Identity Site03 -ExchangeCost 400 D. Set-AdSite -Identity Site02 -ExchangeCost 400 3. You are. Set-ReceiveConnector -Name MyRC -Usage Custom -Bindings 10.10.123.123: 25 -RemoteIPRanges 10.10.8. 1-1 0.10.8.127 –AuthMechanism Integrated B. Set-ReceiveConnector -Name MyRC -Usage Custom -Bindings. $true Set-Content -Path "C:RequestsCertRequest01.req" -Value $Request MORE INFO NEW-EXCHANGECERTIFICATE AND GET-EXCHANGECERTIFICATE For more information about the New-ExchangeCerticate