Professional Documents
Culture Documents
The Exchange Product group developed the Edge Transport Server to give Enterprise
organizations powerful out-of-the-box protection against spam without needing to invest in a 3rd
party anti-spam solution. The messaging hygiene features in the Edge Transport server role are
agent-based and consist of multiple filters which are frequently updated. Although the primary
role of the Edge Transport server is to route mail and do message hygiene, it also includes
features that will let you do other things such as rewrite SMTP addresses, configure transport
rules, enable journaling and associated disclaimers, etc.
It is important to understand that by default the Edge Transport server only filters out spam
messages and other unwanted mail using the built in agents. This means that this Exchange 2007
Server role does not perform any filtering when it comes to mail-borne viruses. To filter virus
infected messages using the Edge Transport server, you must install Forefront Security for
Exchange or a 3rd party product on the server.
Deployment Considerations
The Edge Transport Server role in Exchange Server 2007 is designed to be installed in your
organization’s perimeter network (aka DMZ or screened subnet). The Edge Transport Server is
the only Exchange 2007 server role that should not be part of your corporate Active Directory on
your internal network; it should instead be installed on a stand-alone server in a workgroup or as
a domain member in an Active Directory dedicated to servers located in the perimeter network as
shown in Figure 1.
Although the Edge Transport server role has been designed to provide improved anti-spam and
antivirus protection for an Exchange 2007 organization, you can deploy this server role in an
existing Exchange 2003 organization as well. Since you install the Edge Transport server role on
a stand-alone machine in the perimeter network (aka DMZ or screened subnet), this is even a
relatively simple task. But even though you would be able to use the Edge Transport server role
as a smart host or an SMTP relay server in an Exchange 2003 organization, you will not be able
to replicate configuration and recipient data from Active Directory to ADAM using EdgeSync as
this requires an Exchange 2007 Hub Transport server on the internal network. However, this
doesn’t hinder you from using the filtering agent that doesn’t rely on the EdgeSync service. If
you only use the Intelligent Message Filter (IMF) in your Exchange 2003 organization,
deploying an Edge Transport server in the perimeter network (aka DMZ or screened subnet)
would make sense, since it would provide an additional layer of anti-spam protection. And as
mentioned previously, you could also install Forefront Security for Exchange Server on the Edge
Transport server in order to filter out virus infected messages.
Like is the case with the Exchange 2007 Hub Transport server, the Edge Transport server has its
own Jet Database to process the delivery of inbound as well as outbound E-mail messages. When
inbound E-mail messages are stored in the Jet database and are ready for delivery, the Edge
Transport server lookups the respective recipient(s) in the ADAM store that as mentioned,
among other things contains recipient data replicated from the Active Directory using the
EdgeSync service.
In a scenario where you have deployed multiple Edge Transport servers in your organization, the
Edge Transport servers uses DNS round robin (which is supported by most DNS servers today)
to network and load-balance network traffic between the servers. I leave the details on how to
deploy multiple Edge Transport servers using load balancing and a high availability approach for
another article.
Introduction
In the first part of this article series, we took a look at Microsoft’s vision with the Edge Transport
server role as well as talked about why you might want to consider deploying it in your
organization. In this part we will go through the steps necessary in order to deploy a single basic
Edge Transport server in an Exchange 2007 based messaging infrastructure.
Prerequisites
In order to follow along with the deployment steps in this article, you need to have the following
ready in your lab environment:
• An Exchange 2007 SP1 organization where you have deployed at least one Hub
Transport server
• Have a Windows Server 2003 SP1 or Windows Server 2008 Standard edition ready (the
server on which we will install the Edge Transport server role)
In order to generate the Edge Subscription file, we need use the New-EdgeSubscription CMDlet
(no GUI exists for this step!). To do so open the Exchange Management Shell (EMS) on the
Edge Transport server itself, then type:
New-EdgeSubscription –file “C:\EdgeSubscriptionFile.xml” (or whatever you want to name the
file as the name of the file doesn’t have any impact on anything), then hit Enter as shown in
Figure 1.
Importing the Edge Subscription file will establish an authenticated communication channel as
well as complete the Edge Subscription process by beginning an initial replication. The Send
connector which is used when messages are sent to the Internet via the Edge Transport server is
created by default. In addition the EdgeSync service will replicate Send Connector configuration,
Accepted Domains, Remote Domains, Safe Sender lists as well as Recipient data (SMTP address
including Contacts, Distribution Lists and proxy addresses) from Active Directory to the ADAM
store.
We will now be taken to the New Edge Subscription Wizard, where we have to specify the
Active Directory site in which the Edge Transport server will become a member. If you only
have one site select Default-First-Site-Name. If your Exchange organization is deployed across
multiple sites, click the drop-down list and choose the respective site.
If your Active Directory topology consists of multiple Active Directory sites, it is recommend
you import the Edge Subscription file on a Hub Transport server that is located in the site which
got the best network connectivity to the perimeter network in which the Edge Transport server is
deployed.
Now specify the location of the Edge Subscription file by clicking Browse, and then click New
(Figure 4).
Anti-spam feature E2K3 RTM E2K3 SP1 E2K3 SP2 E2K7 RTM/SP1
IP Allow and Deny List Yes Yes
Note:
In addition to the anti-spam features listed in the table above, the Edge Transport server has full
support for antivirus scanning products such as Forefront Security for Exchange server and the
most popular 3rd party products.
The anti-spam features on the Edge Transport server are known as filtering agents, you can see a
list of these agents in Figure 1.
Figure 1: Filtering Agents on the Edge Transport Server
Although we specifically cover the Edge Transport Server role in this articles series, you can
actually install them on a Hub Transport Server as well. Yes that is right! It is done by opening
the Exchange Management Shell, then type: CD C:\Program Files\Microsoft\Exchange
Server\Scripts. Now type .\Install-AntispamAgents.ps1. When the script has finished, you can
control the anti-spam agent settings under Organization Configuration | Hub Transport |
Anti-spam tab in the Exchange Management Console, as shown in Figure 2.
Figure 2: Installing the Filtering Agents on the Hub Transport Server
When an SMTP session is established between an external SMTP server and the Edge Transport
server, the filters listed in Figure 1 are applied in a specific order. In the next section, I’ll show
you in which order the different filters are applied.
The Connection Filtering Agent
When an SMTP session is established to the Edge Transport Server the first filter applied is the
Connection Filter. The Connection Filtering agent will first check whether the IP address of the
external SMTP server is listed on the IP Allow List, which is shown in Figure 3.
Note:
You can both specify individual IP addresses as well as a range of IP addresses under the
Allowed Addresses tab on the IP Allow List property page (see Figure 3).
Figure 3: IP Allow List
If the IP address is listed here the SMTP server will be allowed to connect and transmit E-mail
messages to the Exchange 2007 organization, but the E-mail message(s) will be sent to the
Sender Filtering agent for further processing.
If the IP address of the SMTP server is not listed on the IP Allow List, the Connection Filtering
agent will check whether the server is listed on the IP Block list shown in Figure 4.
Figure 4: IP Block List
If the IP address of the SMTP server is listed on the IP Block List, connections from the server
will be refused.
Note:
A neat little improvement to the IP Address Block list is that you now can set an expiration date
and time for an individual IP address or a range of IP addresses, this was not possible back in
Exchange Server 2003 SP2. If the IP address of the SMTP server is not listed on either the IP
Allow list or the IP Block list, the Connection Filtering agent will check whether the IP address
is allowed by any IP Allow List provider you may have specified (see Figure 5).
Figure 5: IP Allow List Providers
An IP Allow List provider is a provider which maintains a list of sender domains/IP addresses
that you can rely on sends legitimate E-mail messages and not spam. You can specify multiple IP
Allow List providers and even specify how the miscellaneous provider features should interpret
the returned status.
If the SMTP server is not listed on any of the lists above, the Connection Filtering agent will do
one last check, before it allows the SMTP connection. It will check whether the server is listed
on any real-time blocklists (RBLs), you may have specified under the Providers tab on the IP
Block List providers property page (see Figure 6).
Figure 6: Adding an IP Block List Provider
For those who should not know, an RBL is an Internet-based service, which tracks systems (and
then adds that system’s IP address to a public list) that are known to or suspected of sending out
spam. You can read more about what RBLs are as well as how they work at Wikipedia –
DNSBL. In addition you can find a list of RBLs here.
In addition to specifying IP Block List providers, you can also enter a custom error messages that
should be returned to the blocked SMTP server. Last but not least there is an Exceptions tab
under which you can specify IP addresses to which E-mail messages should not be blocked
regardless of the feedback from the RBL.
The Sender Filtering Agent
When the connection filtering agent has processed the SMTP connection the next filtering agent
involved is Sender Filtering which will check the E-mail address of the sender against the list of
Email addresses or domains, you may have specified under the Sender Filtering property page
(see Figure 7).
Figure 10: Edge Transport Server with Recipient Filtering Agent Enabled
The SMTP Tarpitting feature was originally introduced back in Exchange Server 2003, in
Exchange 2003 the administrator had the option of specifying a tarpit value in which he could
define the number of seconds to delay a response to the RCPT TO command during an SMTP
session. The problem in Exchange 2003 was that this value was fixed, which enabled the
spammers to detect this behavior so they could work around it. A common practice was in fact to
have the spam application establish a new SMTP session, if it detected it was being tarpitted. To
solve this problem the Edge Transport server uses a random number of seconds, making
predictions much harder. Event if the spam application reconnects it won’t be in better shape as
the Edge Transport server will know it’s the same sending server, so it will retain the tarpit state.
The Sender ID Filtering Agent
ad ve rt is em en t
When an E-mail message has been processed by the Recipient Filtering agent and still has not
been rejected, it will be handed over to the Sender ID Filtering agent.
For those who do not know, the Sender ID is an e-mail industry initiative invented by Microsoft
and a few other industry leaders. The purpose of Sender ID is to help counter spoofing (at least
to make it more difficult to spoof messages), which is the number one deceptive practice used by
spammers. Sender ID works by verifying every e-mail message indeed originates from the
Internet domain from which it was sent. This is accomplished by checking the address of the
server sending the mail against a registered list of servers that the domain owner has authorized
to send e-mail.
If you do not have any experience with Sender ID, it can be a bit difficult to understand, so let
me try to explain how it works.
An organization can publish a Sender Policy Framework (SPF) record on the public DNS
server(s) hosting their domain. The published SPF record contains a list of the IP addresses that
should be/are allowed to send out messages for a particular domain. If a particular organization
has published a SPF record, and someone at that organization sends a message to a recipient
behind an Edge Transport server in another organization, the Edge Transport server will examine
the SPF record in order to see whether the SMTP server that sends the message is listed here.
You can add additional File Extensions or File Names to this list using the Add-
AttachmentFilterEntry CMDlet, if you wanted to filter out zip files, you would need to run the
following command: Add-AttachmentFilterEntry -Name *.zip -Type FileName. If you want
to filter out messages with a specific MIME type such GIF files, you would need to type: Add-
AttachmentFilterEntry -Name image/gif -Type ContentType. If you want to filter out
messages that contain an attachment with a specific file name, let’s for example say a file name
called dangerous_file, you should type: Add-AttachmentFilterEntry -Name dangerous_file
-Type FileName.
If you later on want to remove an attachment filter entry, you do so using the Remove-
AttachmentFilterEntry CMDlet. If you for example wanted to remove the zip attachment filter
entry, you would need to type: Remove-AttachmentFilterEntry –Identity filename: *.zip.
That is pretty simple right?
In order to be able to use more advanced features such as scanning files in a ZIP file, you would
need to install Forefront Security for Exchange Server (which we will talk a bit about later in this
chapter) or a supported 3rd party product.
As mentioned you can either choose to block a whole message including the attachment (will
return a delivery status notification to the sender), strip the attachment but allow message
through (will replace the attachment with a text file explaining why the attachment was stripped)
or silently delete both the message as well as the attachment (will delete both without notifying
the sender).
You can also configure a custom response message that will be included in the delivery status
notification, which is returned to the sender when a message and an attached file are blocked.
This is done using the Set-AttachmentFilterListConfig CMDlet. An example could be: Set-
AttachmentFilterListConfig –Action Reject -RejectResponse "This message has been
rejected since the attached file type isn’t allowed in this organization”.
Note:
All attachment filter entries on an Edge Transport server uses the same attachment filtering
behavior, that means same custom response message as well as action (Reject, Strip or
SilentDelete).
If you only want to strip the attachment but allow the message through, you would need to type:
AttachmentFilterConfigList –Action Strip. If you want to include a custom admin message in
the text file that replaces the stripped attachments, you would need to type:
AttachmentFilterConfigList –Action Strip –AdminMessage “The attachment in this
message has been filtered as it’s not allowed in this organization. Finally in order to silently
delete both the message and attachment use: AttachmentFilterConfigList –Action
SilentDelete.
The last thing I wanted to mention concerning the Attachment Filtering agent is that you can
exclude a list of connectors from attachment filtering, which means that attachment filtering isn’t
applied to messages flowing through the specified connectors. You can exclude one or more
connectors using Set-AttachmentFilterListConfig –Action Reject –ExceptionConnectors
<Connector_GUID>. To get the GUID for a receive connector type: Get-ReceiveConnector |
FL.
If you want to see a list of the current settings for AttachmentFilterListConfig, type Get-
AttachmentFilterListConfig and hit Enter (see Figure 6).
In part 4 and 5, we went through the antispam agents included with the Edge Transport server
role. I explained in which order the agents trigger on an inbound message as well as provided
miscellaneous tips and tricks in regards to the configuration of the agents and this Exchange
2007 server role in general. Next time, I will give you an insight into how you can deploy a load
balanced Edge Transport server setup in your perimeter network. Until then, take care.
Introduction
In most Enterprises around the world, e-mail is the most mission critical application. Thousands,
and in some cases even millions, of messages are sent and received by users within large
enterprises on a daily basis. In addition, internal line of business applications and so on, are
dependent on being able to successfully relay messages through the Exchange 2007 Hub
Transport servers deployed within the enterprise. This would mean that you must deploy a solid
and responsive Exchange 2007 transport infrastructure, that is not only redundant but also load
balanced at all levels.
These large enterprises typically receive just as many messages from external recipients such as
business partners and customers. Because of this, the Internet facing mail gateways located in the
perimeter network should be just as solid and responsive as the internally deployed transport
infrastructure. The Internet mail gateways should be available at all times, and just as
importantly, configured in a load balanced manner so that inbound messages are distributed
equally across the servers.
In this article I will describe how you can configure your Exchange 2007 Edge Transport servers
with redundancy and load balancing in mind. Actually, the steps in this article can be used for
almost any type of Internet mail gateway solution you may have or may wish to deploy in your
environment.
The Solution
For the purpose of this article, the described environment consists of an Internet mail gateway
solution consisting of four Exchange 2007 Edge Transport servers spread across two datacenters.
Both datacenters are active as shown in Figure 1.
In part 6 (which by the way was the last one) in this article series uncovering the Edge Transport
server roles, I explained how you can archive true redundancy and load balancing for the
message flow between the Internet and the Edge Transport servers located in the perimeter
network as well as from there to the AD sites containing your Hub Transport servers.