In-Depth Look at Exchange Server 2007 SP1 Transport and Routing Architecture

馮立偉, Microsoft Taiwan contract speaker

Upload: eustace-roberts

Post on 17-Dec-2015


TRANSCRIPT

Page 1: In-Depth Look at Exchange Server 2007 SP1 Transport and Routing Architecture

馮立偉, Microsoft Taiwan contract speaker

Page 2: Course prerequisites

Level 300

• IT professionals who have used Microsoft Exchange Server 2007, 2003, or Exchange 2000 Server

• Experience using and configuring an Exchange 200x routing topology

Page 3: Agenda

• Microsoft® Exchange Server 2007 transport architecture

• Differences in transport and routing between Exchange 2007 and earlier versions

• Exchange Server 2007 routing structure

• Interoperability with Microsoft® Exchange 2000 Server / Microsoft® Exchange Server 2003

• Routing troubleshooting tools

• Exchange Server 2007 Edge Transport role

Page 4: Exchange Server 2007 transport system architecture

[Diagram. Labels: Hub Transport; Mailbox Server; MAPI RPC; AD; User & Config Data; Edge Transport; ADAM; User, Connector & Config Data; EdgeSync; Recipient SMTP addresses, per-user safe sender lists, etc.; Secure LDAP]

Page 5: Transport server architecture

Page 6

1. User composes message in Microsoft® Office Outlook® and it is stored in the user's Outbox

2. Mailbox submission service listens for store event notification of new message and notifies an in-site Hub Transport

3. Hub Transport retrieves message from sender's mailbox and submits to queue

4. Hub Transport categorizes message and applies message policies

5. Hub Transport delivers message to Hub Transport server in target Active Directory site

6. Hub Transport delivers message to mailbox server in target Active Directory® site

[Diagram. Labels: From:; To:; RPC; Mailbox; Hub Transport]

Page 7: Hub Transport role

• Predictable routing reduces maintenance

• One Hub server per site where Mailbox role deployed

• Connectivity to Exchange 2003 through Connectors

Page 8: Hub Transport role (2)

• Confidential and tamper-proof communications

• Retain the communications you need for compliance and nothing else

• Enable users to comply with regulatory policies

• Highly available messaging reduces downtime

Page 9: Administering the Hub Transport Server Role

• Define connectors

• Transport rules

• Ethical firewall

Page 10: Exchange 2000/2003 vs. Exchange 2007

Page 11: Exchange 2000/2003 vs. Exchange 2007 (continued)

Page 12: Foreign connectors that are no longer supported

• GroupWise

• X.400

• Lotus Notes

• Other third-party messaging systems

Page 13: Exchange Server 2007 routing

• Direct connections (point-to-point routing)
– Prefer direct IP connection between source and destination
– Based on Active Directory site topology and site link costs
– Queue mail as close to destination as possible

• Deterministic routing
– Simplify design: following a consistent pattern makes planning and troubleshooting easier
– No longer relies on Exchange Link State information
– Optimize bytes over the wire by bifurcating based on route

• Simplify deployment
– Automatic configuration
– Consolidated topology concepts

Page 14: Routing Topology

[Diagram. Labels: Perimeter; Intranet; Site A; Site B; Site C; EdgeSync over 1389]

Page 15: AD sites are the routing boundaries

• Automatic load balancing and fault tolerance
– Mailbox will load balance submissions across all Hubs in local Active Directory site
  • When mailbox and Hub roles coexist on same server, local Hub preferred
– Hub will load balance connections across all Hubs in remote Active Directory site
– Hub will deliver to any mailbox in local Active Directory site

• Uses the Active Directory site topology to calculate back-off
– Direct connect FIRST, unless forced through Hub Sites
– Provides for queuing at the point of failure
– Availability information is not cached
  • Always try all Hub servers within remote Active Directory site before back-off
  • Each new connection uses same algorithm
– When bifurcation (delayed fan-out) is required

Page 16: The "best" route between AD sites

[Diagram. Labels: Site 1; Site 2; Site 3; Site 11; Site 21; five site links, each Cost = 100; Originator; Recipient #1; Direct Connect; Backoff Route #1; Backoff Route #2; Final Backoff]

Page 17: The effect of bifurcation on routing (1)

[Diagram. Labels: Site 1; Site 2; Site 3; Site 11; Site 21; Site 31; six site links, each Cost = 100; Originator; Recipient #1; Recipient #2; Direct Connect (three paths); Bifurcate]

Page 18: The effect of bifurcation on routing (2)

[Diagram. Labels: Site 1; Site 2; Site 3; Site 11; Site 21; Site 31; five site links with Cost = 100 and one with Cost = 300; Originator; Recipient #1; Recipient #2; Direct Connect (three paths); Bifurcate]

Page 19: Overriding the default AD topology

• Can specify Active Directory hub sites
– Useful in hub/spoke topologies and where firewalls prevent direct connections

• Can override IP site link costs with Exchange-specific costs
– Overrides default IP site link object cost used to build Active Directory replication topology
– Allows routing to pick more optimal routes if Active Directory site link topology is not efficient

Page 20: Explicit Hub Sites

• Intermediate Active Directory site must exist along the least cost route between sender and recipient Active Directory site

• Active Directory site must contain an Exchange 2007 server with Hub role

• Use Set-ADSite with ‘HubSiteEnabled:$TRUE’

Page 21: Site Link with Exchange Cost

• Configures an Exchange-specific cost to the Active Directory IP site link

• Get, Set-AdSiteLink (-ExchangeCost)

Page 22: Using explicit hub sites

[Diagram. Labels: Site 1; Site 2; Site 3; Site 11; Site 21; Site 31; five site links with Cost = 100 and one with Cost = 300; Originator; Recipient #1; Recipient #2; Direct Connect (five paths); Bifurcate]

• Site1, Site2, and Site3 all designated as explicit Hub sites
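The routing rules from pages 13 to 22 (least-cost path over site links, Exchange cost overriding the AD cost, direct connect first with back-off toward the source, explicit hub sites, delayed fan-out) can be traced with a short model. This is an added example, not code from the presentation or from Exchange; the six-site wiring, the function names and the back-off order (closest to the destination first, as Microsoft's routing documentation describes it) are assumptions.

```python
import heapq

# Constructed six-site topology; the slides' exact wiring is not recoverable.
# Each entry: (site_a, site_b, AD site link cost, ExchangeCost or None).
SITE_LINKS = [
    ("Site11", "Site1", 100, None),
    ("Site1", "Site2", 100, None),
    ("Site1", "Site3", 100, None),
    ("Site2", "Site3", 100, None),
    ("Site2", "Site21", 100, None),
    ("Site3", "Site31", 100, None),
]

def with_exchange_cost(links, a, b, cost):
    """Copy of links with an Exchange-specific cost set on link a-b."""
    return [(x, y, ad, cost if {x, y} == {a, b} else ex)
            for x, y, ad, ex in links]

def build_graph(links):
    """Adjacency map; the Exchange cost, when set, overrides the AD cost."""
    graph = {}
    for a, b, ad_cost, exchange_cost in links:
        cost = exchange_cost if exchange_cost is not None else ad_cost
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph

def least_cost_path(graph, src, dst):
    """Dijkstra over site links; returns (cost, [src, ..., dst])."""
    heap, done = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        site = path[-1]
        if site == dst:
            return cost, path
        if site in done:
            continue
        done.add(site)
        for nxt, link_cost in graph.get(site, {}).items():
            if nxt not in done:
                heapq.heappush(heap, (cost + link_cost, path + [nxt]))
    return None, []

def delivery_attempts(path, hub_sites=()):
    """Sites whose Hub servers are tried, in order.

    Direct connect to the destination first, unless an intermediate hub
    site on the path forces a stop there; on failure, back off along the
    path toward the source. If every attempt fails the message stays
    queued in the source site.
    """
    hops = path[1:]
    target = len(hops) - 1
    for i, site in enumerate(hops[:-1]):  # hub site must be intermediate
        if site in hub_sites:
            target = i
            break
    return hops[target::-1]

def fan_out_site(path_a, path_b):
    """Last site shared by both routes: where one copy becomes two."""
    common = None
    for a, b in zip(path_a, path_b):
        if a != b:
            break
        common = a
    return common
```

Setting an Exchange cost of 300 on the Site1-Site2 link with `with_exchange_cost` moves the route to Site21 through Site3, which also moves the bifurcation point for recipients in Site21 and Site31 from Site1 to Site3.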

Page 23: Exchange Server 2007 – Exchange 2000/2003 routing

• All Exchange 2007 servers are within a single routing group

• Introduction of first Exchange 2007 Hub role results in creation of routing group connectors (single source/target bridgehead on each)
– Add source and target bridgehead servers for fault tolerance and load balancing between these two connected routing groups
– Exchange 2003 Routing Group Connector (RGC) bridgehead cannot be a cluster

• Exchange 2007 routing to Exchange 2000/2003 recipient
– Chooses least cost RGC route to Exchange 2003 recipient based on routing group connector costs (Active Directory cost not included)
– Chooses least cost route within the Exchange 2007 routing group to the Active Directory site containing RGC “bridgehead” based upon Active Directory site link cost

• Exchange 2000/2003 routing to Exchange 2007 recipient
– Server picks least cost route to the Exchange 2007 Routing Group regardless of Active Directory site where recipient mailbox is located
– Exchange 2007 “bridgehead” routes within Exchange 2007 Routing Group to the Active Directory site containing recipient mailbox based upon Active Directory site link cost

Page 24: Exchange 2007 transport topology

[Diagram. Labels: Site 1; Site 2; Site 11; Site 12; Site 13; Site 23; four site links, each Cost = 100; Exchange Routing Group (DWBGZMFD01QNBJR); Exchange 2003 Routing Group 1; Exchange 2003 Routing Group 2; Exchange 2003 Routing Group 13; Exchange 2003 Routing Group 23; Routing Group Connectors (RGC), each Cost = 10; E2K7 servers; Originator; Recipient #1; Recipient #2; Bifurcate]

• Disable Link State on all E2K/E2K3 Servers!!!

Page 25: Disabling Link State

• Suppresses communication of minor link state changes (link up or down)

• Used when you have multiple routes to/from the Exchange 2007 Routing Group

• Must be done to every Exchange 200x server in the organization to prevent loops

• All versions only use least cost route

• Controlled via registry

HKLM\System\CurrentControlSet\Services\RESvc\Parameters
DWORD: SuppressStateChanges
Value: 1

Page 26: Considerations for dedicated AD sites

• Dedicated Active Directory sites for Exchange
– Best practice in Exchange 2003 in many environments
– In Exchange 2007 depends on customer environment

• Dedicated Active Directory resource criteria for Exchange 2007
– Is there a performance issue with competing applications?
– 32-bit versus 64-bit domain controllers (DCs) – number of mailboxes
– Mesh versus Hub and spoke replication architecture
– Number of sites with Exchange Servers <= 5

Page 27: Troubleshooting routing problems

• Two main scenarios
– Determine route between server in Active Directory site containing sender's mailbox and recipient
– Determine what topology changes have occurred between two points in time

• Routing log file created every time transport routing computes a new topology
– Active Directory change notifications cause routing to compute topology
– Routing compares new topology with current topology, loads new topology, and saves log if difference found

• Routing log viewer (new in SP1)
– Allows the administrator to view/compare routing logs

Page 28: Routing Log Viewer

BackOff path

Page 29: Routing Log Viewer

Comparing logs

Page 30: Edge Transport role

• Transport role that resides in perimeter network

• Not Active Directory joined – hosts local Active Directory Application Mode (ADAM) instance

• EdgeSync service replicates recipient information and configuration via one-way push
– Inbound and outbound SendConnectors
– Accepted domains
– Credentials for secure mailflow between Edge and Hub roles
– Recipient data for anti-spam features

• Port 25 is only inbound port/connection

Page 31: EdgeSync basics

• Add Edge subscription to a single Active Directory Site
– Edge server object added to Active Directory
– Send Connector with Edge as source transport server

• Manage subset of Edge configuration in the Active Directory, then push out to Edge
– Edge DOES NOT talk to Active Directory
– Configuration is stored in local ADAM directory

• Sync schedule
– Recipients every four hours (authoritative domains)
– All other configuration every hour
– Manual sync: Start-EdgeSynchronization
– Edge recipient cache may have “old” object for 4 hours

Page 32: Receiving mail from the Internet

• Receive connector accepts anonymous connection
– Permission enabled on Internet-facing receive connector

• Hygiene agents filter incoming connections/messages
– Registered on Simple Mail Transfer Protocol (SMTP) protocol events
– Block doesn’t generate local Non-Delivery Report (NDR) (remote system must generate)
– Eliminates NDR to non-existent recipient

• Routing matches accepted domain to “dash-dash” connector
– Smarthosts to Hub servers in same site as Edge subscription
– Transport Layer Security (TLS) with direct trust between Hub and Edge roles
– Hub trusts organization headers added by Edge

Page 33: Receive Agents for Message Hygiene (1)

• Connection filtering agent
– Supports accept/deny lists with static/machine-generated entries
– Supports multiple Real-time Block List (RBL) providers, connection blocked if any match
– IP reputation services adds machine-generated entries

• Sender filtering agent
– Filters based on P1 sender address (MAIL FROM:)

Page 34: Receive Agents for Message Hygiene (2)

• Recipient filtering agent
– Must enable after EdgeSync recipient sync complete
– Lookup in ADAM to ensure P1 recipient is valid
– Return protocol error if recipient not found
– Tar pit connections after multiple protocol errors

• Content filtering agent
– Inspects message body to identify spam
– Bypassed for safe-senders
– Sender reputation level (SRL) impacted by spam confidence level (SCL) rating
– Recipient bypass based on P2 recipient address

Page 35: Content Filtering Configuration (1)

• Server (*-ContentFilterConfig cmdlets)
– SCLRejectThreshold, SCLRejectEnabled
– SCLDeleteThreshold, SCLDeleteEnabled
– SCLQuarantineThreshold, SCLQuarantineEnabled
– QuarantineMailbox
– BypassedRecipients, BypassedSenders, BypassedSenderDomains

• Organization (*-OrganizationConfig cmdlets)
– SCLJunkThreshold (default 4)

Page 36: Content Filtering Configuration (2)

• Mailbox (*-Mailbox cmdlets)
– SCLDeleteThreshold, SCLDeleteEnabled
– SCLRejectThreshold, SCLRejectEnabled
– SCLQuarantineThreshold, SCLQuarantineEnabled
– SCLJunkThreshold, SCLJunkEnabled
– AntispamBypassEnabled
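How the server, organization and mailbox settings listed on pages 35 and 36 combine into one action per message can be modelled as follows. This is an added example, not code from the presentation or from Exchange: the threshold values are constructed, the function names are hypothetical, and the comparison rules (delete, reject and quarantine at or above their threshold, junk strictly above, mailbox values overriding server and organization values) follow Microsoft's Exchange 2007 documentation rather than the slides.

```python
GATEWAY_ACTIONS = ("Delete", "Reject", "Quarantine")  # strongest first

# Constructed server-level values (*-ContentFilterConfig parameter names).
SERVER = {
    "SCLDeleteEnabled": True, "SCLDeleteThreshold": 9,
    "SCLRejectEnabled": True, "SCLRejectThreshold": 7,
    "SCLQuarantineEnabled": False, "SCLQuarantineThreshold": 9,
}
ORG_JUNK_THRESHOLD = 4  # SCLJunkThreshold default given on the slide

def effective_settings(server, org_junk_threshold, mailbox=None):
    """Server and organization values, overridden by any mailbox value set."""
    eff = dict(server)
    eff["SCLJunkEnabled"] = True
    eff["SCLJunkThreshold"] = org_junk_threshold
    for key, value in (mailbox or {}).items():
        if value is not None:  # None models "not set on the mailbox"
            eff[key] = value
    return eff

def action_for(scl, server, org_junk_threshold, mailbox=None):
    """Action taken for a message with the given SCL rating."""
    if (mailbox or {}).get("AntispamBypassEnabled"):
        return "Deliver"  # mailbox is exempt from content filtering
    eff = effective_settings(server, org_junk_threshold, mailbox)
    for name in GATEWAY_ACTIONS:
        if eff.get(f"SCL{name}Enabled") and scl >= eff[f"SCL{name}Threshold"]:
            return name
    if eff["SCLJunkEnabled"] and scl > eff["SCLJunkThreshold"]:
        return "Junk"
    return "Deliver"

def threshold_warnings(eff):
    """Enabled actions that can never fire because a stronger one fires first."""
    warnings, floor = [], None
    for name in GATEWAY_ACTIONS:
        if not eff.get(f"SCL{name}Enabled"):
            continue
        threshold = eff[f"SCL{name}Threshold"]
        if floor is not None and threshold >= floor:
            warnings.append(f"{name} at {threshold} is shadowed by a "
                            f"stronger action at {floor}")
        floor = threshold if floor is None else min(floor, threshold)
    return warnings
```

Running `threshold_warnings` over the effective settings of each mailbox with overrides catches the common misconfiguration where a per-mailbox reject threshold is raised above the delete threshold and silently stops applying.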

Page 37: Sending to the Internet through Edge

• Send connector with “*” address space with Edge server(s) as source transport server(s)
– “Best” connector based on selection criteria

• Routing selects “best” connector, determines Active Directory site hosting source transport server(s)
– Edge subscription makes Edge part of Active Directory site

• Inter-site delivery to Hub role in target Active Directory site
– TLS with Kerberos authentication between Hub roles

• Intra-site delivery to Edge role within Active Directory site
– TLS with direct trust between Hub and Edge roles

• DNS connector delivery to remote domain
– Anonymous delivery to remote domain based on MX

Page 38