Exchange Server 2010 SP1 Beta Hosting Deployment… Part #7 – Transport Segregation


Back in 2008, I wrote a couple of blog posts about the things HMC does to make Exchange Server 2007 multi-tenant. In those posts, I walked through, from a high level, the components in Exchange that HMC changes to make the product multi-tenant. You can read them here: http://blogs.technet.com/b/provtest/archive/tags/hosted+exchange+server+2007/

In those posts, I talked about address list segregation, Active Directory segregation through Access Control Lists, internal and external OOF segregation in the transport layer, Autodiscover and so on for Exchange Server 2007. Subsequently, I also talked about resource management for various services here, http://blogs.technet.com/b/provtest/archive/tags/resource+management/, one of which is Exchange Resource Management.

So, here, I am taking a similar approach, reviewing component by component so that we all have a better idea of how things work differently compared to an enterprise environment and also compared to Exchange Server 2007 in hosted configurations. I have already spent much time talking about some unique differences in Exchange Server 2010 SP1 beta so far: how we install it, how we create a tenant organization, how we can manage it through ECP, PowerShell and so on. I started with those posts because I think it is important for everyone to get a feel for Exchange Server 2010 SP1 beta first. Now that we have done that, it is time to walk through, from a high level, the components that make Exchange Server 2010 SP1 a true hosted messaging platform.

I want to start with Transport and then move towards other areas. As most of you know by now, in Exchange Server 2010 SP1, like HMC, each tenant organization has its own OU/container in the Domain Naming context, where the system puts all the users, mailboxes, contacts and groups of that tenant organization. The concept is not very different from HMC. Of course, from the segregation standpoint, there is a huge difference because of RBAC instead of Active Directory ACLs. That is one topic I will go into further in the next few posts, and it is also where I will discuss the Reseller model a little more. Now, this is all good. Where Exchange Server 2010 SP1 goes further than HMC is that each tenant organization also has its very own configuration container. This is huge.

Think of it this way: in Exchange Server 2007, it is like a big apartment building with many tenants, but there are still tons of shared infrastructure in place. Exchange Server 2010 SP1 is really more like townhomes, where you are still attached to each other but at the same time you have your own garage, your own backyard and so on. It is probably not the best analogy, but hopefully you get the point.

Now, because the segregation goes much further than in the previous version (HMC), you will notice that the behaviour of some of the components also changes. Let us step through them now.

Intra-Tenant Organization Mail Delivery

This is mail delivery within the tenant organization. For example, User1@alpineskihouse.com sends to User2@alpineskihouse.com.

This is straightforward. Like Exchange Server 2007, the mail is routed to a Hub Transport server and then routed back to the mailbox server for delivery, like the following,

Internet Mail Delivery (Send and Receive outside of the Exchange Organization)

This is mail delivery to and from the Internet. This again is quite straightforward. Remember that the Help File said Edge Transport is not supported? That is the reason that, in the following diagram, I am using Hub Transport servers instead. Of course, you can also put an anti-spam or anti-virus server in between, but for simplicity's sake, let's not get into that here.

Out of the box, Exchange Server 2010 SP1 neither sends nor receives Internet email. You first need to create a send connector as well as a receive connector to allow that. Here are some examples. To create an Internet send connector (I put this in because I know some of us are very used to the wizard in EMC, and in a Hosting Deployment you can't use EMC),

New-SendConnector -Internet -Name InternetSendConnector -AddressSpaces *

The default receive connector on a Hub Transport server is configured for other Exchange servers to authenticate, but it does not accept anonymous email by default. Hence, out of the box, it won't receive mail from the Internet. Run the following on your incoming HT server to create a receive connector (make sure you change the binding),

New-ReceiveConnector -Internet -Name InternetReceiveConnector -Bindings "192.168.1.100:25"

If you follow the Hosting Deployment guide, you will notice that you can also run ./install-AntispamAgents.ps1 to enable the anti-spam agents. After you run the script, you must restart the Microsoft Exchange Transport service to finish the installation of the following anti-spam features:

  • Connection filtering
  • Content filtering
  • Sender ID
  • Sender filtering
  • Recipient filtering
  • Sender reputation

Inter-Tenant Organization Mail Delivery

This is mail delivery between tenant organizations in your environment. For example, in your hosted environment, you host both AlpineSkiHouse and Tailspin, and a user in AlpineSkiHouse wants to send to a user in Tailspin, say Johnc@alpineskihouse.com wants to send to Sally@tailspin.com.

In Exchange Server 2007, both organizations are considered 'internal'. As a result, when Johnc@alpineskihouse.com sends a mail to Sally@tailspin.com, and Sally@tailspin.com has Out of Office enabled, Johnc@alpineskihouse.com may actually get the Internal OOF instead of the External OOF. In HMC, or rather in Exchange Server 2007, the product cannot differentiate the two. So, in order to work around it, we created a Transport Agent, which I talked about here: http://blogs.technet.com/b/provtest/archive/2008/12/26/hmc-4-5-and-exchange-2007-sp1-part-3-internal-and-external-out-of-office.aspx. That's the HMC world.

Fast forward to Exchange Server 2010 SP1: remember that every single tenant organization has its own set of configurations? Here is where things get interesting. When you send a mail from one tenant organization to another, Exchange Server 2010 SP1 treats that mail as Internet mail, or external mail. If you enable pipeline tracing, you will see that the message carries a context for the specific tenant organization, meaning that when the Hub Transport server takes the mail, it only looks at the accepted domains within that organization. For example, when Johnc@alpineskihouse.com sends a mail to Sally@tailspin.com, transport looks at the accepted domains within AlpineSkiHouse only, and tailspin.com is not among them. That means this mail is meant to be delivered out rather than delivered internally within the Exchange organization.

So, what does that mean? It means the Hub Transport server will attempt to deliver the mail by DNS instead of resolving the recipient via Active Directory. It will be like the following,

I am quite sure you can see the problem now. The mail needs to be delivered back to a Hub Transport server, potentially the very same one. If DNS resolution does not point it back to itself, then it is probably okay. However, if it tries to deliver back to itself, then you have a message loop and the delivery fails. Those of you who set up a lab environment with the minimum number of servers, such as just one HT, will run into this problem with inter-tenant organization mail delivery in the Exchange Server 2010 SP1 beta. Will this behaviour change in RTM? I do not know, but it is unlikely in my opinion. I will explain more.

In a nutshell, I do agree with the concept behind this, because it keeps things simple and removes the need for a transport agent to deal with Out of Office, as well as the potential for anti-spam or anti-virus being bypassed as in Exchange Server 2007. So, think of Exchange Server 2007 as an apartment building: if you want to deliver something to someone within that building, you really don't need to leave the building, you just walk to their door and deliver it. Unlike in townhomes, where you have to walk out of the house and then deliver it.

What do you need then? If you have a single-server setup (mailbox, CAS, HT), you are probably experiencing this issue right now. To work around it, set up a simple SMTP service and have it deliver the mail out and then back in, like the following,

Of course, in reality, no hoster in the world is going to run on a single box (and I truly hope you guys aren't thinking about it). Now, I am not sure whether Microsoft is going to provide any official guidance on how you should design your HT infrastructure, and there are tons of ways to do it. Here is one way that I will share with you,


What I did above is to place dedicated incoming HT servers in a separate AD site. This way, we know that the HT servers in Site B will never pick up any mail from the Mailbox server to be sent out to the Internet, and will only process incoming mail. Of course, you can also achieve this by configuring the mailbox server to use only the listed HT servers for submission. Like I said, there are a few ways to do this.
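One way to wire up the dedicated incoming/outgoing HT design above in the Exchange Management Shell, as an added example that is not from the original post. The server names HT01 (outgoing, Site A), HT02 (incoming, Site B), MBX01 and the address 192.168.1.100 are assumed placeholders; the last step is the "configure the mailbox server for submission" alternative mentioned above, using Set-MailboxServer -SubmissionServerOverrideList.

```powershell
# Added example: dedicated outgoing (HT01, Site A) and incoming (HT02, Site B)
# Hub Transport servers. All names and addresses below are placeholders.
$OutgoingHT = 'HT01'
$IncomingHT = 'HT02'
$IncomingIP = '192.168.1.100'   # public-facing address the MX records resolve to
$MailboxSrv = 'MBX01'

# 1. Internet send connector sourced ONLY from the outgoing HT, so HT02 can
#    never be chosen to route outbound (including inter-tenant) mail. Keep it
#    unscoped, otherwise HT servers in other AD sites cannot see it.
New-SendConnector -Internet -Name 'InternetSendConnector' -AddressSpaces '*' `
    -SourceTransportServers $OutgoingHT -IsScopedConnector $false `
    -DnsRoutingEnabled $true

# 2. Anonymous Internet receive connector on the incoming HT only, bound to
#    the address that the outgoing HT's DNS lookup of a hosted domain returns.
#    The -Internet usage type grants the AnonymousUsers permission group.
New-ReceiveConnector -Internet -Name 'InternetReceiveConnector' `
    -Server $IncomingHT -Bindings "${IncomingIP}:25" `
    -RemoteIPRanges '0.0.0.0-255.255.255.255'

# 3. Pin mailbox submission to the outgoing HT. Without a separate AD site this
#    is what stops the incoming HT from being picked for outbound delivery.
Set-MailboxServer -Identity $MailboxSrv -SubmissionServerOverrideList $OutgoingHT

# 4. Verify which server sources outbound mail and which one accepts anonymous
#    SMTP; a connector scoped to one site, or an anonymous receive connector on
#    HT01, would defeat the segregation.
Get-SendConnector |
    Format-Table Name, SourceTransportServers, IsScopedConnector, DnsRoutingEnabled -AutoSize
Get-ReceiveConnector -Server $IncomingHT |
    Format-Table Identity, Bindings, PermissionGroups -AutoSize
```

The public MX records of every hosted domain must point at the incoming HT's address, otherwise HT01's DNS-based delivery of inter-tenant mail has nowhere to go but itself.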


Read More...

http://blogs.technet.com/b/provtest/archive/tags/exchange+2010+sp1+hosting/

Comments (27)
  1. Anonymous says:

    Hi Daniella,

    The first thing I will look at is probably to see if your Internet connector in HT01 is a scoped connector. If it is, then you may want to turn that off so that the rest of the HT boxes in the Exchange organization can see it. Try sending an Internet email to HT02 and see if it gets routed. If you still have problem, dump the Connector information to me in my contact page, blogs.technet.com/…/contact.aspx

    I will respond to you in email accordingly.

    Thanks.

    Regards,

    Kip

  2. Anonymous says:

    Well, yes, if you throw a firewall into the mix, it depends on the firewall how that translation will do, right?

    Basically, what you want is this, Peter… 2 HT, one is dedicated for outgoing and one is dedicated for incoming. Which means, the outgoing needs to be able to resolve the public IP address of the DNS in your own domain, which that IP is at your firewall. That will depend on whether your firewall is smart enough to route that back in. If not, you need to find a way for your outgoing HT box to resolve the domain to send it back to the incoming HT (either having an Internal DNS to resolve that or having a smarthost there). Make sense?

  3. Anonymous says:

    Hi Mat,

    Should I use Edge Transport Server? No, because it isn't supported. If you check the Hosting Deployment help file, you will find that the Edge Transport server role is one of the features that is considered not supported. Meaning, you can't deploy the Edge Transport Server role and subscribe the server to your environment.

    However, it shouldn't stop you from deploying some 'edge' SMTP servers to perform send and receive between the Internet and the HT, should you choose not to expose HT directly to the Internet (that may include deploying an Edge Transport Server, as long as it is not subscribed to your environment). The choice is entirely yours. Of course, if you have a server that is facing the Internet before HT, it means you need a mechanism to ensure that the server is aware of what domains have been provisioned, and may need to sync the addresses if recipient policy needs to be enforced.

    Also, please bear in mind, what I blogged above isn't official guidance from Microsoft. You will probably want to wait till the official guidance comes along on what you need to do on the transport end.

    As for CAS protection, I would say it depends. It depends on the level of protection you desire and also depends on the number of concurrent connections and scale too. I have seen hosters use ISA and I have also seen hosters use other firewall solutions. Which is better, which is not, I am afraid this isn't one of my main specialties that I can give tons of professional comments on. Sorry.

    Kip

  4. Anonymous says:

    Hello Kip,

    Can you tell me what’s the problem with SMTP Auth and pop3/imap4 clients?

    I am considering the following deployment:

    1. Outgoing mail flow – Have a dedicated Windows Server 2008 R2 server with the SMTP Server feature installed acting as smart host gateway. The server is in the DMZ. There is a Send Connector (configured on HT) using Basic Authentication over TLS. Preferably the smart host server is standalone (not in the Exchange domain).

    2. Incoming mail flow – Use specialized router and firewall appliance which makes port forwarding of port 25 to HT server.

    3. Anti-spam – Have Forefront Protection for Exchange 2010 installed on the HT server.

    Is this a reasonable configuration? I'm looking forward to your feedback.

    Thank you for your time,

    Daniella

  5. Anonymous says:

    Hi Jonathan,

    The above is only applicable to deployment with /hosting switch. In the non-hosting deployment (enterprise / on-premise), there is no segregation of configurations, hence the above will not be available.

    Now, if you are using the old AL Segregation method like in Exchange 2007, the above is also not applicable. Also, you should take note of the support stance from MS on that, check here,

    blogs.msdn.com/…/critical-update-exchange-2010-address-list-segregation-and-current-support-stances.aspx

    Thanks.

    Regards,

    Kip

  6. Anonymous says:

    I am just glad I am able to help.

  7. Anonymous says:

    Great to know, Mark. Thanks for the feedback.

  9. Anonymous says:

    Hi Peter,

    Well, as I said, that's only one way of doing it. You can also do it by having 2 HT on the same site but dedicating one of them for outgoing and the other for incoming.

    So, basically, when you create a send connector, just make sure you use only one of the servers, and then have a receive connector enabled for anonymous only on the other one and have the DNS point to that server.

  10. Anonymous says:

    Hi Regi,

    Sure. Assuming your box has an IP of 192.168.1.100 and your Windows 2008 R2 running SMTP is 192.168.1.200. Here are a few steps.

    1. Create Send Connector on your Exchange box. This should smart host everything out to the Windows 2008 R2 SMTP box.

    New-SendConnector -Internet -Name InternetSendConnector -AddressSpaces * -DnsRoutingEnabled $false -SmartHosts 192.168.1.200

    2. Then Create a receive connector just like my article above.

    New-ReceiveConnector -Internet -Name InternetReceiveConnector -Bindings "192.168.1.100:25"

    3. Install the Windows 2008 R2 box, assign IP 192.168.1.200 and turn on the SMTP service feature. Also install the DNS server in it, as an external DNS.

    4. Then from IIS 6.0 Manager, you can configure the SMTP Virtual Server. Configure the service to allow relay for 192.168.1.100.

    5. Make sure the external DNS has those MX record for all the domains hosted in your Exchange and that they point to 192.168.1.100.

    That should do it.

  11. Anonymous says:

    Hi Kip,

    I couldn't understand the advantages of having 2 HT servers, one dedicated outgoing and another dedicated incoming respectively. Is this a better approach than the deployment with the standalone smart host? Why?

    And one more thing. What do you mean here: “that box needs to get to the public IP of your incoming HT because it will be resolving the DNS to the public IP of the server”?

    Thank you again.

    Cheers,

    Daniella

  12. Anonymous says:

    Hi Daniella,

    0. There is nothing wrong with SMTP Auth. Just a consideration in the event you only expose an internet gateway.

    1. That's fine. But bear in mind, if it is only one box, it will be a single point of failure. Also, that box needs to get to the public IP of your incoming HT because it will be resolving the DNS to the public IP of the server.

    2. That's fine.

    3. That's fine too.

  13. Anonymous says:

    Hi Daniella,

    I am glad you guys find this blog useful.

    I should probably note that what I blogged above is a very simplistic model and in production, most likely you will implement it quite differently. My aim was to help everyone understand the changes that a hosting model brings to the transport side of the story.

    As I said, there are many ways to design this and there are many factors to look at too, probably too many. I am going to list down a few for you to look at as a starter,

    1. SMTP Auth – depending on the presence of pop3/imap4 clients, if you need that.

    2. Internet facing HT – This is a question more of are you comfortable putting a domain joined box to be an internet front facing HT.

    3. Licensing/Cost – if you deploy a non-Microsoft mail gateway in between, it will cost more money.

    4. Integration – you may need to think about integration work between the non-Microsoft mail gateway and Exchange Server 2010 SP1 hosting deployment just so that those boxes will accept the email with the right domain or right recipients.

    5. Load – design your server to cater for the load that you guys will need.

    I think I will look at the above 5 points as a start. What's my recommendation? It is hard to say, because there are many ways to do this. However, if I have to do it, I will probably have a mixture of what I described in my blog,

    1. Have dedicated incoming and outgoing HT

    2. Outgoing HT takes SMTP auth (but using a different port, not port 25) if you do not have a dedicated box to do that. Outgoing HT will go out directly.

    3. Have AV installed on both incoming and outgoing HT

    4. Have a gateway that deals with incoming mail and then forward that to the incoming HT. The gateway sits in DMZ.

    5. Do some minor integration work to ensure that any new organization or domain provisioned will also be slotted into the mail gateway automatically.

    There..

  14. Anonymous says:

    Yes, that's definitely an option, but most people will be quite reluctant to do that because HT is, after all, a domain-joined server.

  15. Jonathan says:

    Hi Kip,

    Is the Inter-Tenant Organization Mail Delivery process only available in SP1 /hosting, or will SP1 do it even if /hosting is not installed?

    thx

  16. Mark says:

    Thanks for this entry. This was the last step we needed. We now have a beta 2010 hosting environment up and running. Everything seems to be working great. Of course we have a lot more testing to do.

  17. Regi says:

    Hi Kip,

    As you said above, I have a lab setup with a single server (MB, CA, HT) and everything is up and running perfectly, but I am facing exactly the problem you mentioned for inter-tenant mail delivery. Can you explain a little more regarding the solution with another server, Win2k8 R2 running the SMTP service, and how to configure it?

    Looking for more writings from you

    Thanks in advance

  18. Regi says:

    Hi Kip,

    Thank you very much for the explanation. Now inter tenant mail delivery is happening perfectly.

    regards

  19. mat33 says:

    Hi Kip,

    I got some questions regarding the design of a hosted Exchange 2010 environment:

    – Should I use additional Edge Transport Servers, or is it okay to just use your 2 different Hub Transport Servers (Incoming / Outgoing)? What's the benefit of using additional Transport Servers?

    – How should I protect the external access to the CAS? (TMG / ISA / UMG)

    thanks.

    Mat33.

  20. mat33 says:

    Hi Kip,

    thanks for the reply.

    Mat33

  21. Peter says:

    Hi Kip,

    thank you for your great blog.

    Could you explain how you would configure your connectors in the SiteA and SiteB scenario?

    Is there a official MS guide, how to configure this?

  22. Peter says:

    Hi Kip,

    Maybe it's just me, but I cannot see how this would work, I'm probably just a bit slow… ;O)

    If Domain A and Domain B are both located on the Exchange platform, and Domain A tries to send a mail to Domain B, the mail is still being delivered out to the Internet. But if I only have 1 firewall, the message is supposed to loop back in through the same firewall, and this is not allowed. Or does the send connector know that this message should be delivered to the HT with the receive connector on it?

  23. Peter says:

    Hi Kip,

    Yes this makes sense :O), or the third possibility, is to make the incoming HT internet facing?

  24. Peter says:

    Hi Kip, yeah it's a bit dangerous and you have to have your priorities straight.

    I solved it by creating a DNS zone for every customer on the server, and pointing the MX to the incoming HT.

    Thanks for your help and time :O)

  25. daniella says:

    Hi Kip,

    Thank you for your blog. It’s very helpful.

    You offered 2 implementations of transport segregation – two HT, one as dedicated incoming and the other as dedicated outgoing or another mail relay server.

    Please help us choose the best implementation for a production environment. What are the advantages/disadvantages of each implementation? What should we keep in mind?

    Thank you,

    Daniella

  26. digitaldrop says:

    nice ……  u guys rock

  27. Dedicated Send and Receive HT Servers and NDR says:

    Hello Kip,

    We have deployed Exchange 2010 SP1 for hosting. In order to support inter-tenant mail flow we have dedicated outgoing and dedicated incoming Hub Transport Servers. Same configuration as the last diagram of yours.

    So there is a dedicated outgoing HT Server in Site A (HT01) and another dedicated incoming HT Server in Site B (HT02). The mailbox server (MBX01) is in Site A, too. All outbound e-mails are sent by HT01. All inbound e-mails are received by HT02, delivered to HT01 and then to MBX01.

    The problem is that the NDR delivery fails. If an undeliverable e-mail is received by HT02, the server tries to send an NDR through HT01 (Intra-Organization SMTP Send Connector) and the delivery fails with 550 5.7.1 Request action not taken: message refused.

    Please let me know how to configure the SMTP delivery from HT02. It should happen through HT01. Maybe there is some connector missing?! Please help.

    Here are the receive connectors configured so far:

    Identity                    Bindings
    --------                    --------
    HT02\Default Internet       {0.0.0.0:25}
    HT01\Client HT01            {:::587, 0.0.0.0:587}
    HT01\Default HT01           {0.0.0.0:25}

    Here is the only send connector:

    Identity                    AddressSpaces
    --------                    -------------
    Default Internet HT01       {smtp:*;1}

    Regards and thank you in advance,

    Daniella Slavcheva
