Getting Started with Exchange Server 2007: Server Roles
Topic Last Modified: 2007-02-06
With the recently released Beta 2 of Microsoft® Exchange Server 2007 (formerly code-named “Exchange 12”), you will be able to install Exchange 2007 and experience the newly re-engineered technologies, features, and services that have been added into the Microsoft Exchange product line. I will explain the Exchange 2007 server roles and show you how Exchange 2007 has been re-designed to be the most comprehensive and flexible messaging solution that is available.
Exchange 2007 has been redesigned to add extensive new features and functionality, and to improve the administrative and management experience. To support this improved administrative and management experience, Exchange 2007 introduces five distinct server roles. Each role provides specific functionality and features. These server roles are as follows: Client Access, Edge Transport, Hub Transport, Mailbox, and Unified Messaging. The server roles, except for the Edge Transport server role, can all be installed on a single physical server or be distributed across multiple servers, depending on your company’s needs and requirements. By using this modular approach to installing, deploying, and administering Microsoft Exchange, you can now more effectively control the features that are included with Exchange 2007.
When a front-end and back-end Exchange topology was configured in earlier versions of Microsoft Exchange, the two servers performed very different functions. The front-end server acted as the gateway or proxy that would enable Internet mail clients like Microsoft Office Outlook® Web Access and RPC over HTTP access to a back-end server. The back-end server housed the mailbox and public folder databases. It serviced internal mail requests by using various clients, including Outlook and Outlook Web Access, directly over a LAN. The back-end server also serviced external requests from the front-end server for Internet mail clients.
Exchange 2007 provides five server roles that align with the way that messaging systems are typically deployed and distributed. A server role is a unit that logically groups the required features and components that are required to perform a specific function in the messaging environment. Each server role includes features that support its function together with related configuration and security settings and a list of predefined tasks for managing and configuring those features. By using the Exchange 2007 server roles, you can better control and secure your messaging environment. Exchange 2007 server roles are designed to install only the services that are needed for each role.
The following sections provide an overview of each Exchange 2007 server role and describe some of their features and functionality.
The Exchange Server 2007 Mailbox server role hosts both mailbox and public folder databases, and provides calendar access for users and messaging records management (MRM). The Mailbox server role is required if you plan to host user mailboxes, public folders, or both, on an Exchange 2007 server. However, if you want to implement all the features and functionality found in Exchange 2007, you will also have to install each of the other server roles.
|The Edge Transport server role cannot coexist on the same computer with any other server role.|
In Exchange 2007, the Mailbox server role integrates with the Active Directory® directory service better than the mailbox features and functionality in earlier versions of Exchange. This improved integration makes deployment and operational tasks much easier.
The Mailbox server role enhances and improves high availability and recovery for clustered Mailbox servers by including such features as: local continuous replication (LCR), cluster continuous replication (CCR), and single copy cluster (SCC). These high availability features provide enhanced recovery opportunities to meet your availability requirements. The Mailbox server role also greatly improves the Information Worker experience by providing more rich calendaring functionality, resource management, and more efficient offline address book downloads.
The Client Access server role supports Outlook 2007 and earlier versions, Outlook Web Access, and Exchange ActiveSync in addition to the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 rev1 (IMAP4) protocols. The Client Access server role also makes it possible to use Exchange 2007 features such as the offline address book, the Autodiscover service, and the Availability service. You must have the Client Access server role installed in every Exchange 2007 organization. The Client Access server role handles communications between clients and Microsoft Exchange. Although Outlook communicates directly with the Mailbox server, it uses the Client Access server role to connect to Exchange mailboxes when you are using Outlook Anywhere (formerly known as RPC over HTTP) and for services such as the Autodiscover service and the Availability service. The Client Access server role also enables users to use such Unified Messaging features as Play on Phone.
The following is a brief explanation of the functionality and features that are included with the Client Access server role:
- Outlook Web Access Outlook Web Access in Exchange 2007 lets you access your e-mail from a Web browser. It includes new features such as smart meeting booking, enhanced reminders and notifications, and integration with Microsoft Windows SharePoint® Services and Windows file shares.
There are two versions of Outlook Web Access in Exchange 2007: the full-featured Outlook Web Access Premium client and the Outlook Web Access Light client. Outlook Web Access Premium requires Internet Explorer 6 or a later version but adds many enhancements and more functionality to the user interface. Outlook Web Access Light provides fewer features and is sometimes faster. Users should use the Light client if they are on a slow connection or using a computer with unusually strict browser security settings. If they are using a browser other than Internet Explorer 6 or later versions, they can only use the Light client.
- Exchange ActiveSync Microsoft Exchange ActiveSync® lets you synchronize data between your mobile device and Exchange 2007. You can synchronize e-mail, contacts, calendar information, and tasks. Devices that run Microsoft Windows Mobile® software, including Windows Mobile powered Pocket PC 2003 and Windows Mobile 5.0, are supported. Exchange ActiveSync is also supported on third-party mobile devices. For more information, see the documentation for your device.
If you use a device that has Windows Mobile 5.0 and the Messaging and Security Feature Pack installed, your mobile device will support Direct Push. Direct Push is a technology that is built into Exchange ActiveSync that keeps a mobile device continuously synchronized with an Exchange mailbox.
- POP3 and IMAP4 Besides supporting Exchange ActiveSync and HTTP clients, Exchange 2007 supports POP3 and IMAP4 clients. By default, POP3 and IMAP4 services are installed but are not enabled when you install the Client Access server role.
- Autodiscover Microsoft Exchange Server 2007 includes a new Exchange service named the Autodiscover service. The Autodiscover service uses a user's e-mail address and password to provide profile settings to Outlook 2007 clients and supported mobile devices.
The Autodiscover service makes it easier to configure Outlook 2007. Earlier versions of Exchange and Outlook required you to configure all user profiles manually to access Exchange. Extra work was required to manage these profiles if changes occurred to the messaging environment or the Outlook clients would stop functioning correctly.
The Autodiscover service enables Outlook 2007 clients to automatically connect to Microsoft Exchange and Exchange features, such as the Availability service or Unified Messaging, without having to manually configure their Outlook profile.
- Outlook Anywhere The Outlook Anywhere feature for Microsoft Exchange Server 2007 lets Outlook 2007 and Outlook 2003 clients connect to their Microsoft Exchange servers over the Internet by using the RPC over HTTP Windows networking component.
This technology wraps remote procedure calls (RPCs) with an HTTP layer, which allows the traffic to traverse network firewalls without requiring RPC ports to be opened. Exchange 2007 greatly reduces the difficulty of deploying and managing this feature. To deploy Outlook Anywhere in your Exchange messaging environment, you have to enable at least one Client Access server by using the Enable Outlook Anywhere Wizard.
Exchange 2007 Edge Transport servers are deployed in your organization's perimeter network and handle all Internet-facing mail flow, provide protection against spam, and provide secure message paths between business partners.
Spammers, or malicious senders, use a variety of techniques to send spam into your organization. No single tool or process can eliminate all spam. Exchange 2007 builds on the foundation of Exchange Server 2003 to provide a layered, multipronged, and multifaceted approach to reducing spam and viruses. Exchange 2007 includes a variety of anti-spam and antivirus features that are designed to work cumulatively to reduce the spam that enters your organization. Exchange 2007 also includes improved infrastructure for antivirus applications. Servers that run Exchange 2007 Edge Transport services help prevent users in your organization from receiving spam by providing a collection of agents that work together to provide different layers of spam filtering and protection.
Edge Transport servers offer you the following features:
- Attachment Filtering Attachment filtering filters messages based on attachment file name, file name extension, or file MIME content type. You can configure attachment filtering to block a message and its attachment, to strip the attachment and allow the message to pass through, or to silently delete the message and its attachment.
- Connection Filtering Connection filtering inspects the IP address of the remote server that is trying to send messages to determine what action, if any, to take on an inbound message. The remote IP address is available to the Connection Filter agent as a byproduct of the underlying TCP/IP connection that is required for the Simple Mail Transfer Protocol (SMTP) session. Connection filtering uses a variety of IP Block lists, IP Allow lists, in addition to IP Block Providers services or IP Allow Provider services to determine whether the connection from the specific IP should be blocked or should be allowed in the organization.
- Content Filtering Content filtering uses Microsoft SmartScreen® technology to assess the contents of a message. Intelligent Message Filter is the underlying technology of Exchange content filtering. Intelligent Message Filter is based on patented machine-learning technology from Microsoft Research. During its development, Intelligent Message Filter learned distinguishing characteristics of legitimate e-mail messages and spam. Regular updates with Microsoft Anti-spam Update Service ensure that the most up-to-date information is always included when the Intelligent Message Filter runs. Based on the characteristics of millions of messages, Intelligent Message Filter recognizes indicators of both legitimate messages and spam messages. Intelligent Message Filter can accurately assess the probability that an inbound e-mail message is either a legitimate message or spam.
Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages that are incorrectly classified as spam. Spam quarantine provides a temporary storage location for messages that are identified as spam and that should not be delivered to a user mailbox inside the organization.
Content filtering also acts on the safelist aggregation feature. Safelist aggregation collects data from the anti-spam safe lists that Outlook and Outlook Web Access users configure and makes this data available to the Content Filter agent on the computer that has the Edge Transport server role installed in Exchange 2007.
When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing. E-mail messages that Outlook users receive from contacts or that those users have added to their Outlook Safe Senders List or have trusted are identified by the Content Filter agent as safe. The result is that messages that are identified as safe are not classified as spam and unintentionally filtered out of the messaging system.
- Recipient Filtering Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message is not permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message is not addressed to valid recipients, the message can be rejected at the organization's network perimeter.
- Sender Filtering Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains that are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message.
- Sender ID Sender ID relies on the IP address of the sending server and the Purported Responsible Address (PRA) of the sender to determine whether the sender is spoofed or not. PRA is calculated based on the following message headers:
- Sender Reputation Sender reputation relies on persisted data about the IP address of the sending server to determine what action, if any, to take on an inbound message. The Protocol Analysis agent is the underlying agent that implements the sender reputation functionality. A sender reputation level (SRL) is calculated from several sender characteristics that are derived from message analysis and external tests.
Senders whose SRL exceeds a configurable threshold will be temporarily blocked. All their future connections are rejected for up to 48 hours. In addition to the locally calculated IP reputation, Exchange 2007 also takes advantage of IP Reputation anti-spam updates, available via Microsoft Update, which provide sender reputation information about IP addresses that are known to send spam.
- Domain Security Domain Security refers to the set of functionality in Exchange 2007 and Outlook 2007 that provides a relatively low-cost alternative to S/MIME or other message-level security solutions. The purpose of the Domain Security feature set is to provide administrators a way to manage secured message paths over the Internet with business partners. After these secured message paths are configured, messages that have successfully traveled over the secured path from an authenticated sender are displayed to users as "Domain Secured" in the Outlook and Outlook Web Access interface.
- Address Rewriting Address rewriting, which is provided by the Address Rewriting agent on Edge Transport servers, lets you modify the addresses of senders and recipients on messages that enter and leave an Exchange 2007 organization. You can use address rewriting to present a consistent appearance to external recipients of messages from your Exchange 2007 organization. Address rewriting can be valuable to organizations that use third-party vendors to provide e-mail support and services. Customers and partners expect e-mail messages to come from the organization, not a third-party vendor. Similarly, after a merger or acquisition, an organization might want all e-mail messages to appear to come from the single new organization. The address rewriting feature frees organizations to structure their businesses by business requirements instead of by technical requirements or limitations
- Edge Transport Rules Transport rules that run on Edge Transport servers give you another tool to help you reduce the viruses that affect your organization. Because viruses can be released before anti-virus vendors have the chance to update their software, there can be a window in which viruses can enter your organization undetected. By using transport rules on Edge Transport servers, you can create transport rules that identify virus infected messages and remove or quarantine them.
You can also use Edge transport rules to reduce the effect of denial of service (DoS) attacks on your organization by blocking or refusing delivery of these attacks at your network perimeter. This reduces the effect on network resources and also the cost of dealing with these attacks.
Finally, Edge Transport rules can also protect your partners and customers by preventing unwanted or harmful messages from leaving your organization. Because internal client computers can sometimes because infected by a virus and send virus infected messages, Exchange enables you to apply the same transport rules to outbound messages to help prevent them from being delivered to your partners and customers.
Microsoft Exchange Server 2007 Hub Transport server role is deployed inside your organization's Active Directory. It handles all internal mail flow, applies organizational message routing policies, and is responsible for delivering messages to a recipient's mailbox. Here is a brief explanation of the functionality and features included with the Hub Transport server role:
- Mail Flow The Hub Transport server processes all mail that is sent inside the Exchange Server 2007 organization before it is delivered to an internal recipient's Inbox or routed to destinations outside the Exchange organization. There are no exceptions to this behavior; mail is always passed through a Hub Transport server, because the Hub Transport server contains the message queues and the associated Send connectors and Receive connectors that are used to transport mail. This is true even if recipients and senders are located on the same mailbox server.
- Message Categorization The categorizer performs recipient resolution, routing resolution, and content conversion for all messages that move through a Hub Transport server.
- Local Message Delivery Only messages that are sent to a recipient with a mailbox in the same Active Directory site as the Hub Transport server on which categorization occurred are delivered locally. All messages delivered locally are picked up from a delivery queue by the Store driver and put in the recipient’s Inbox on a Mailbox server.
- Remote Message Delivery Remote message delivery occurs for messages that are sent to recipients in Active Directory sites that differ from the Hub Transport server on which categorization occurred, or for recipients that exist outside the Exchange organization. All messages that are sent to a different Active Directory site, to a mailbox that resides on a computer that is running an earlier version of Exchange, or to a mailbox that resides in a different Active Directory forest must be routed through a Send connector to a Hub Transport server that can deliver the message to the intended recipient. All messages that require delivery through the Internet must be routed through a Send connector to an Edge Transport server that can send messages to the Internet for delivery outside the organization, or to a Hub Transport server that is directly connected to the Internet.
- Message Submission Message submission is the process of putting messages into the Submission queue on a Hub Transport server. The categorizer then picks up one message at a time for categorization. There are four types of message submission:
SMTP submission through a Receive connector.
Submission through the Pickup directory or the Replay directory. Correctly formatted message files that are copied into the Pickup directory or the Replay directory are put directly into the Submission queue.
Submission by the Store driver, which picks up messages from a sender’s Outbox as they are sent.
Submission by an agent.
- SMTP submission through a Receive connector.
- Antivirus and Anti-spam Hub Transport services can be configured to provide additional layers of antivirus and anti-spam protection within the organization. This configuration is only recommended for small organizations that are not running Edge Transport server in the perimeter network. This configuration is achieved by using tasks that are contained within the Exchange Management Shell.
- Transport Rules Hub Transport servers let you apply transport rules to all messages that are sent and received in your organization. These transport rules, which are applied by the Transport Rules agent on Hub Transport servers, enable you to control or modify the delivery and content of messages based on conditions and exceptions that you configure. You can easily apply disclaimers, ethical walls, rights management, and more, to messages as they flow through your organization. Transport rules created on Hub Transport servers are automatically replicated using Active Directory to all Hub Transport servers in the organization. This enables you to apply the same messaging policies to your entire organization with ease.
- Journaling Exchange 2007 has greatly improved the journaling of messages that in and through your organization. You can now target journaling rules to specific senders or recipients, distribution lists and even messages sent to or from recipients and senders outside of the organization. You can specify whether journal reports are sent to an Exchange 2007 mailbox, or to Microsoft Exchange Hosted Services, or to a third-party archival solution. Journaling is done on Hub Transport servers by the Journaling agent, and all Hub Transport servers contain the same journaling configuration thanks to Active Directory replication. Because all messages that travel in and through your organization pass through a Hub Transport server, all messages encounter the Journaling agent. This provides you with a seamless journaling solution that can be applied throughout your organization.
Unified Messaging (UM) is new to the Microsoft Exchange product line. The Unified Messaging server role enables voice mail, e-mail, and fax messages to be stored in a user's mailbox. Users can then access their Exchange 2007 mailbox from a telephone or from a computer.
The Unified Messaging server role lets users access voice mail, e-mail, fax messages, and calendar information from an e-mail client such as Outlook or Outlook Web Access, from a mobile device that has Exchange ActiveSync enabled, such as a Windows Mobile® powered Smartphone or a personal digital assistant (PDA), or from a telephone.
Currently, many users and IT departments manage their voice mail and fax messages separately from their e-mail. Voice mail and e-mail messages are hosted on separate servers that are accessed through the desktop for e-mail and through the telephone for voice mail. Fax messages are not received into a user's inbox, but are instead received by stand-alone fax machines or a centralized fax server. Unified Messaging offers an integrated store for all messages and also enables users to access to their messages through the computer and the telephone.
Exchange 2007 Unified Messaging provides a single point of message administration for Exchange administrators in an organization. The functionality and features included with the Unified Messaging server role enable administrators to do the following:
Manage the voice mail, e-mail, and fax systems from a single administrative platform.
Manage Unified Messaging by using scriptable commands.
Build highly available and reliable Unified Messaging infrastructures.
Unified Messaging in Exchange 2007 gives users features such as:
- Auto Attendant An auto attendant is a set of voice prompts and system menus that gives users access to the Exchange 2007 Unified Messaging system. An auto attendant lets a caller use either the telephone keypad or speech inputs to navigate the menu, place a call to a user, or locate a user and then place a call to that user.
- Call Answering The Call Answering feature includes functionality to answer an incoming call on behalf of a user, play their personal greeting, record a message, and submit a message from another caller that will be delivered to their mailbox as an e-mail message.
- Fax Receiving The fax receiving feature lets users receive fax messages in their mailbox.
- Outlook Voice Access The Outlook Voice Access feature enables dial-in access from a telephone for UM-enabled users in an organization. Subscribers or those users who are UM-enabled can dial in to an Exchange 2007 Unified Messaging system and access their mailbox by using Outlook Voice Access. Outlook Voice Access users can access the Unified Messaging system and their mailbox by using either touchtone or voice inputs.
It is very exciting to see the scope of the new features that are introduced by these new server roles in Exchange 2007. I hope you have enjoyed this overview of Exchange 2007 server roles and look forward to hearing from you. Ideas and comments are welcome and can be sent to firstname.lastname@example.org.
For the most up-to-date information and to find additional Exchange 2007 documentation, visit the Exchange Server TechCenter.
For more information about Exchange 2007, including frequently asked questions, see the Frequently Asked Questions about Exchange Server 2007.