Reference Architecture Design



Previous versions of the reference architecture for Microsoft Solution for Hosted Messaging and Collaboration specified a flat, single-tiered deployment, consistent with and optimized for the messaging component based on Microsoft Exchange Server 2003.

With the upgrade to Microsoft Exchange Server 2007 in Microsoft Solution for Hosted Messaging and Collaboration version 4.0, the reference architecture has transitioned from the flat network design to a three-tiered, four-zone approach. This approach to networking has been used by telecommunication companies for data services to reduce the attack surface and secure data access.


Figure: Network reference architecture

The Hosted Messaging and Collaboration version 4.0 zones are as follows:

  • Zone 0 - "Boundary"
    • The area of the network that is closest to the Internet. Generally, this security zone contains the boundary routers, intrusion detection, first layer of denial of service (DoS) blocking, and boundary firewalls.
    • Secure Sockets Layer (SSL) and initial access/certificate validation may be located at this layer. Network Operation Center (NOC) services may be logically housed in this zone.
    • For Hosted Messaging and Collaboration, no solution servers are placed in this zone.
  • Zone 1 - "Edge"
    • This zone contains those servers and services that provide first level authentication, application proxy services (that is, ISA 2006), and load balancing across Zone 1 servers and services.
    • No domain membership in the Zone 3 Active Directory directory service and no direct connection to servers in Zone 3, for security purposes. This reduces the attack surface.
    • A "Secure by Default" approach. Locked down servers in this zone.
    • Communication via secure protocols between servers in Zone 1 and Zone 2.
  • Zone 2 - "Proxy"
    • Servers in this zone have domain membership with Active Directory in Zone 3.
    • Relays or "proxies" authentication requests between Zone 1 and Zone 3.
    • Two-tier services and/or applications make use of ISA in Zone 1 to publish secure application access in lieu of a dedicated Zone 1 or edge server.
  • Zone 3 - "Datacenter"
    • Most secure area of the network.
    • Data repository servers reside in this zone.
    • No direct access to these servers. Access is via proxies in Zone 2 or published services via ISA in Zone 1.
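The zone rules above can be written down as a policy and checked against a proposed host inventory and set of network flows before firewall rules are built. The following is an added example, not code from the Microsoft documentation; the zone numbers and names come from the list above, the hosts and flows are constructed for illustration, and the set of protocols treated as "secure" is an assumption (the page only requires secure protocols between Zone 1 and Zone 2).

```python
"""Policy check for the four-zone Hosted Messaging and Collaboration design.

Added example, not part of the original documentation. Encodes the zone
rules from the reference architecture and audits a constructed inventory.
"""
from dataclasses import dataclass

ZONES = {0: "Boundary", 1: "Edge", 2: "Proxy", 3: "Datacenter"}

# Assumption for this example: the page says only "secure protocols".
SECURE_PROTOCOLS = {"https", "ldaps", "smtps", "rpc-over-https"}


@dataclass(frozen=True)
class Host:
    name: str
    zone: int
    domain_joined: bool = False   # member of the Zone 3 Active Directory
    solution_server: bool = True  # part of the hosted messaging solution


@dataclass(frozen=True)
class Flow:
    src: Host
    dst: Host
    protocol: str


def check_host(host: Host) -> list[str]:
    """Return violations of the per-zone placement rules for one host."""
    problems = []
    if host.zone not in ZONES:
        return [f"{host.name}: unknown zone {host.zone}"]
    # Zone 0 holds boundary devices only; no solution servers live there.
    if host.zone == 0 and host.solution_server:
        problems.append(f"{host.name}: solution servers do not belong in Zone 0 (Boundary)")
    # Zone 1 servers must not be members of the Zone 3 directory.
    if host.zone == 1 and host.domain_joined:
        problems.append(f"{host.name}: Zone 1 (Edge) hosts must not join the Zone 3 domain")
    return problems


def check_flow(flow: Flow) -> list[str]:
    """Return violations of the tiering rules for one network flow."""
    problems = []
    s, d = flow.src, flow.dst
    # A flow may cross at most one tier boundary: Edge reaches the
    # Datacenter only through the Zone 2 proxies, never directly.
    if abs(s.zone - d.zone) > 1:
        problems.append(f"{s.name} -> {d.name}: skips a tier (Zone {s.zone} to Zone {d.zone})")
    # Edge <-> Proxy traffic must use a secure protocol.
    if {s.zone, d.zone} == {1, 2} and flow.protocol.lower() not in SECURE_PROTOCOLS:
        problems.append(f"{s.name} -> {d.name}: {flow.protocol} is not a secure protocol for Zone 1 <-> Zone 2")
    return problems


def audit(hosts: list[Host], flows: list[Flow]) -> list[str]:
    """Run every host and flow through the zone policy; return all findings."""
    findings = []
    for h in hosts:
        findings.extend(check_host(h))
    for f in flows:
        findings.extend(check_flow(f))
    return findings


def sample_findings() -> list[str]:
    """Audit a constructed inventory containing three deliberate mistakes."""
    rtr01 = Host("rtr01", 0, solution_server=False)   # boundary router
    isa01 = Host("isa01", 1)                           # ISA 2006 in the Edge zone
    cas01 = Host("cas01", 1, domain_joined=True)       # mistake: Edge host joined to domain
    prx01 = Host("prx01", 2, domain_joined=True)       # authentication proxy
    mbx01 = Host("mbx01", 3, domain_joined=True)       # data repository server
    flows = [
        Flow(rtr01, isa01, "https"),
        Flow(isa01, prx01, "https"),
        Flow(isa01, prx01, "http"),     # mistake: insecure protocol between Zone 1 and 2
        Flow(isa01, mbx01, "https"),    # mistake: Edge talking directly to the Datacenter
        Flow(prx01, mbx01, "ldaps"),
    ]
    return audit([rtr01, isa01, cas01, prx01, mbx01], flows)


if __name__ == "__main__":
    for finding in sample_findings():
        print("VIOLATION:", finding)
```

Running the script prints the three constructed violations (a domain-joined Edge host, plain HTTP between Zone 1 and Zone 2, and an Edge-to-Datacenter flow that bypasses the Zone 2 proxies); an empty result means the inventory conforms to the zone rules as encoded here.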