Network Architecture Scenarios
6/2/2010
This section provides network topology information for your Exchange Server 2007 and Windows Mobile 6 deployment. The following scenarios are illustrated:
- ISA Server 2006 as an advanced firewall (behind a third-party firewall)
- Use of a third-party firewall
- Coexistence of Exchange Server 2003 and Exchange Server 2007
Deployment Options
The following scenarios represent a few of the many ways to implement a mobile messaging solution using Exchange Server 2007, ISA Server 2006, third-party firewalls, and Windows Mobile 6 devices. The scenarios are not presented in a preferred order.
Important
These options illustrate possible deployment strategies for your network. The final topology should take into account the specifics of your network, including available hardware and software, security considerations, projected usage, and the ability to provide optimal performance. Microsoft recommends that you thoroughly research all security considerations for your network prior to implementation. For ISA server reference material, see Step 4: Install and Configure ISA Server 2006 or Other Firewall. For third-party firewalls, consult the manufacturer's documentation for related security issues.
Option 1: ISA Server 2006 as an Advanced Firewall in a Perimeter Network
The first option is implementing ISA Server 2006 as your security gateway. ISA Server 2006 and Exchange Server 2007 enhance security features by providing protocol inspection in addition to SSL bridging and user authentication.
Note
The ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. It directly communicates with LDAP servers and the internal Exchange server(s). For increased security, the ISA server intercepts all SSL client requests and proxies them to the back-end Exchange server(s).
In this configuration, Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network. This adds an additional layer of security to your network.
All incoming Internet traffic over port 443 is intercepted by the ISA Server 2006 computer. The ISA server terminates the SSL connection, authenticates the user, and inspects the request. If the request is well formed, the ISA server forwards it to the Exchange Client Access server for processing; requests that fail authentication or inspection are answered by the ISA server and never reach Exchange.
For more information on Exchange client access, see Configuring ISA Server 2006 for Exchange 2007 Client Access.
The following table lists considerations for deploying ISA Server 2006 as an advanced firewall in a perimeter network, as a domain-joined server, and in other potential ISA topologies.
Setup Type | Description | Consideration |
---|---|---|
Firewall in Workgroup in perimeter network | Password changes are not possible. | For further information on ISA authentication, see: https://go.microsoft.com/fwlink/?LinkID=87068. |
ISA Server 2006 domain-joined in perimeter network | | |
ISA Server 2006 domain-joined in enterprise forest | | |
Option 2: Third-Party Firewall
The second option is to deploy your mobile messaging solution with a third-party firewall. The following conditions should be met to help create an efficient and more secure architecture:
- Use SSL to encrypt all traffic between the mobile device and Exchange Server 2007.
- Open port 443 inbound on each firewall between the mobile device and Exchange Server.
- Set Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and Exchange server to optimize bandwidth for Direct Push technology.
Note
Consult firewall manufacturer documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout. For more information and guidelines on Direct Push, see Understanding Direct Push.
Setup Type | Description | Consideration |
---|---|---|
Third-party firewall | Open port 443 inbound on third-party firewall(s). Configure Direct Push access for mobile devices. | Does not require additional hardware or software for mobile messaging deployment. |
Option 3: Exchange Server 2007 and Exchange Server 2003 Coexistence
For organizations that do not want to migrate their entire enterprise architecture to Exchange Server 2007, a third option is available. If an Exchange Server 2007 Client Access server is installed as a front-end server, mobile clients can use some of the new features it offers.
Note
Although this illustrates a possible topology for your IT infrastructure, Microsoft strongly recommends that all servers within a site run the same version of Microsoft Exchange.
The version of Exchange ActiveSync that clients use also depends on the version of the server that hosts the user's mailbox. When a client connects to the Exchange Server 2007 Client Access server, the system checks where the user's mailbox is located. If it is on an Exchange Server 2003 Mailbox server, the system uses the Exchange Server 2003 version of the ActiveSync protocol; if it is on an Exchange Server 2007 Mailbox server, the system passes the connection to that Mailbox server, and the device uses the new version of ActiveSync. A user whose mailbox is located on an earlier server version is therefore unable to use new features, such as SharePoint/UNC access and Exchange Search, because the older version of the ActiveSync protocol does not support these requests.
Note
In order to work, Exchange Search and other features and policies must be supported by the device. At this time, Windows Mobile 5 does not support policies and features that were not present in Exchange 2003 SP2.
Added benefits of using the Exchange Client Access server in the perimeter network include:
- New Exchange management capabilities.
- New Exchange mobile management capabilities.
- Enhanced Exchange logging (export to SQL and Excel).
- Ability to allow only provisioned devices to connect.
Important
The following features require the use of an Exchange Server 2007 Client Access server and Exchange Server 2007 Mailbox server, and are not available with this coexistence topology:
- Set out-of-office (OOF) status remotely.
- SharePoint and UNC access.
- Flagging e-mail.
- Search mailbox for mail.
- Attendee viewing enhancements.
- New security policy features for SD card encryption.
- Group-based policies.
- Any other features that rely on the new version of ActiveSync or the user's mailbox.
When you transition from Exchange Server 2003 to Exchange Server 2007, you will typically transition all the Exchange servers in a particular routing group or Active Directory site to Exchange 2007 at the same time, configure coexistence, and then transition the next site.
Important
Before you configure Client Access servers and decommission your Exchange 2003 front-end servers, determine whether you want to retain any Outlook Web Access settings or custom configurations, security updates, themes, and customization configurations from your Exchange Server 2003 front-end servers. Installation of Exchange Server 2007 requires 64-bit hardware, and no settings or custom configurations from Exchange Server 2003 are retained. Therefore, before you decommission your front-end servers and install Client Access servers, make sure that the Outlook Web Access settings and custom configurations on your Exchange Server 2003 back-end servers match the configurations on your Exchange Server 2003 front-end servers.
If you are installing the server roles on separate hardware, Microsoft recommends that you deploy the server roles in the following order:
- First, install the Client Access server role to replace all front-end servers.
- Deploy the Hub Transport server role and configure routing group connectors, send connectors, and receive connectors.
- Deploy the Mailbox server role and move user mailboxes to the new server.
Note
For more information on installing Exchange Server 2007 in your organization, see Step 1: Install Exchange Server 2007 with Client Access Server Role.
Setup Type | Description | Consideration |
---|---|---|
Exchange Server 2007 Client Access server and Exchange Server 2003 in the corporate network. | Using Exchange 2007/2003 in a front-end and back-end capacity. Ability to utilize Exchange Server 2007 management capabilities. | Microsoft recommends that all servers running within a site use the same Exchange version. |
Authentication in ISA Server 2006
Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Front-end and back-end configuration has been separated, providing more flexibility and granularity. Single sign-on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.
For most enterprise installations, Microsoft recommends ISA Server 2006 with LDAP authentication. In addition, ISA Server 2006 enables certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 on the Microsoft TechNet Web site.
The following table summarizes some of the features of ISA Server 2006:
Feature | Description |
---|---|
Support for LDAP authentication | LDAP authentication allows the ISA server to authenticate users against Active Directory without being a member of the domain. For more information, see https://go.microsoft.com/fwlink/?LinkID=87069. |
Authentication delegation | Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits by unauthenticated users from reaching the published Web server. This functionality is detailed in Authentication in ISA Server 2006. |
SecurID authentication for Web proxy clients | ISA Server 2006 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server. |
RADIUS support for Web proxy client authentication | With ISA Server 2006, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections. |
Forms-based authentication with password and passphrase | With ISA Server 2006, you can perform two-factor authentication using a username/password combination together with a passphrase (SecurID/RADIUS one-time password). |
Session management | ISA Server 2006 includes improved control of cookie-based sessions to provide better security and single sign-on for Web-based clients such as Outlook Web Access. |
Certificate management | ISA Server 2006 simplifies certificate management. It is possible to use multiple certificates per Web listener and different certificates per array member. |
For more information about how to configure ISA Server 2006 for Exchange 2007, see Configuring ISA Server 2006 for Exchange Client Access.
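The following Python program is an added illustration of the "authenticate, inspect, forward" decision described for Option 1 and again under "Authentication delegation" above: an unauthenticated or malformed request is answered by the gateway itself and never reaches the Client Access server. It is not ISA Server or Exchange code; the internal host name, the user directory, the password, and the subset of ActiveSync command names are all constructed for the demonstration, and the directory dictionary stands in for the LDAP or Active Directory lookup the ISA server would perform.

```python
"""Simulation of the pre-authentication and inspection a publishing firewall performs
in front of an Exchange 2007 Client Access server. Added example, not ISA or Exchange
code; every host name, user and password below is constructed."""
import base64
import hmac
from urllib.parse import parse_qs, urlsplit

INTERNAL_CAS = "cas01.corp.example"               # constructed internal CAS host
PUBLISHED_PATH = "/microsoft-server-activesync"    # the only path the rule publishes
ALLOWED_METHODS = {"OPTIONS", "POST"}
# Subset of Exchange ActiveSync command names; enough for the demonstration.
KNOWN_COMMANDS = {"Sync", "FolderSync", "Ping", "Provision", "GetItemEstimate", "Search"}
MAX_BODY = 4 * 1024 * 1024
# Constructed stand-in for the LDAP / Active Directory lookup the ISA server performs.
DIRECTORY = {"alice": "correct horse battery staple"}


def basic_header(user, password):
    """Value of an HTTP Basic Authorization header, as a mobile device sends it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(method, target, headers, body=b""):
    """Serialise a request the way it looks after the gateway has terminated SSL."""
    head = f"{method} {target} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + body


def parse_request(raw):
    """Return a dict for a syntactically valid request, or None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers, "body": body}


def authenticate(headers):
    """Check Basic credentials against the directory; return the user name or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    user = user.rsplit("\\", 1)[-1]            # accept DOMAIN\user as well as a bare user name
    expected = DIRECTORY.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def inspect(req):
    """Return None when the request is well formed for the EAS rule, else the reason."""
    if req["method"] not in ALLOWED_METHODS:
        return "method not allowed"
    url = urlsplit(req["target"])
    if url.path.lower() != PUBLISHED_PATH:
        return "path not published"
    if req["method"] == "POST":
        cmd = parse_qs(url.query).get("Cmd", [""])[0]
        if cmd not in KNOWN_COMMANDS:
            return "unknown ActiveSync command"
        if len(req["body"]) > MAX_BODY:
            return "body too large"
    return None


def gateway(raw):
    """Apply the pipeline. Returns (status, forwarded): status is the code the gateway
    answers with itself, or None when the request is handed to the internal CAS."""
    req = parse_request(raw)
    if req is None:
        return 400, None
    user = authenticate(req["headers"])
    if user is None:                            # unauthenticated traffic never reaches Exchange
        return 401, None
    if inspect(req) is not None:                # malformed traffic never reaches Exchange either
        return 403, None
    forwarded = {"host": INTERNAL_CAS, "method": req["method"], "target": req["target"],
                 "user": user, "body": req["body"]}
    return None, forwarded


if __name__ == "__main__":
    hdr = {"Host": "mail.example", "Authorization": basic_header("CORP\\alice", "correct horse battery staple")}
    sync = build_request("POST", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=D1&DeviceType=PocketPC",
                         hdr, b"\x03\x01j\x00")          # constructed WBXML-looking body
    print(gateway(sync))                                                   # forwarded to cas01
    print(gateway(build_request("GET", "/owa/", {"Host": "mail.example"})))  # 401, no credentials
    print(gateway(build_request("POST", "/exchange/", hdr)))               # 403, path not published
```

The order of the checks mirrors the text: credentials are verified first, so an anonymous client learns nothing about which paths or commands the internal server accepts, and only a request that is both authenticated and well formed is forwarded with the verified user identity attached.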