Network Architecture Scenarios

6/2/2010

This section provides network topology information for your Exchange Server 2007 and Windows Mobile 6 deployment. The following scenarios are illustrated:

  • ISA Server 2006 as an advanced firewall (behind a third-party firewall)
  • Use of a third-party firewall
  • Coexistence of Exchange Server 2003 and Exchange Server 2007

Deployment Options

The following scenarios represent a few of the many ways to implement a mobile messaging solution using Exchange Server 2007, ISA Server 2006, third-party firewalls, and Windows Mobile 6 devices. The scenarios are not presented in a preferred order.

Important

These options illustrate possible deployment strategies for your network. The final topology should take into account the specifics of your network, including available hardware and software, security considerations, projected usage, and the ability to provide optimal performance. Microsoft recommends that you thoroughly research all security considerations for your network prior to implementation. For ISA server reference material, see Step 4: Install and Configure ISA Server 2006 or Other Firewall. For third-party firewalls, consult the manufacturer's documentation for related security issues.

Option 1: ISA Server 2006 as an Advanced Firewall in a Perimeter Network

The first option is implementing ISA Server 2006 as your security gateway. ISA Server 2006 and Exchange Server 2007 enhance security features by providing protocol inspection in addition to SSL bridging and user authentication.

Note

The ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. It directly communicates with LDAP servers and the internal Exchange server(s). For increased security, the ISA server intercepts all SSL client requests and proxies them to the back-end Exchange server(s).

In this configuration, Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network. This adds an additional layer of security to your network.

All incoming Internet traffic over port 443 is intercepted by ISA Server 2006. The ISA server terminates the SSL connection, authenticates the user, and inspects the request. If the request is well formed, the ISA server forwards it to the Exchange Client Access server for processing.

For more information on Exchange client access, see Configuring ISA Server 2006 for Exchange 2007 Client Access.

The following list gives, for each setup type, its description and the considerations for deploying ISA Server 2006 as an advanced firewall in a perimeter network, domain joined, and in other potential ISA topologies.

Setup type: Firewall in workgroup in perimeter network

  • All Exchange servers are within the corporate network.
  • FBA or basic authentication.
  • SSL configured for Exchange ActiveSync to encrypt all messaging traffic.
  • The ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.
  • ISA Server 2006 directly communicates with LDAP and RADIUS servers.
  • LDAP authentication:
      • LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported.
      • Because each domain controller can only authenticate the users in its own domain, the ISA server by default queries the global catalog for the forest to validate user credentials.
  • RADIUS authentication:
      • RADIUS provides credentials validation.
      • The ISA server acts as the RADIUS client and relies on the RADIUS server's authentication response.
      • Password changes are not possible.
  • All Exchange traffic is pre-authenticated, reducing surface area and risk.
  • Client authentication to Exchange is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID. Client authentication to ISA is limited to FBA, basic, LDAP, and RADIUS.
  • Requires port 443 open on the firewall for inbound and outbound Internet traffic.
  • Requires a digital certificate to connect to the Configuration Storage server.
  • Limited to one Configuration Storage server (ADAM limitation).
  • Domain administrators do not have access to the firewall array.
  • Workgroup clients cannot use Windows authentication.
  • Requires management of mirrored accounts for monitoring arrays.

For further information on ISA authentication, see: https://go.microsoft.com/fwlink/?LinkID=87068.

Setup type: ISA Server 2006 domain-joined in perimeter network

  • Exchange Client Access server (CAS) in the enterprise forest.
  • As a domain member, ISA Server 2006 works with Active Directory.
  • Additional ports on the internal firewall are opened to facilitate domain member communication to Active Directory.
  • IPsec can be configured between the ISA server and the Exchange server to eliminate the need for additional open ports.
  • Some organizations may not wish to deploy domain resources outside the trusted local area network, because this may pose a security risk for some network topologies.

Setup type: ISA Server 2006 domain-joined in enterprise forest

  • Exchange front-end (FE) server in the enterprise forest.
  • As an enterprise domain member, ISA Server 2006 is a trusted domain member and follows domain policies. This also allows a more resilient Configuration Storage server (CSS) deployment.
  • No special firewall ports or IPsec tunnels are required; Kerberos constrained delegation (KCD) works more smoothly.

Option 2: Third-Party Firewall

The second option is to deploy your mobile messaging solution with a third-party firewall. The following conditions should be met to help create an efficient and more secure architecture:

  • Use SSL to encrypt all traffic between the mobile device and Exchange Server 2007.
  • Open port 443 inbound on each firewall between the mobile device and Exchange Server.
  • Set Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and Exchange server to optimize bandwidth for Direct Push technology.

Note

Consult firewall manufacturer documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout. For more information and guidelines on Direct Push, see Understanding Direct Push.
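Direct Push keeps an HTTPS session to the Client Access server open and silent for the length of the heartbeat interval, so any firewall or appliance on the path that times out idle sessions sooner than that will tear the session down and force the device onto shorter heartbeats. The following probe, added here as an example and not part of the original documentation, opens a connection, stays idle for a chosen interval, then sends an Exchange ActiveSync OPTIONS request to see whether the session survived; the local `_session_dropping_server` and its response are constructed stand-ins for a path with a given Idle Session Timeout.

```python
import socket, ssl, threading, time

# Minimal Exchange ActiveSync request; a Client Access server answers OPTIONS on this path.
EAS_OPTIONS = (b"OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1\r\n"
               b"Host: %s\r\nConnection: keep-alive\r\n\r\n")


def probe_idle_survival(host, port, idle_seconds, use_tls=True, timeout=30):
    """Connect, stay silent for idle_seconds (as a Direct Push heartbeat does),
    then send an EAS OPTIONS request. True when the server still answers,
    False when something on the path has torn the session down."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        time.sleep(idle_seconds)
        sock.sendall(EAS_OPTIONS % host.encode())
        return sock.recv(4096).startswith(b"HTTP/1.")
    except OSError:          # reset, EOF, TLS error or timeout: session is gone
        return False
    finally:
        sock.close()


def _session_dropping_server(idle_limit):
    """Constructed stand-in for a firewall/CAS path whose Idle Session Timeout
    is idle_limit seconds. Returns the local port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(idle_limit)
        try:
            if conn.recv(4096):  # request arrived before the idle limit expired
                conn.sendall(b"HTTP/1.1 200 OK\r\nMS-ASProtocolVersions: 2.5,12.0\r\n"
                             b"Content-Length: 0\r\n\r\n")
        except socket.timeout:
            pass                 # idle limit reached: drop the session silently
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def self_check(idle_limit=0.4):
    """A short idle gap survives the limit, a longer one is dropped: (True, False)."""
    survived = probe_idle_survival("127.0.0.1", _session_dropping_server(idle_limit), 0.1, use_tls=False)
    dropped = probe_idle_survival("127.0.0.1", _session_dropping_server(idle_limit), idle_limit * 3, use_tls=False)
    return survived, dropped
```

Against a real deployment, call `probe_idle_survival("mail.example.com", 443, 30 * 60)` (placeholder host) from outside the perimeter; a False result means a device on that path could not hold a 30-minute heartbeat.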

Setup type: Third-party firewall

Description: Open port 443 inbound on the third-party firewall(s). Configure Direct Push access for mobile devices.

Consideration: Does not require additional hardware or software for mobile messaging deployment.

Option 3: Exchange Server 2007 and Exchange Server 2003 Coexistence

For organizations that do not wish to migrate their entire enterprise architecture to Exchange Server 2007, a third option is available. If an Exchange Server 2007 Client Access server is installed as a front-end server, some of its new features can be used by mobile clients.

Note

Although this illustrates a possible topology for your IT infrastructure, Microsoft strongly recommends that all servers within a site run the same version of Microsoft Exchange.

The version of Exchange ActiveSync that a client uses also depends on the server version that hosts the user's mailbox. When a client connects to the Exchange Server 2007 Client Access server, the system checks where the user's mailbox is located. If the mailbox is on an Exchange Server 2003 Mailbox server, the system uses the Exchange Server 2003 version of the ActiveSync protocol; if the mailbox is on an Exchange Server 2007 Mailbox server, the system passes the connection to that Mailbox server, which uses the new version of ActiveSync with the device. A user whose mailbox is located on an earlier server version is therefore unable to use new features, such as SharePoint/UNC access and Exchange Search, because the older version of the ActiveSync protocol does not support these requests.

Note

To work, Exchange Search and other features and policies must be supported by the device. At this time, Windows Mobile 5 does not support policies and features that were not present in Exchange 2003 SP2.

Added benefits of using the Exchange Client Access server in the perimeter network include:

  • New Exchange management capabilities.
  • New Exchange mobile management capabilities.
  • Enhanced Exchange logging (export to SQL and Excel).
  • Ability to allow only provisioned devices to connect.

Important

The following features require the use of an Exchange Server 2007 Client Access server and Exchange Server 2007 Mailbox server, and are not available with this coexistence topology:

  • Set OOF remotely.
  • SharePoint and UNC access.
  • Flagging e-mail.
  • Search mailbox for mail.
  • Attendee viewing enhancements.
  • New security policy features for SD card encryption.
  • Group-based policies.
  • Any other features that rely on the new version of ActiveSync or the user's mailbox.

When you transition from Exchange Server 2003 to Exchange Server 2007, you will typically transition all the Exchange servers in a particular routing group or Active Directory site to Exchange 2007 at the same time, configure coexistence, and then transition the next site.

Important

Before you configure Client Access servers and decommission your Exchange 2003 front-end servers, determine whether you want to retain any Outlook Web Access settings or custom configurations, security updates, themes, and customization configurations from your Exchange Server 2003 front-end servers. Installation of Exchange Server 2007 requires 64-bit hardware, and no settings or custom configurations from Exchange Server 2003 are retained. Therefore, before you decommission your front-end servers and install Client Access servers, make sure that the Outlook Web Access settings and custom configurations on your Exchange Server 2003 back-end servers match the configurations on your Exchange Server 2003 front-end servers.

If you are installing the server roles on separate hardware, Microsoft recommends that you deploy the server roles in the following order:

  1. First, install the Client Access server role to replace all front-end servers.
  2. Deploy the Hub Transport server role and configure routing group connectors, send connectors, and receive connectors.
  3. Deploy the Mailbox server role and move user mailboxes to the new server.

Note

Further information on installing Exchange Server 2007 in your organization is discussed in Step 1: Install Exchange Server 2007 with Client Access Server Role.

Setup type: Exchange Server 2007 Client Access server and Exchange Server 2003 network in the corporate network

Description: Uses Exchange Server 2007 and Exchange Server 2003 in a front-end and back-end capacity, with the ability to use Exchange Server 2007 management capabilities.

Consideration: Microsoft recommends that all servers running within a site use the same Exchange version.

Authentication in ISA Server 2006

Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Front-end and back-end authentication configuration has been separated, providing more flexibility and granularity. Single sign-on (SSO) is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.

For most enterprise installations, Microsoft recommends ISA Server 2006 with LDAP authentication. In addition, ISA Server 2006 enables certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 on the Microsoft TechNet Web site.

The following list summarizes some of the features of ISA Server 2006, each feature followed by its description:

Support for LDAP authentication

LDAP authentication allows ISA server to authenticate to Active Directory without being a member of the domain.

For more information, see https://go.microsoft.com/fwlink/?LinkID=87069.

Authentication delegation

Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents requests from unauthenticated users, including exploit attempts, from reaching the published Web server. This functionality is detailed in Authentication in ISA Server 2006.

SecurID authentication for Web proxy clients

ISA Server 2006 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

RADIUS support for Web proxy client authentication

With ISA Server 2006, you can authenticate users against Active Directory and other authentication databases by using RADIUS. Web publishing rules can also use RADIUS to authenticate remote access connections.

Forms-based authentication with password and passphrase

With ISA Server 2006, you can perform two-factor authentication using a user name and password combined with a passphrase (SecurID or RADIUS one-time password).

Session management

ISA Server 2006 includes improved control of cookie-based sessions to provide better security and SSO for Web-based clients such as Outlook Web Access (OWA).

Certificate management

ISA Server 2006 simplifies certificate management. It is possible to utilize multiple certificates per Web listener and to use different certificates per array member.

For more information about how to configure ISA Server 2006 for Exchange 2007, see Configuring ISA Server 2006 for Exchange Client Access.