Network Architecture Scenarios and Exchange Server 2010

7/2/2010

This topic provides network topology information for your Microsoft Exchange Server 2010 and Windows Mobile 6.5 deployment. The following scenarios are illustrated:

  • ISA Server 2006 SP1 as an advanced firewall (behind a third-party firewall)
  • Use of a third-party firewall
  • Co-existence of Exchange Server 2007 and Exchange Server 2010

Deployment Options

The following scenarios represent a few of the many ways to implement a mobile messaging solution using Exchange Server 2010, ISA Server 2006 SP1, third-party firewalls, and devices with Windows Mobile 6.5. The scenarios are not presented in a preferred order.

Important

These options illustrate possible deployment strategies for your network. The final topology should take into account the specifics of your network, including available hardware and software, security considerations, projected usage, and the ability to provide optimal performance. Microsoft recommends that you thoroughly research all security considerations for your network prior to implementation. For ISA server reference material, see Step 4: Install and Configure ISA Server 2006 SP1 or Other Firewall. For third-party firewalls, consult the manufacturer's documentation for related security issues.

Option 1: ISA Server 2006 SP1 as an Advanced Firewall in a Perimeter Network

The first option is implementing ISA Server 2006 SP1 as your security gateway. ISA Server 2006 SP1 and Exchange Server 2010 enhance security features by providing protocol inspection in addition to SSL bridging and user authentication.

Note

The ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. It directly communicates with LDAP servers and the internal Exchange server(s). For increased security, the ISA server intercepts all SSL client requests and proxies them to the back-end Exchange server(s).

In this configuration, Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network. This adds an additional layer of security to your network.

All incoming Internet traffic over port 443 is intercepted by the ISA Server 2006 computer. The ISA server terminates the SSL connection, authenticates the user, and inspects the request. If the request is well formed, the ISA server forwards it to the Exchange Client Access server for processing.

For more information, see Microsoft Internet Security and Acceleration (ISA) Server 2006 on the Microsoft TechNet Web site.
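Added example (not code from the original article) of the gate the ISA server applies to each request after SSL termination in this option: authenticate the user first, inspect the request second, and forward to the Client Access server only when both pass. The directory, the user `contoso\alice`, the password and the device values are constructed; the query parameters Cmd, User, DeviceId and DeviceType are the ones an Exchange ActiveSync command request carries.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the LDAP/RADIUS directory the ISA server would consult.
_SALT = b"constructed-salt"

def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

DIRECTORY = {"contoso\\alice": _digest("Passw0rd!")}   # constructed account
EAS_PATH = "/Microsoft-Server-ActiveSync"
REQUIRED_PARAMS = ("Cmd", "User", "DeviceId", "DeviceType")  # carried by every EAS command

def basic_header(user, password):
    """Authorization header a phone sends when the listener uses basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticate(headers):
    """Return the user name if the Basic credentials validate against DIRECTORY, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = DIRECTORY.get(user.lower())
    if expected is None or not hmac.compare_digest(expected, _digest(password)):
        return None
    return user

def is_well_formed(method, target):
    """Inspection step: an EAS command is a POST to the EAS path with the required parameters."""
    parts = urlsplit(target)
    if method != "POST" or parts.path != EAS_PATH:
        return False
    query = parse_qs(parts.query)
    return all(name in query for name in REQUIRED_PARAMS)

def gate(method, target, headers):
    """What the ISA server does with one decrypted request: ('forward', user) or ('reject', reason).
    Authentication runs first, so unauthenticated requests never reach the Client Access server."""
    user = authenticate(headers)
    if user is None:
        return ("reject", "401 unauthenticated")
    if not is_well_formed(method, target):
        return ("reject", "400 malformed")
    return ("forward", user)
```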

The following table lists considerations for deploying ISA Server 2006 SP1 as an advanced firewall in a perimeter network, as a domain-joined server, and in other potential ISA topologies.

Setup type: Firewall in workgroup in perimeter network

Description:

  • All Exchange servers are within the corporate network
  • FBA or basic authentication
  • SSL configured for Exchange ActiveSync to encrypt all messaging traffic
  • ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic
  • ISA Server 2006 SP1 directly communicates with LDAP and RADIUS servers
  • LDAP authentication
    • LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported
    • Because each domain controller can only authenticate the users in its own domain, the ISA server by default queries the global catalog for the forest to validate user credentials
  • RADIUS authentication
    • RADIUS provides credential validation
    • The ISA server is the RADIUS client and allows or denies access depending upon the RADIUS authentication response
    • Password changes are not possible

Consideration:

  • All Exchange traffic is pre-authenticated, reducing surface area and risk
  • Client authentication to Exchange is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID
  • Client authentication to ISA is limited to FBA, basic, LDAP, and RADIUS
  • Requires port 443 open on the firewall for inbound and outbound Internet traffic
  • Requires a digital certificate to connect to the Configuration Storage server
  • Limited to one Configuration Storage server (ADAM limitation)
  • Domain administrators do not have access to the firewall array
  • Workgroup clients cannot use Windows authentication
  • Requires management of mirrored accounts for monitoring arrays

For further information on ISA authentication, go to this Microsoft Web site.

Setup type: ISA Server 2006 SP1 domain-joined in perimeter network

Description:

  • Exchange Client Access server (CAS) in the enterprise forest
  • As a domain member, ISA Server 2006 SP1 works with Active Directory

Consideration:

  • Additional ports on the internal firewall are opened to allow domain member communication with Active Directory
  • IPsec can be configured between the ISA server and the Exchange server to eliminate the need for additional open ports
  • Some organizations may not wish to deploy domain resources outside the trusted local area network, because this may pose a security risk for some network topologies

Setup type: ISA Server 2006 SP1 domain-joined in enterprise forest

Description:

  • Exchange front end (FE) in the enterprise forest
  • As an enterprise domain member, the ISA server is a trusted domain member and follows domain policies. This also allows a more resilient Configuration Storage server (CSS) deployment.

Consideration:

  • No special firewall ports or IPsec tunnels are required; Kerberos constrained delegation (KCD) works more smoothly

Option 2: Third-Party Firewall

The second option is to deploy your mobile messaging solution with a third-party firewall. The following conditions should be met to help create an efficient and more secure architecture:

  • Use SSL to encrypt all traffic between the mobile device and Exchange Server 2010
  • Open port 443 inbound on each firewall between the Windows® phone and Exchange Server
  • Set Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the phone and Exchange server to optimize bandwidth for Direct Push Technology

Note

Consult firewall manufacturer documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout. For more information and guidelines on Direct Push Technology, see Understanding Direct Push and Exchange Server 2010.
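To show why the 30-minute Idle Session Timeout matters, here is an added, simplified model (not from the article, and not the real client algorithm) of a Direct Push phone adjusting its heartbeat behind a firewall: the device lengthens its heartbeat while Ping requests succeed, up to an assumed 30-minute maximum, and backs off to the last interval that survived when the firewall silently drops an idle session. Starting interval, step and the eight-hour horizon are constructed values.

```python
# Simplified model of the Direct Push heartbeat versus a firewall idle-session timeout.
# Assumptions (not from the article): the device never asks for more than 30 minutes,
# grows the heartbeat by a fixed step after each successful Ping, and after a drop
# falls back to the last interval the firewall let through.
MAX_HEARTBEAT = 1800   # seconds; assumed 30-minute ceiling matching the recommendation
MIN_HEARTBEAT = 60     # seconds; constructed floor
START = 240            # seconds; constructed first heartbeat
STEP = 240             # seconds; constructed growth after each successful Ping


def simulate_direct_push(idle_timeout, horizon=8 * 3600):
    """Run the model for `horizon` seconds behind a firewall whose idle-session
    timeout is `idle_timeout` seconds. Returns the number of Ping requests that
    completed, the number the firewall cut off, and the interval the device
    settled on. Each cut-off Ping is wasted bandwidth plus a reconnect."""
    elapsed = 0
    interval = START
    ceiling = MAX_HEARTBEAT   # highest interval the device will still try
    last_good = None          # last interval that survived the firewall
    pings = dropped = 0
    while True:
        # A heartbeat longer than the timeout is cut after `idle_timeout` seconds of
        # silence; the device only notices because its wait ends without a reply.
        cost = idle_timeout if interval > idle_timeout else interval
        if elapsed + cost > horizon:
            break
        elapsed += cost
        if interval > idle_timeout:
            dropped += 1
            ceiling = last_good if last_good is not None else max(interval // 2, MIN_HEARTBEAT)
            interval = ceiling
        else:
            pings += 1
            last_good = interval
            interval = min(interval + STEP, ceiling)
    return {"pings": pings, "dropped": dropped, "settled_interval": last_good}
```

With a 30-minute timeout the model climbs to the full heartbeat and never loses a session; with a 5-minute timeout it is cut off once, settles at 4 minutes, and issues roughly six times as many requests over the same period.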

Setup type: Third-party firewall

Description: Open port 443 inbound on the third-party firewall(s). Configure Direct Push access for phones.

Consideration: Does not require additional hardware or software for the mobile messaging deployment.

Option 3: Exchange Server 2010 and Exchange Server 2007 Co-existence

For organizations that do not wish to migrate their whole enterprise architecture to Exchange Server 2010, a third alternative is available. To use the new Exchange Server 2010 features, you must run Exchange Server 2010 in both the Client Access server and Mailbox server roles.

Note

Although this illustrates a possible topology for your IT infrastructure, Microsoft strongly recommends that all servers within a site run the same version of Microsoft Exchange.

The version of Exchange ActiveSync that a client uses depends on the server version that hosts the user's mailbox. When a client connects to the Exchange Server 2010 Client Access server, the Client Access server looks up where the user's mailbox is located. If the mailbox is on an Exchange Server 2007 Mailbox server, the connection uses the Exchange Server 2007 version of the Exchange ActiveSync protocol; if the mailbox is on an Exchange Server 2010 Mailbox server, the Client Access server passes the connection on to that Mailbox server, and the phone uses the new version of Exchange ActiveSync. As a result, a user whose mailbox is located on an earlier server version cannot use features such as SharePoint/UNC access and Exchange Search.

Note

The Client Access server role should never be installed in the perimeter network unless you are deploying Exchange as part of a Windows Small Business Server deployment. In that configuration, Microsoft recommends that you use a firewall to funnel all Internet traffic that is bound for your Client Access server. It is also a best practice to run the Exchange Best Practices Analyzer before proceeding with your deployment.

Important

The following features require the use of an Exchange Server 2010 Client Access server and an Exchange Server 2010 Mailbox server, and are not available with this co-existence topology:

  • Set Out of Office (OOF) remotely
  • SharePoint and UNC access
  • Flagging e-mail
  • Search mailbox for mail
  • Attendee viewing enhancements
  • New security policy features for SD card encryption
  • Group-based policies
  • Any other features that rely on the new version of Exchange ActiveSync or the user's mailbox

When you transition from Microsoft Exchange Server 2007 to Microsoft Exchange Server 2010, you will typically transition all the Exchange servers in a particular routing group or Active Directory site to Exchange 2010 at the same time, configure co-existence, and then transition the next site.

Important

Before you configure Client Access servers and decommission your Exchange 2007 servers, determine whether you want to retain any Outlook Web Access settings or custom configurations, security updates, themes, and customization configurations from your Exchange Server 2007 servers. Installation of Exchange Server 2010 requires 64-bit hardware, and no settings or custom configurations from Exchange Server 2007 are retained. Before you decommission your front-end servers and install Client Access servers, make sure that the Outlook Web Access settings and custom configurations in Exchange Server 2010 Client Access servers match the configurations on your Exchange Server 2010 Mailbox server.

Microsoft recommends that you deploy the server roles as follows:

  1. For e-mail messages to flow correctly, you must install both the Mailbox server role and the Hub Transport server role in the same Active Directory site.
  2. You can also install the Mailbox server role, the Hub Transport server role, the Client Access server role, and the Unified Messaging server role on the same computer or on separate computers.
  3. If you choose to install the Edge Transport server role, note that it cannot coexist on the same computer with any other server role. You must deploy the Edge Transport server role in the perimeter network and outside the Active Directory forest.

Note

For more information on installing Exchange Server 2010 in your organization, see Step 1: Install Microsoft Exchange Server 2010 with Client Access Server Role.

Setup type: Exchange Server 2010 Client Access server and Exchange Server 2007 network in the corporate network

Description: Ability to utilize Exchange Server 2010 management capabilities.

Consideration: Microsoft recommends that all servers running within a site use the same Exchange version.

Authentication in ISA Server 2006 SP1

Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Front-end and back-end authentication configuration has been separated, providing more flexibility and granularity. Single sign-on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.

For most enterprise installations, Microsoft recommends ISA Server 2006 SP1 with LDAP authentication. In addition, ISA Server 2006 SP1 enables certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 SP1 on the Microsoft TechNet Web site.

The following table summarizes some of the features of ISA Server 2006 SP1:

Feature Description

Support for LDAP authentication

LDAP authentication allows the ISA server to authenticate users against Active Directory without being a member of the domain. For more information, go to this Microsoft Web site.

Authentication delegation

Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 SP1 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits by unauthenticated users from reaching the published Web server. This functionality is detailed in Authentication in ISA Server 2006 SP1 on the Microsoft TechNet Web site.

SecurID authentication for Web proxy clients

ISA Server 2006 SP1 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

RADIUS support for Web proxy client authentication

With ISA Server 2006 SP1, you can authenticate users against Active Directory and other authentication databases by using RADIUS, with the RADIUS server querying Active Directory on the ISA server's behalf. Web publishing rules can also use RADIUS to authenticate remote access connections.

Forms-based authentication with password and passphrase

With ISA Server 2006 SP1, you have the ability to perform two-factor authentication using a username/password combination together with a passphrase (SecurID/RADIUS one-time password).

Session management

ISA Server 2006 SP1 includes improved control of cookie-based sessions to provide better security and single sign-on for Web-based clients such as OWA.

Certificate management

ISA Server 2006 SP1 simplifies certificate management. It is possible to utilize multiple certificates per Web listener and to use different certificates per array member.

See Also

Concepts

Deploying Mobile Messaging for Microsoft Exchange Server 2010