Using a Bridgehead Server Behind a Firewall


Topic last modified: 2005-05-20

Generally, if your organization contains multiple Exchange servers, you should use a bridgehead server to provide Internet connectivity to a routing group or an Exchange organization.

The following figure illustrates this topology.

[Figure: bridgehead server behind a firewall topology (image not included in this extract)]

If you use a bridgehead server, it is not necessary for every Exchange server to have Internet connectivity. This configuration enhances security because only the bridgehead server is exposed to the Internet.

Important

Because gateway servers usually have different security requirements than internal computers, you must examine your gateway servers carefully for security risks.

Basic Configuration

The basic configuration consists of an Exchange bridgehead server that is connected to the Internet and has the appropriate DNS configuration. An SMTP connector is installed on the bridgehead server and provides outgoing message delivery over the Internet. Furthermore, to protect the internal network, a firewall filters incoming Internet traffic and routes mail from the internal and external IP addresses.

The following lists provide general configuration requirements for the DNS servers, the Exchange bridgehead server, the Exchange member servers, and the firewall:

  • DNS servers
    Exchange relies on the existing DNS servers in its organization. Specifically, Exchange uses internal DNS to route internal messages and relies on the internal DNS server to forward and resolve external addresses through an external DNS server. To configure DNS in this way, ensure that the following conditions are met:

    • For the bridgehead server to be identified as the domain's mail server, the organization's external DNS server must contain an MX record for that bridgehead server. This DNS configuration allows inbound mail to be directed to the bridgehead server.
    • The organization's internal DNS server must have a forwarder to its external DNS server.
    • The Exchange server should point to the internal DNS server.
      For more information about how to configure DNS in this way, see Verifying DNS Design and Configuration.
  • Exchange bridgehead server

    • The Exchange bridgehead server has an Internet connection through the firewall on port 25.
    • The default SMTP virtual server is configured to send and receive Internet mail with the following default settings:
      - Bound to an IP address on port 25, the standard SMTP port.
      - Configured to allow anonymous access. You must allow anonymous access to your SMTP virtual server on your Exchange bridgehead server because Internet SMTP servers that send mail to this domain will not expect to authenticate.
      - Configured to not relay mail.
    • The SMTP connector that is hosted by the SMTP virtual server is configured with an address space of * (asterisk) to force all outgoing mail to use the bridgehead server.
  • Exchange member servers

    • These servers do not have a direct connection to the Internet.
    • These servers use the default settings on the SMTP virtual server.
  • Firewall
    The firewall is configured in accordance with your organizational guidelines and vendor specifications.

    Tip

    A complete discussion about firewall configuration is outside the scope of this guide. There are many ways you can configure a firewall to work with an SMTP relay server. You can allow either the firewall or the SMTP relay server to perform network address translation between internal and external addresses. For the purposes of this guide, mail flow through the firewall is treated as if it is transparent.

Inbound Internet Mail

Mail flows into an Exchange organization in the following manner:

  1. The remote SMTP server queries DNS to resolve the MX record for your mail domain and to obtain the IP address of your Exchange server.
  2. The remote SMTP server connects through the firewall to the SMTP virtual server on port 25.
  3. The SMTP virtual server accepts the incoming message and then routes the mail either to the Exchange server that hosts the user's mailbox or to a bridgehead server that delivers the message to another routing group.
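The two settings on the bridgehead's SMTP virtual server that matter most for security are "allow anonymous access" and "do not relay": together they mean an Internet MTA can deliver to the organization's own domains without authenticating, but cannot use the bridgehead to send mail to third parties. The following Python model, added here as an example and not taken from Exchange or from this guide, evaluates RCPT TO under that policy and then applies step 3 of the inbound flow (mailbox server in this routing group, or the bridgehead of the routing group that holds the mailbox). The domains, mailbox locations, server names and IP addresses are constructed.

```python
"""Model of the bridgehead's inbound SMTP policy: anonymous delivery to
accepted (local) domains is allowed, anonymous relay to foreign domains is
refused, and accepted mail is handed to the mailbox server or to the
bridgehead of another routing group. Added example; all data is constructed."""

from dataclasses import dataclass

# Constructed directory data, not real Exchange configuration.
LOCAL_DOMAINS = {"contoso.com", "corp.contoso.com"}
MAILBOXES = {                                  # recipient -> (server, routing group)
    "alice@contoso.com": ("MBX01", "RG-Seattle"),
    "bob@contoso.com": ("MBX07", "RG-London"),
}
ROUTING_GROUP_BRIDGEHEADS = {"RG-Seattle": "BH-SEA", "RG-London": "BH-LON"}
LOCAL_ROUTING_GROUP = "RG-Seattle"             # the group this bridgehead serves


@dataclass
class Session:
    """State of one SMTP session on the bridgehead's SMTP virtual server."""
    peer_ip: str
    authenticated: bool = False                # True only for internal Exchange servers


def rcpt_to(session: Session, recipient: str) -> str:
    """Return the SMTP reply for RCPT TO under the page's policy.

    - Anonymous access is allowed, so Internet senders never need to authenticate
      to deliver to a local domain.
    - Relaying is not allowed: a recipient outside the accepted domains is refused
      unless the session comes from an authenticated internal server, whose mail
      will leave through the SMTP connector.
    """
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        if recipient.lower() not in MAILBOXES:
            return "550 5.1.1 User unknown"
        return "250 2.1.5 Recipient OK"
    if session.authenticated:
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Unable to relay for " + recipient


def next_hop(recipient: str) -> str:
    """Inbound step 3: mailbox server in this routing group, or the bridgehead
    of the routing group that holds the mailbox."""
    server, group = MAILBOXES[recipient.lower()]
    if group == LOCAL_ROUTING_GROUP:
        return server
    return ROUTING_GROUP_BRIDGEHEADS[group]


def deliver(session: Session, recipient: str) -> str:
    """Combine the relay policy and the routing decision into one result."""
    reply = rcpt_to(session, recipient)
    if not reply.startswith("250"):
        return reply
    if recipient.rpartition("@")[2].lower() in LOCAL_DOMAINS:
        return f"{reply} -> {next_hop(recipient)}"
    return f"{reply} -> SMTP connector (*)"


if __name__ == "__main__":
    internet = Session("203.0.113.10")                 # anonymous Internet MTA
    member = Session("10.0.0.5", authenticated=True)   # internal Exchange server
    for sess, rcpt in [(internet, "alice@contoso.com"),
                       (internet, "bob@contoso.com"),
                       (internet, "partner@example.net"),
                       (member, "partner@example.net")]:
        print(f"{sess.peer_ip:>14} RCPT TO:<{rcpt}> {deliver(sess, rcpt)}")
```

The anonymous session to `partner@example.net` is the case to watch: if that line ever returned 250 on a real bridgehead, the server would be an open relay, which is exactly what the "do not relay" setting prevents.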

Outbound Internet Mail

Mail flows out of an Exchange organization in the following manner:

  1. An internal user sends a message to a recipient in an external domain.
  2. The internal user's Exchange server sends mail to the SMTP connector on the bridgehead.
    Because the connector is configured with an address space of * (which denotes all external domains), each Exchange server in the routing group sends external e-mail messages through the SMTP connector on the bridgehead server.
  3. The SMTP connector uses DNS to resolve the IP address of the recipient's e-mail server and to route the mail directly to the recipient's SMTP server.
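The outbound steps above are two decisions: a member server chooses the connector whose address space matches the recipient's domain, and the bridgehead resolves that domain's MX record to find the remote SMTP server. The following Python, added here as an example and not taken from Exchange or from this guide, models both. It goes slightly beyond the page's single `*` connector by including a second, more specific address space to show that the most specific match wins (cost only breaks ties), which is a simplified model of connector selection rather than Exchange's full routing engine. The connector names, domains and MX data are constructed, and a dictionary stands in for DNS so the code runs offline.

```python
"""Model of the outbound path: connector selection by address space, then MX
resolution for the recipient domain. Added example with constructed data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpConnector:
    name: str
    bridgehead: str
    address_space: str   # "*" matches every domain, "*.x" matches x and its subdomains
    cost: int = 1


# Constructed connectors. The page's topology needs only the "*" connector; the
# second one is here to show that a more specific address space beats "*".
CONNECTORS = [
    SmtpConnector("Internet Mail", "BH-SEA", "*", cost=1),
    SmtpConnector("Partner Link", "BH-SEA", "*.partner.example", cost=5),
]

LOCAL_DOMAINS = {"contoso.com"}

# Constructed stand-in for DNS: domain -> list of (preference, mail exchanger, IP).
FAKE_DNS = {
    "example.net": [(20, "mx2.example.net", "198.51.100.20"),
                    (10, "mx1.example.net", "198.51.100.10")],
    "mail.partner.example": [(10, "mx.partner.example", "192.0.2.25")],
}


def address_space_matches(space: str, domain: str) -> bool:
    """'*' matches everything; '*.x' matches x and any subdomain of x;
    anything else is an exact domain match."""
    if space == "*":
        return True
    if space.startswith("*."):
        suffix = space[1:]                      # e.g. ".partner.example"
        return domain == suffix[1:] or domain.endswith(suffix)
    return domain == space


def select_connector(recipient: str):
    """Return the connector for an external recipient, or None for local mail.

    Most specific matching address space wins; lower cost breaks ties.
    """
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return None
    candidates = [c for c in CONNECTORS if address_space_matches(c.address_space, domain)]
    if not candidates:
        raise LookupError(f"no connector routes {domain}")
    return max(candidates, key=lambda c: (len(c.address_space), -c.cost))


def resolve_mx(domain: str, dns=FAKE_DNS):
    """Outbound step 3: pick the MX record with the lowest preference value.
    The dns mapping is injectable so the function can be tested offline."""
    records = dns.get(domain)
    if not records:
        raise LookupError(f"no MX record for {domain}")
    _, host, ip = min(records, key=lambda r: r[0])
    return host, ip


def route_outbound(recipient: str):
    """Walk the outbound steps for one recipient: (bridgehead, MX host, MX IP),
    or ("local", None, None) when the recipient is in an accepted domain."""
    connector = select_connector(recipient)
    if connector is None:
        return ("local", None, None)
    host, ip = resolve_mx(recipient.rpartition("@")[2].lower())
    return (connector.bridgehead, host, ip)


if __name__ == "__main__":
    for rcpt in ["alice@contoso.com", "user@example.net", "user@mail.partner.example"]:
        print(f"{rcpt:<28} -> {route_outbound(rcpt)}")
```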