Ch06 edge transport
Download as PPTX, PDF•0 likes•177 views
The document provides an overview of the Edge Transport Server role in Exchange 2013, detailing its purpose in managing internet-facing mail flow and enhancing security measures. It outlines installation requirements, synchronization processes, transport agent configurations, and anti-spam and anti-malware features. The document also covers address rewriting and connection filtering, including IP allow/block lists and sender reputation mechanisms.
Ch06 edge transport
- 2. Overview Edge Transport Server Role Edge Transport Server Installation and Synchronization Transport Agent Configuration 2
- 3. Edge Transport Server Overview Used to minimize the attack surface by handling all Internet-facing mail flow, providing additional layers of message protection and security. Installed in the network perimeter, and is not joined to the internal organization’s AD forest. Mail flow and recipient data is synchronized from the MB server to the Edge Transport server using EdgeSync. Install multiple ET servers for high availability. External MX records point to the ET servers. 3
- 4. ET Scenarios Internet mail flow ◦ Accepts mail from the Internet protecting the internal MB and CAS servers. ◦ Mail flows from the Internet to ET MB CAS when the roles are separately installed. ◦ Mail flows from the Internet to ET FrontEnd Transport (FET) on CAS Transport service on MB when CAS/MB are installed on the same server. Anti-spam and antivirus protection ◦ Blocks viruses and unsolicited email. Edge Transport rules ◦ Used to control the flow of messages by applying an action to messages meeting specified conditions. Address rewriting ◦ Presents a consistent email address appearance to external recipients. 4
- 6. Edge Transport Setup Support for Exchange 2013 Edge Transport started with SP1 Requirements ◦ x64 CPU, 4 GB RAM ◦ Preferred DNS set to the internal DNS server ◦ Standalone server ◦ DNS name suffix for the internal domain ◦ MB and ET servers must be able to locate each other using DNS name resolution ◦ ADLDS 6
- 7. Edge Transport Setup Once the Edge is installed you must create an Edge subscription file. This file is valid for 24 hours. Copy the Edge Subscription file to one of the mailbox servers in your site and run the following cmdlet to begin Edge synchronization. 7
- 8. Edge Transport Setup Start the Edge Synchronization process using the Start-EdgeSynchronization cmdlet on the MB server. Your Edge server is completely functional once Edge Synchronization has completed. Future changes to send/receive connectors are still completed on the MB server and then synchronized to the Edge server. Future synchronizations occur on a schedule: ◦ Configuration data: 3 minutes ◦ Recipient data: 5 minutes ◦ Topology data: 5 minutes 8
- 9. Transport Agents Inbound SMTP messages are processed for message hygiene by the ET server in a specific order using transport agents. All management is performed using EMS. 9
- 10. Connection Filtering Agents Connection filtering is an anti-spam feature available when using an Exchange 2013 Edge Transport server. ◦ IP Block List ◦ IP Block List Providers ◦ IP Allow List ◦ IP Allow List Providers Check to ensure the block list transport agent is configured. 10
- 11. Connection Filtering - IP Allow List The IP Allow list contains the IP addresses of email servers that you want to designate as trustworthy sources of email. ◦ You manually maintain the IP addresses in the IP Allow list. ◦ You can add individual IP addresses or IP address ranges. ◦ You can specify an expiration time that specifies how long the IP address entry will be allowed. When the expiration time is reached, the entry in the IP Allow list is disabled. ◦ Email from mail servers that you specify in the IP Allow list is exempt from processing by other Exchange anti-spam agents. 11
- 12. Connection Filtering - IP Allow List Adding a specific whitelist entry the Edge server will rate messages from the IP with a spam confidence level (SCL) of -1. Note that the command was entered at the Edge server, this is a requirement for the cmdlet to work. Message details before and after the IP allow list entry. 12
- 13. Connection Filtering - IP Block List 13
- 14. Sender Filtering You can select a specific sender or block entire domains including their subdomains. 14
- 15. Recipient Filtering Configures Exchange to only accept messages for existing recipients in your organization. Enabled using the “AddressBookEnabled” property on an Accepted Domain. By default, this is enabled on all authoritative accepted domains and disabled for internal and external relay domains. Check the AddressBookEnabled property using: 15 Although the Recipient Filter agent is also available on Mailbox servers, you shouldn't configure it. When recipient filtering on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is rejected. https://technet.microsoft.com/en-us/library/jj218660(v=exchg.150).aspx
- 16. Recipient Filtering Block specific recipients within your organization from receiving email using: The cmdlet displayed above also requires BlockListEnabled to be set to true. 16
- 17. Sender ID Filtering DNS-based filtering where the Exchange server checks for Sender Policy Framework (SPF) DNS records for the sending organization. Spoofing is assumed if no SPF record is found. 17 Set-SenderIDConfig –SpoofedDomainAction Reject –BypassedDomains Microsoft.com
- 18. Content Filtering Filter and delete incoming messages based on keywords. Works with the Spam Confidence Level (SCL) to identify the likelihood of spam. The SCL is from 0-9 where 9 is most likely spam. 18
- 19. Sender Reputation Uses a non-configurable protocol analysis agent to analyze statistics from SMTP senders. SRL is maintained in memory and restarts when the Edge Transport server’s transport service is restarted. Sender Reputation Level (SRL) is calculated based on: ◦ EHLO/HELO analysis ◦ Reverse DNS lookup ◦ SCL ratings of a particular sender ◦ Open proxy test on the sending SMTP serer The SRL is a rating from 0-9 where 9 is most likely to be spam. Reputation begins at 0 and begins checking the SRL after receiving 20 messages. SRL threshold is set to 7 by default. https://technet.microsoft.com/en-us/library/bb124512%28v=exchg.150%29.aspx 19 Error in Apress Pro Exchange 2013 SP1 PowerShell Administration has the SRL ratings reversed: Pg. 294
- 20. Spam Confidence Levels (SCL) The SCL is stamped in the X-header of each message. A rating from -1 to 9 is interpreted by filters and the default action is taken on inbound messages. Note that a -1 doesn’t guarantee a message won’t be denied as a deny from another transport agent could still be applied. 20 SCL Rating Spam Confidence Interpretation Default Action -1 Non-spam coming from a safe sender, safe recipient, or safe listed IP address (trusted partner) Deliver the message to the recipients’ inbox. 0, 1 Non-spam because the message was scanned and determined to be clean Deliver the message to the recipients’ inbox. 5, 6 Spam Deliver the message to the recipients’ Junk Email folder. 9 High confidence spam Deliver the message to the recipients’ Junk Email folder.
- 21. Import/Export Edge Configuration Configuration of Edge Transports servers is local and not shared among ET servers. Multiple ET servers can be configured using cloned configuration during the installation of the ET server role. The exported configuration can also serve as a backup configuration during recovery. Subsequent changes will need to be made independently. Generate the clone data xml file: Copy the xml file to the new Edge Transport server and import the clone data prior to configuring the edge subscription using: 21 .ExportEdgeConfig.ps1 –CloneConfigData:”C:TempEdgeClonedConfig.xml” .ImportEdgeConfig.ps1 –CloneConfigData:”C:TempEdgeClonedConfig.xml” –IsImport $true – CloneConfigAnswer:”C:TempCloneAnswerFile.xml”
- 22. Load Balancing Traffic between Edge Transport servers and the internal Exchange 2013 mailbox servers (in the same site as the ET server) is automatically load balanced using a round-robin mechanism and vice versa. Inbound traffic from the Internet to the Edge Transport servers is load balanced using multiple MX records with weighting or a single MX record pointing to a load balancer. 22
- 23. Anti-Malware The Edge Transport server doesn’t provide any anti-malware or anti-virus, instead this is offered using message hygiene services in the cloud – Microsoft Exchange Online Protection. The Mailbox Server role however comes with a default anti-malware engine that can perform content scanning for viruses, scanning all inbound and outbound messages in transit. Malware definition files are downloaded once per hour or can be downloaded manually. Mailbox server antivirus is enabled by default. 23
- 24. Address Rewriting Addresses can be rewritten at the Edge Transport server so that they appear to be coming from a different domain. This is useful when you have a primary Active Directory domain and multiple subdomains. ◦ For instance, recipients sending emails from the subdomain sales.contoso.com can have their address rewritten removing the sales domain. This provides a consistent email address for all employees. Configuration is only completed using EMS on the ET server. Must configure both the Address Rewriting Outbound agent and the Address Rewriting Inbound agents on the ET server when you have more than a single recipient or domain. 24
- 25. References Microsoft TechNet: Exchange Server 2013 Prerequisites ◦ https://technet.microsoft.com/en-CA/library/bb691354%28v=exchg.150%29.aspx#WS2012Edge Microsoft TechNet: Edge Transport servers ◦ https://technet.microsoft.com/en-us/library/bb124701(v=exchg.150).aspx Microsoft TechNet: Manage Connection Filtering on Edge Transport Servers ◦ https://technet.microsoft.com/en-us/library/bb124376(v=exchg.150).aspx 25