Configuration Steps - Creating an Edge Subscription between an Edge Transport Server Role and a Hub Transport Server Role in Exchange 2007

If you have been following this series of Blog entries on Exchange 2007 you will note I am building a complete Exchange 2007 Messaging Environment while 'transitioning' from Exchange 2003.  In a previous entry titled 'Installation Steps - Installing the Edge Transport Server Role on a Server with 2 Network Interface Cards' I offered the steps for a complete installation of the Edge Server Role in this environment.  Additionally, I offer the process for introducing the first Exchange 2007 Server into an existing Exchange 2003 Organization.  That Blog entry is titled 'Installation Steps - Installing the first Exchange 2007 Server into an Existing Exchange 2003 Organization' and can be found at the link indicated.

Now, we are ready to integrate secure communication between the Edge Transport Server Role (SMTP Relay with complete Anti-Spam, Sender ID, Connection Filtering and a lot more!) and the Hub Transport Server Role.  I begin this process by establishing an Edge Subscription.  This Subscription generates an XML File that contains the particular details for things like a Certificate Key Pair, Send Connector details and much more.  The XML Subscription File is then transported (USB Key, temporary Network Share, etc.) from the Edge Transport Server Role onto the Hub Transport Server Role, where it is 'read' and processed.  Finally, I initiate the Edge Synchronization process.  This configures the initial communication between the Hub Transport Server and the Edge Transport Server and the ongoing schedule for maintaining persistent communication.


I am logged into the first Exchange 2007 Server in the Exchange 2003 Organization and run the 'Test-ServiceHealth' Commandlet from the Exchange Management Shell.  The output indicates the required Services are running on this Server.  This Server is a combined Mailbox Server Role, Client Access Server Role and Hub Transport Server Role.

 


Then, I initiate the 'Test-SystemHealth' Exchange Command Shell Commandlet to identify any potential problems in the configuration that would preclude generation of an Edge Subscription in the topology.

 


The output from the 'Test-SystemHealth' Commandlet indicates no significant issues present.  The second Warning Message is indicative of using Virtual Server 2005 R2 SP1's default Network Interface Card Driver.  Again, this is not a significant issue.

 


On the Exchange 2007 Server I open the Exchange 2007 Management Console and move to the Recipients Node.  In this Node I select the Mailbox leaf which indicates 3 Mailboxes currently residing on an Exchange 2007 Mailbox Server (all Mailboxes noted as 'Legacy Mailbox' indicate they reside on an Exchange 2003 Mailbox Server).  These 3 Mailboxes include 1) Chong Weih, 2) Ralph McGee and 3) Tipton Longsford.  We will target an inbound e-mail from an Internet-based e-mail address to Ralph McGee through the Edge Transport Server Role as a test upon successful configuration of the Edge Transport Server Role.

 


Another validation: ICMP Traffic from the Hub Transport Server Role (k01-ad-ex2) to the Edge Transport Server Role (k01-ad-ex3) is possible.

 


I move and login to the Server with the Edge Transport Server Role installed (k01-ad-ex3) and observe the 2 Network Interface Cards I configured.  Note I indicated one NIC as '192.168.1.55_Edge_Internal' and one NIC as '10.20.1.1_Edge_External'. 

 


An ICMP Ping from the Edge Transport Server Role (k01-ad-ex3) over to the Hub Transport Server Role (k01-ad-ex2) validates basic TCP/IP communication.

 


When I open the Exchange 2007 Management Console on the Edge Transport Server Role, I note no values in the 'Accepted Domains' Tab.  Following the Edge Subscription we should find 'Accepted Domains' listed as one indication of a successful Edge Subscription and Edge Synchronization.

 


Here I temporarily move back to the Hub Transport Server Role to display no values in the 'Edge Subscription' Tab for the Hub Transport Server Role.  Additionally, I highlight the 'New Edge Subscription' item in the Action Pane to validate the selection AFTER we generate an Edge Subscription XML File.

 


Back over on the Edge Transport Server, I initiate the 'New-EdgeSubscription' Commandlet to generate an output XML File.  This XML File is then transported over to the Hub Transport Server to generate a new Edge Subscription.

 


XML Edge Subscription File successfully generated and located at the root of the C:\ Drive.

 


Same XML Edge Subscription File using Windows Explorer.  I have mapped a 'temporary drive letter' from the Edge Transport Server (where the XML File resides) to the Hub Transport Server (where the XML File is targeted).

 


Logged in back at the Hub Transport Server I invoke the 'New Edge Subscription' Wizard.

 


The 'New Edge Subscription Wizard' allows 'consumption' of the XML Edge Subscription File generated by the Edge Transport Server.

 


A successful import of the XML Edge Subscription File with no significant Warnings.

 


Now, the 'Start-EdgeSynchronization' Commandlet can be executed to initiate communication between the Edge Transport Server Role and the Hub Transport Server Role.

 


Success!  Edge Synchronization for the first time works flawlessly! 

 


I now use the 'Test-EdgeSynchronization' Commandlet to identify any potential problems in ongoing synchronization.

 


When I open the Exchange 2007 Management Console we note a number of changes as a result of the Edge Synchronization process.  Here I note the 2 Accepted Domains - 1) corp.itpslab.local and 2) itpslabmail.com.

 


On the Edge Transport Server Role using the Exchange 2007 Management Console on the 'Send Connector' Tab we note 2 new Send Connectors.

 


Now, moving over to the Hub Transport Server Role and selecting the 'Send Connectors' Tab I note the 2 Send Connectors for Inbound/Outbound communication between the Edge Transport Server and the Hub Transport Server in the Active Directory Site.

 


On the Hub Transport Server Role I also note new values in the 'Edge Subscription' Tab with a 'Healthy' synchronization icon for the Edge Transport Server as well.

 


On the Hub Transport Server Role the output of the 'Test-EdgeSynchronization' Commandlet indicates 'Succeeded' and 'Synchronized' across the Board.
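
The Hub Transport side of the procedure above, consolidated into one Exchange Management Shell script. This is an added example, not the author's own commands: the file name, the drive letter Z: and the Active Directory site name are assumptions. The 24-hour check and the cleanup are there because the subscription file carries bootstrap credentials that are only valid for 1440 minutes after it is generated.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server (k01-ad-ex2).
# The file is generated beforehand on the Edge Transport server (k01-ad-ex3):
#   New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"
# File name, drive letter and site name below are assumptions for illustration.

$ErrorActionPreference = 'Stop'          # abort on the first failing command

$source = 'Z:\EdgeSubscription.xml'      # temporary mapped drive to the Edge server
$local  = 'C:\EdgeSubscription.xml'      # working copy on the Hub Transport server
$site   = 'Default-First-Site-Name'      # AD site of the Hub Transport server

if (-not (Test-Path $source)) {
    throw "Subscription file not found: $source"
}

# The bootstrap credentials in the file expire 24 hours after generation.
# LastWriteTime is used here as a stand-in for the generation time.
$age = (Get-Date) - (Get-Item $source).LastWriteTime
if ($age.TotalHours -ge 24) {
    throw "Subscription file is $([int]$age.TotalHours) hours old; re-run New-EdgeSubscription on the Edge server."
}

Copy-Item $source $local

# Import the subscription (same result as the 'New Edge Subscription' Wizard).
New-EdgeSubscription -FileName $local -Site $site

# Push the first synchronization instead of waiting for the schedule,
# then show the per-item status for review.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List

# The file contains credentials: remove every copy and drop the temporary
# drive mapping once the import has succeeded.
Remove-Item $local  -Force
Remove-Item $source -Force
net use Z: /delete
```

Because the script stops on the first error, the file is only deleted after a successful import and synchronization; on failure it stays in place for a retry within the 24-hour window.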

 


Now I move to an Internal Workstation with the Outlook 2007 Client installed.  I login as an Exchange 2007 Mailbox holder named Ralph McGee.  Separate from any Screen Captures I moved to the External Interface of the Edge Transport Server with a Windows XP SP2 Client.  With this WinXPSP2 Client I initiated a Telnet Session over TCP Port 25 to generate an inbound e-mail from a fictitious Internet-based e-mail Server.  This process is an equivalent process that occurs when Internet-based e-mail Servers communicate to send/receive e-mail messages.  My fictitious Internet-based e-mail Sender was Chuck.Brown@supermail.int.  No such SMTP Namespace exists outside of my 'Virtual Lab' configuration. 

 


While logged in with the Outlook 2007 Client as Ralph McGee I successfully receive the e-mail from the Internet-based E-Mail user Chuck.Brown@supermail.int.  This validates inbound traffic flowing from Internet E-Mail Server --> Edge Transport Server Role --> Hub Transport Server Role --> Mailbox Server Role.  Success!

 


When I hit 'Reply' to the fictitious Internet-based E-Mail User Chuck.Brown@supermail.int while logged into Outlook 2007 as 'Ralph McGee' the e-mail correctly routes all the way to the Edge Transport Server Role.  In my 'Virtual Lab' configuration I have purposely not connected any of it to the 'real world'.  As such, the e-mail message destined for a fictitious Internet-based E-Mail Server sits in the Queue on the Edge Transport Server - exactly as it should!

Our next steps will include installing Forefront Security for Exchange (formerly Sybari Antigen) on a Mailbox Server Role for Anti-Virus, Content Filtering, File Filtering and more!

 

If you'd like to 'Learn Advanced IT' - Check out the Free Video Lessons on Windows 2008 SP2 Failover Cluster Nodes for Highly Available File Services and other Microsoft topics as well - http://www.exchangesummit.net

 

Lynn Lunik
Independent Security Consultant
Windows(R) Platform
IT Pro Secure Corporation
and
exchangesummit.net
http://itprosecure.com and http://www.exchangesummit.net
blog <at> itprosecure.com

      


Posted Sep 05 2007, 03:58 PM by lynn lunik

Comments

Exchange 2007 Operations wrote Installation Steps - Forefront Security for Exchange on the Exchange 2007 Mailbox Server Role
on 09-06-2007 2:24 PM

This Blog entry provides step-by-step installation steps through Screen Captures of a Forefront Security for Exchange installation on an Exchange 2007 Mailbox Server Role. Use of the EICAR Test File is provided to validate proper Virus 'trapping' for

lynnlunik wrote Configuration Steps - Creating an Edge Subscription between an Edge Transport Server Role and a Hub Transport Server Role in Exchange 2007
on 12-16-2008 9:07 AM

Configuration Steps - Creating an Edge Subscription between an Edge Transport Server Role and a Hub Transport

Copyright IT Pro Secure Corporation 2009-2010 - All Rights Reserved Worldwide
