Tuesday, 4 October 2011

Collection:Exchange 2007 Edge Transport Server Role(1)

To back up an Edge Transport Server by using ExportEdgeConfig.ps1
  1. Copy the ExportEdgeConfig.ps1 script to the root folder of your user profile on the server that you are backing up.
  2. Capture the configuration with the ExportEdgeConfig.ps1 script by running the following command in the Exchange Management Shell:


./ExportEdgeConfig -cloneConfigData:"C:\CloneConfigData.xml"

Note:
Replace C:\CloneConfigData.xml with the full path of the XML backup file to be created by the ExportEdgeConfig.ps1 script.


The confirmation message, "Edge configuration data is exported successfully to: C:/CloneConfigData.xml," appears.
3.      Copy the output file to a secure location.

To restore an Edge Transport Server by using the ImportEdgeConfig.ps1 script
  1. Perform a clean installation of the Edge Transport server that has the same server name as the server you are restoring.
  2. Copy the ImportEdgeConfig.ps1 script to the root folder of your user profile on the server that you are restoring.
  3. Validate the configuration file and create an answer file that will provide server-specific information when the file is imported by running the following command in the Exchange Management Shell:
./importedgeconfig.ps1 -cloneConfigData "C:\CloneConfigData.xml" -isImport $false -CloneConfigAnswer "C:\CloneConfigAnswer.xml"
  1. Open the answer file and modify any settings that are invalid for the server. If no modifications are required, the answer file will have no entries. Save your changes.
  2. Import the Edge Transport server configuration by using the ImportEdgeConfig.ps1 script. Run the following command in the Exchange Management Shell:
./importedgeconfig.ps1 -cloneConfigData "C:\CloneConfigData.xml" -isImport $true -CloneConfigAnswer "C:\CloneConfigAnswer.xml"


Note:
Replace C:\CloneConfigData.xml with the full path of the intermediate XML template that will be used by the ImportEdgeConfig.ps1 script. Replace C:\CloneConfigAnswer.xml with the full path of the XML answer file.


The confirmation message, "Importing Edge configuration information succeeded," appears.
  1. Run the Edge Sync process to replicate Active Directory information to ADAM and perform regularly scheduled synchronization.

How to configure Edge to Sync with Hub Transport

1) In Exchange MSH, type:New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
2) Transfer the xml file to a thumb drive and copy to the Hub Transport Server

3) In Hub Transport Server, Open the Exchange Management Console. Expand Organization Configuration, select Hub Transport, and then in the result pane, click the Edge Subscriptions tab.

4) In the action pane, click New Edge Subscription. The New Edge Subscription Wizard starts.

5) On the New Edge Subscription page, in the Active Directory Site: drop-down list, select the Active Directory site where you want the Hub Tranport to sync with Edge.
NOTE: The Hub Transport to sync should be in the site selected
6) On the New Edge Subscription page, click Browse. Locate the Edge Subscription file to import. Select the file, and then click Open.

7) On the New Edge Subscription page, click New.

8) On the Completion page, click Finish.

Edge Transport will only sync with the Hub Transport every 4 hours. To force its sync, type the following command in Hub Transport:
Start-EdgeSynchronization

SCW

The Edge Transport server role in Exchange 2007 performs a number of functions including routing messages between the Exchange organization and the internet, as well as providing Anti-virus and Anti-Spam protection. It is meant to be installed on the edge of the corporate network, or on a screened subnet. This location makes it more vulnerable than the servers on your protected network. This means you are required to do a little more work to secure the server itself. The Security Configuration Wizard in Windows Server 2003 SP1 is an ideal tool to use to reduce the attack surface of your Edge Transport server(s).
The Security Configuration Wizard (SCW) is a new feature in Windows Server 2003 that is part of Service Pack 1. It is an easy to use wizard that allows you to quickly create and apply security templates to servers. Being wizard based, it is very user friendly and has some great features to help you secure, not only your Edge Transport servers, but all your Windows 2003 SP1 servers. Some of my favorite features include the ability to copy the XML file to other servers and apply them throughout the network and the ability to rollback changes in case you went overboard with the restrictions and broke something. If you are unfamiliar with this new tool be sure to check the links at the end of this article for more information.

Installing SCW

Installing the Security Configuration Wizard is pretty straight-forward. Open up Add/Remove Programs, select Add/Remove Windows Components and scroll down the list until you see Security Configuration Wizard (see Figure 1). Check the box and click Next to complete the installation.


                                              Figure 1: Install Security Configuration Wizard
That takes care of the basic installation. For Exchange 2007 servers there is one more step. You must register the Exchange2007.xml & Exchange2007Edge.xml files for SCW to be able to load and apply the rules. If you are planning on using SCW only to configure the Edge Transport Server, you only need to use the Exchange2007Edge.xml, but if you are running SCW to configure multiple Exchange Servers, I would recommend registering both.
Begin by browsing to C:\Program Files\Microsoft\Exchange Server\Scripts and locate a file called Exchange2007.XML & Exchange 2007Edge.XML. Copy these files to %windir%\Security\msscw\kbs. Once complete open up a command prompt. From the command line change directories to %windir%\System32 and run the following command:
SCWCMD Register /kbname:MSExchangeEdge kbfile:%windir%\security\msscw\kbs\Exchange2007Edge.xml
SCWCMD Register /kbname:MSExchange kbfile:%windir%\security\msscw\kbs\Exchange2007.xml (Not required unless running SCW remotely to configure multiple Exchanger Servers)




                                         Figure 2: Register Exchange 2007 SCW Database
Believe it or not, that was the hard part!

Running SCW

With all that out of the way we are ready to run SCW and lock down our Edge Transport Server. To launch SCW, click Start > Programs > Administrative Tools > Security Configuration Wizard. You will be welcomed with the Welcome to the Security Configuration Wizard page at which you can click next to begin. On the next screen you will be asked to create, edit, apply or rollback a configuration. The last one is a lifesaver if you happen to mess up and things stop working. We are starting with a base system so choose create a new security policy (see Figure 3) and click Next.


                                                   Figure 3: Create New Policy
The next screen allows you to choose a server for your base server. In this case I am going to choose the local server, but you do have the option of doing this for remote servers as well. Once you click next the SCW will configure the Security Configuration Database. Once this is complete, click on View Configuration Database to open up SCW Viewer and then scroll down the list. Everything you see here includes a custom template to begin securing that particular server. If you successfully registered the XML file you should see some Exchange 2007 entries including Exchange 2007 Edge Transport. By clicking of the triangle next to the entry you can expand it for more information (see Figure 4).




                                                       Figure 4: SCW Viewer
Close SCW Viewer and click next to proceed. The first set of configuration options come under the Role-Based Server Configuration. Click Next and under Select Server Roles choose Exchange 2007 Edge Transport (see Figure 5) and uncheck any roles not being performed (File Server for example) then click Next again.




                                                    Figure 5: Select Server Roles
Click next again on the Select Client Features page, the Select Administrator and Other Option page and the Select Additional Services Page. Those selections will be chosen for you based on the role you chose earlier and any services required. Next you will be asked if you wish to change the startup of unspecified services. Unspecified services are defined as services not listed in the database or not yet installed. If you set this to disabled and then install a new application that installs a service, that service would be set to disabled and require you to enable it manually. The choice is yours; I set it to disabled and then enabled them manually. The next screen shows you what changes to the services will be made. You can review this and if one of those unspecified services shows up here as disabled, you can enable it.
Once you click next again, the Network Security portion of the wizard starts. Here is where access restrictions and ports are configured and there is some customization required here so click next once again to continue. The Open Ports and Approve Applications page requires a few modifications. We first need to open TCP/UDP 25 (SMTP) and TCP 50389 (LDAP for ADAM) and TCP 50636 (LDAP/SSL for ADAM) to allow ADAM to communicate with Active Directory. To do this simply click on Add and under the Port Number tab enter the port number and check of TCP, UDP or both. You will need to add the following three ports.  (Note: Exchange 2007 final does not include TCP/UDP Port 25 in its SCW Configuration unlike the beta version)


Port NumberProtocol


50389TCP
50636TCP
25TCP/UDP


Table 1
Once those two have been added (see Figure 6) there is some additional configuration that needs to be performed before we can proceed.


                                                Figure 6: Additional Ports for ADAM
The next thing we want to do is restrict the interface that some of the ports can communicate through. Your Edge Transport server should have two network interfaces, one internal and one external. The goal here is to prevent LDAP traffic to go through the external interface which would not be very secure!
Select 25 (SMTP) and click on Advanced. Click on the Local Interface Restrictions tab and then choose Over the following local interfaces and check both the internal and external interfaces. Repeat for the two ports you created, 50389 and 50636, and for 3389 (Remote Desktop Protocol) EXCEPT only choose the internal interface (see Figure 7).
Additionally, you made add remote address restrictions to limit which internal addresses may communicate via ADAM to your Edge Server. This can be performed by clicking on the Remote Address Restrictions tab in the Advanced Port Configuration window.




                                                   Figure 7: Local Interface Restrictions
Click Next and verify the ports and interfaces are correct as shown in Figure 8.




                                                     Figure 8: Confirm Port Configuration
Click Next again to proceed. The next section is the Registry Settings portion of the wizard. Check the box next to Skip this section and click Next. You can also skip the Audit Policy section of the wizard. That completes the creation of the policy! Not so hard was it! Before we get carried away let's save the configuration.
Clicking Next will take you to the Security Policy File Name page which allows you to name the policy and offer a description of what the policy does, some of the custom settings etc… You can also view the settings with the SCW Viewer by clicking on View Settings. Enter the name of the policy and click Next. Your final choice will be to apply the policy now, or leave things as is and apply it later. Leave the default of Apply Later and click Next one last time. You are at the end of the wizard and clicking Finish will close it out. You are now ready to apply the policy to your Edge Transport server or servers.

Applying the Policy

Applying the policy couldn’t be simpler. Launch SCW and make your way to the second screen. This time choose Apply an existing security policy and click Browse to locate the policy (see Figure 9).


                                                  Figure 9: Apply Existing Policy
Next choose the server you wish to apply the policy too and click Next twice to apply the policy (see Figure 10). Once it is complete click Next and then click Finish. You have now applied the policy and locked down your server. Copy the XML file to your other Edge Transport servers and apply it to them as well.




                                               Figure 10: Applying the Security Policy

Conclusion

The last thing you should do is test that everything is still functional. After that sleep easier knowing your Edge Transport has a reduced attack surface that will go a long way to keeping it your server!

Anti-Spam Solutions

The Edge Transport Server is implemented for message hygiene purposes. This means that its primary purpose is offering anti-spam and anti-virus functionality. Anti-spam is by default enabled on the Edge Transport Server, anti-virus is implemented by means of installing the Forefront Security for Exchange product.
Anti-spam is separated into five different layers, which are processed in the following order:
  1. Connection Filtering;
  2. Sender Filtering;
  3. Recipient Filtering;
  4. Sender ID Filtering;
  5. Content Filtering.
Where both Connection Filtering and Content Filtering separated into layers as well:


 Figure 7: Graphical representation of the anti-spam layering in the Edge Transport Server
A message arrives (from the Internet) and will be delivered at the Edge Transport Server. When the messages successfully pass all filters it is delivered to the internal Hub Transport Server.
The connection filtering is the 1st layer of defense, and the most important one. When an SMTP host from the Internet tries to deliver a message at the Edge Transport Server the connection is validated first. If the IP address of the sending SMTP host on the IP Allow List the connection is accepted and the sending host can start delivering the message. If the IP address of the sending host is either on the IP Block List or on the RBL (Real Time Block list) the connection is refused. This is a very important step, and most likely the most important step since most spam generating servers are on the RBL. And you don’t want these messages to be delivered at all since they consume quite a lot of resources of your Exchange servers. If you have your Edge Transport Server up-and-running for some time and start monitoring, you’ll see that 97% of all inbound SMTP connections are refused by the connection filtering!
The second step is Sender Filtering. An Exchange administrator can determine if there are any external senders that are allowed or denied sending messages to your Exchange environment. Related to this is Recipient Filtering. If Recipient Filtering is enabled senders can only send messages to existing recipients in your Exchange organization. So, messages to iliketoknowyou@inframan.nl will not be delivered.
Sender ID filtering is also known as the “Sender ID Framework” or the “SPF Framework”. This is a bit like a DNS reverse lookup. By performing a Sender ID check a special DNS query is performed and an SPF record is checked. This SPF record (which is a TXT record in DNS) is configured with the names and IP address of the sending SMTP server. So, when a message is processed, the Edge Transport Server will check this SPF record and will compare the registered IP address with the source IP address of the message. If it doesn’t match it is most likely that another, untrusted SMTP Server is sending the message on behalf of somebody else. And thus most likely spam.
The last step is content filtering. With content filtering the message is inspected for certain content, or keywords in the message, both in the subject line as well as the body of the message. You can configure specific keywords, such as “viagra”, “online casino”, “I like to know you” etc. The content filtering will use this list of keywords when filtering. It takes about a week of monitoring your Exchange environment for generating an exhausting list of keywords you have to use in the content filtering. The content filtering also generates a rating to messages, known as the SCL (Spam Confidence Level). This is rating between 1 and 9 where a level 1 means “most likely to be legitimate e-mail” while level 9 means “most likely to be spam e-mail”.
Part of the content filtering is a quarantaine mailbox. Depending on the SCL rating you can have suspicious e-mail delivered in a quarantaine mailbox. While monitoring the quarantaine mailbox (manual process!) you can decide to deliver the actual message (false positive) or finally delete the message (when it turns out to be spam).
Attachment filtering is not really a part of the anti-spam solution in the Edge Transport Server, although its functionality can be extremely important. Attachment filtering is enabled by manually activating the attachment filter agent. Open an Exchange Management Shell and enter the following command:
Enable-TransportAgent –Identity “Attachment Filter Agent”

No comments:

Post a Comment