The Exchange 2007 SP1 Internet-facing Hub Transport server will offer antivirus and anti- spam protection similar to the security provided by the Edge server role. In this topic, you will configure the Internet-facing Hub Transport server.
To establish Internet mail flow directly through a Hub Transport server, use an account delegated with Exchange Organization Administrator role privilege.
- Allow Anonymous Connections on Default Receive
- Configure an Internet Send Connector
- Create DNS Records for E-mail Routing
- Install the Anti-Spam Agents
- Configure Anti-Spam Settings
- Configure Anti-Spam Automatic Updates
- Disable Microsoft Exchange EdgeSync Service
- Configure Forefront Security for Exchange Server
Before you start this procedure, verify that the following prerequisites are met:
- Register MX resource records for all accepted domains in a
public domain name system (DNS) server.
- Configure network gateways to route SMTP traffic to and from
the Internet-facing Hub Transport server.
Allow Anonymous Connections on Default Receive Connector
Procedure W03-DWHE.70: To allow anonymous connections on default Receive Connector
Log on to EXHUBEXT01 as Fabrikam\administrator.
Open the Exchange Management Console, expand Server Configuration, and then select Hub Transport.
In the center pane, select EXHUBEXT01.
Set properties for Default EXHUBEXT01 as follows:
- On the Permission Groups tab, add the Anonymous
users permissions group to the default receive connector on
- On the Authentication tab, clear the Integrated
Windows Authentication check box.
- On the Permission Groups tab, add the Anonymous users permissions group to the default receive connector on EXHUBEXT01.
Configure an Internet Send Connector
In this procedure you will create a Send Connector which will be used to route e-mail to the Internet.
Procedure W03-DWHE.71: To configure an Internet Send Connector
On EXHUBEXT01, open the Exchange Management Shell.
Run the following command:
New-SendConnector -Name "Internet Send Connector" -Usage Internet -AddressSpaces "*" -SourceTransportServers "EXHUBEXT01" -DNSRoutingEnabled:$true -UseExternalDNSServersEnabled:$true
To verify the settings, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
On the Send Connectors tab, verify that the new Internet Send Connector is present. Right-click Internet Send Connector, and then click Properties.
On the General tab, you may want to modify the advertised FQDN that is sent in HELO/EHLO commands in SMTP. By default, it is set to <hub server name>.<domain>.com (for example, EXHUBEXT01.fabrikam.com). Change it to the value you want to have advertised; for example, mail.fabrikam.com.
Create DNS Records for E-mail Routing
Procedure W03-DWHE.72: To create the smtp Host (A) record
Open the DNS MMC on DNS01.
Create a new host (A) named smtp for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the default Receive Connector on EXHUBEXT01 that you configured in a previous procedure.
Install the Anti-Spam Agents
We recommend installing the anti-spam agents on the Internet-facing Hub Transport server role by using the Install-AntiSpamAgents.ps1 script. This script is located in the <system drive>: \Program Files\Microsoft\Exchange Server\Scripts folder. After you run this script, all the anti-spam agents are installed and enabled, and the Anti-spam tab is available in the Exchange Management Console for Hub Transport servers.
Procedure W03-DWHE.73: To install the anti-spam agents
Open the Exchange Management Shell on EXHUBEXT01.
Change directory to Program Files/Microsoft/Exchange Server/Scripts.
Run the following command:
After you run this command, restart the Microsoft Exchange Transport service, and restart the Exchange Management Console. After you run this command, restart the Microsoft Exchange Transport service, and restart the Exchange Management Console.
The Install-AntispamAgents.psi script installs and enables the following anti-spam features:
- Connection filtering
- Content filtering
- Sender ID
- Sender filtering
- Recipient filtering
- Sender reputation
|Attachment filtering is an antivirus feature that is not enabled or installed. Attachment filtering only runs on the Edge Transport server. However, the file filtering functionality that is provided by Microsoft Forefront Security for Exchange Server includes advanced features that are unavailable in the default Attachment Filter agent that is included with Microsoft Exchange 2007 SP1 Standard Edition. Forefront Security for Exchange is fully supported on the Hub Transport server role. For more information, see Microsoft Forefront Security for Exchange Server User Guide.|
Configure Anti-Spam Settings
Procedure W03-DWHE.74: To configure anti-spam settings
After you have restarted the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
On the Anti-spam tab, configure the various anti-spam for the hub server based on your needs.
|See Managing Anti-Spam and Antivirus Features for more information.|
Configure Anti-Spam Automatic Updates
Because the data that spam signatures provide is especially time-sensitive, it is a best practice to configure the anti-spam Automatic Updates, sometimes also known as Forefront Anti-spam Automatic Updates.
Forefront Anti-spam Automatic Updates use the Automatic Updates client as a proxy to request and download updates from the Microsoft Update Web site. Forefront Anti-spam Automatic Updates only requests updates for content filtering, the Microsoft IP Reputation Service, and spam signature data.
Forefront Anti-spam Automatic Updates requires a one-time opt-in process. You must opt in to Microsoft Update on each computer where you run the Forefront Anti-spam Automatic Updates.
The schedule that you set for the Automatic Updates client that is used by the Windows operating system, does not define the frequency of Forefront Anti-spam Automatic Updates. By using the Exchange Management Console or the Exchange Management Shell, you can set Forefront Anti-spam Automatic Updates to download and install automatically.
For more information about anti-spam automatic updates, see How to Configure Anti-Spam Automatic Updates.
Procedure W03-DWHE.75: To configure anti-spam automatic updates
Log on to EXHUBEXT01 as a member of the local Administrators group.
To enable anti-spam Automatic Updates if the destination computer is already opted in to Microsoft Update, run the following command:
Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
To enable anti-spam Automatic Updates and opt in to Microsoft Update, run the following command:
Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -MicrosoftUpdate RequestNotifyDownload -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
Disable Microsoft Exchange EdgeSync Service
Procedure W03-DWHE.76: To disable Microsoft Exchange EdgeSync service
Log on to EXHUBEXT01.
Stop and disable the Microsoft Exchange EdgeSync service.
Configure Forefront Security for Exchange Server
Refer to the Forefront Security for Exchange Server documentation, and your Antivirus Scanners, Scanner Updates, and Scanning / Filtering options per your security requirements.