The Exchange 2007 SP1 Internet-facing Hub Transport server will offer antivirus and anti-spam protection similar to the security provided by the Edge server role. In this topic, you will configure the Internet-facing Hub Transport server.

To establish Internet mail flow directly through a Hub Transport server, use an account delegated with Exchange Organization Administrator role privilege.

Tasks

  1. Allow Anonymous Connections on Default Receive Connector
  2. Configure an Internet Send Connector
  3. Create DNS Records for E-mail Routing
  4. Install the Anti-Spam Agents
  5. Configure Anti-Spam Settings
  6. Configure Anti-Spam Automatic Updates
  7. Disable Microsoft Exchange EdgeSync Service
  8. Configure Forefront Security for Exchange Server

Prerequisites

Before you start this procedure, verify that the following prerequisites are met:

  • Register MX resource records for all accepted domains in a public domain name system (DNS) server.
  • Configure network gateways to route SMTP traffic to and from the Internet-facing Hub Transport server.

Allow Anonymous Connections on Default Receive Connector

Procedure W03-DWHE.70: To allow anonymous connections on default Receive Connector

  1. Log on to EXHUBEXT01 as Fabrikam\administrator.

  2. Open the Exchange Management Console, expand Server Configuration, and then select Hub Transport.

  3. In the center pane, select EXHUBEXT01.

  4. Set properties for Default EXHUBEXT01 as follows:

    • On the Permission Groups tab, add the Anonymous users permissions group to the default receive connector on EXHUBEXT01.
    • On the Authentication tab, clear the Integrated Windows Authentication check box.
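
The result of this procedure can be checked from the Exchange Management Shell. The following read-only audit is an added example, not part of the original procedure. It assumes the connector identity is EXHUBEXT01\Default EXHUBEXT01, and it also confirms that anonymous senders do not hold the relay right (ms-Exch-SMTP-Accept-Any-Recipient), which the Anonymous users permission group does not grant by default.

```powershell
# Added example: read-only audit of the connector changed in Procedure W03-DWHE.70.
# Run in the Exchange Management Shell on EXHUBEXT01.
# Assumption: the connector identity is "EXHUBEXT01\Default EXHUBEXT01".
$connector = Get-ReceiveConnector -Identity "EXHUBEXT01\Default EXHUBEXT01"

# Show the settings the procedure touches, plus where the connector listens.
$connector | Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# Both properties are flag enumerations; compare on their string form.
$groups = $connector.PermissionGroups.ToString()
$auth   = $connector.AuthMechanism.ToString()

if ($groups -notmatch 'AnonymousUsers') {
    Write-Warning "AnonymousUsers is not in PermissionGroups; Internet mail will be refused."
}
if ($auth -match 'Integrated') {
    Write-Warning "Integrated Windows Authentication is still offered on this connector."
}

# Anonymous senders should be able to submit mail for accepted domains only.
# An Allow entry for ms-Exch-SMTP-Accept-Any-Recipient would make the server an open relay.
$relay = $connector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object {
        ($_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient") -and (-not $_.Deny)
    }

if ($relay) {
    Write-Warning "ANONYMOUS LOGON can relay to any recipient through this connector."
    $relay | Format-List Identity, User, ExtendedRights, Deny, IsInherited
} else {
    Write-Host "Anonymous relay right is not granted on $($connector.Name)."
}
```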

Configure an Internet Send Connector

In this procedure you will create a Send Connector which will be used to route e-mail to the Internet.

Procedure W03-DWHE.71: To configure an Internet Send Connector

  1. On EXHUBEXT01, open the Exchange Management Shell.

  2. Run the following command:

    New-SendConnector -Name "Internet Send Connector" -Usage Internet -AddressSpaces "*" -SourceTransportServers "EXHUBEXT01" -DNSRoutingEnabled:$true -UseExternalDNSServersEnabled:$true
    
  3. To verify the settings, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.

  4. On the Send Connectors tab, verify that the new Internet Send Connector is present. Right-click Internet Send Connector, and then click Properties.

  5. On the General tab, you may want to modify the advertised FQDN that is sent in HELO/EHLO commands in SMTP. By default, it is set to <hub server name>.<domain>.com (for example, EXHUBEXT01.fabrikam.com). Change it to the value you want to have advertised; for example, mail.fabrikam.com.

Create DNS Records for E-mail Routing

Procedure W03-DWHE.72: To create the smtp Host (A) record

  1. Open the DNS MMC on DNS01.

  2. Create a new host (A) named smtp for the forward lookup zone consolidatedmessenger.com. During the process, you will type the external interface (static) IP address for the default Receive Connector on EXHUBEXT01 that you configured in a previous procedure.

Install the Anti-Spam Agents

We recommend installing the anti-spam agents on the Internet-facing Hub Transport server role by using the Install-AntiSpamAgents.ps1 script. This script is located in the <system drive>:\Program Files\Microsoft\Exchange Server\Scripts folder. After you run this script, all the anti-spam agents are installed and enabled, and the Anti-spam tab is available in the Exchange Management Console for Hub Transport servers.

Procedure W03-DWHE.73: To install the anti-spam agents

  1. Open the Exchange Management Shell on EXHUBEXT01.

  2. Change directory to Program Files/Microsoft/Exchange Server/Scripts.

  3. Run the following command:

    .\Install-AntispamAgents.ps1
    
  4. After you run this command, restart the Microsoft Exchange Transport service, and restart the Exchange Management Console.

The Install-AntispamAgents.ps1 script installs and enables the following anti-spam features:

  • Connection filtering
  • Content filtering
  • Sender ID
  • Sender filtering
  • Recipient filtering
  • Sender reputation

Note:
Attachment filtering is an antivirus feature that is not enabled or installed. Attachment filtering only runs on the Edge Transport server. However, the file filtering functionality that is provided by Microsoft Forefront Security for Exchange Server includes advanced features that are unavailable in the default Attachment Filter agent that is included with Microsoft Exchange 2007 SP1 Standard Edition. Forefront Security for Exchange is fully supported on the Hub Transport server role. For more information, see Microsoft Forefront Security for Exchange Server User Guide.

Configure Anti-Spam Settings

Procedure W03-DWHE.74: To configure anti-spam settings

  1. After you have restarted the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.

  2. On the Anti-spam tab, configure the various anti-spam features for the hub server based on your needs.

Note:
See Managing Anti-Spam and Antivirus Features for more information.

Configure Anti-Spam Automatic Updates

Because the data that spam signatures provide is especially time-sensitive, it is a best practice to configure the anti-spam Automatic Updates, sometimes also known as Forefront Anti-spam Automatic Updates.

Forefront Anti-spam Automatic Updates use the Automatic Updates client as a proxy to request and download updates from the Microsoft Update Web site. Forefront Anti-spam Automatic Updates only requests updates for content filtering, the Microsoft IP Reputation Service, and spam signature data.

Forefront Anti-spam Automatic Updates requires a one-time opt-in process. You must opt in to Microsoft Update on each computer where you run the Forefront Anti-spam Automatic Updates.

The schedule that you set for the Automatic Updates client that is used by the Windows operating system does not define the frequency of Forefront Anti-spam Automatic Updates. By using the Exchange Management Console or the Exchange Management Shell, you can set Forefront Anti-spam Automatic Updates to download and install automatically.

For more information about anti-spam automatic updates, see How to Configure Anti-Spam Automatic Updates.

Procedure W03-DWHE.75: To configure anti-spam automatic updates

  1. Log on to EXHUBEXT01 as a member of the local Administrators group.

  2. To enable anti-spam Automatic Updates if the destination computer is already opted in to Microsoft Update, run the following command:

    Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
    

    To enable anti-spam Automatic Updates and opt in to Microsoft Update, run the following command:

    Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -MicrosoftUpdate RequestNotifyDownload -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
    

Disable Microsoft Exchange EdgeSync Service

Procedure W03-DWHE.76: To disable Microsoft Exchange EdgeSync service

  1. Log on to EXHUBEXT01.

  2. Stop and disable the Microsoft Exchange EdgeSync service.
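
Procedures W03-DWHE.73, W03-DWHE.75, and W03-DWHE.76 can be verified together from the Exchange Management Shell. The following read-only script is an added example, not part of the original procedures. It assumes the transport agents carry the display names that a default installation registers and that the EdgeSync service name is MSExchangeEdgeSync.

```powershell
# Added example: read-only checks for Procedures W03-DWHE.73, .75 and .76.
# Run in the Exchange Management Shell on EXHUBEXT01 after restarting
# the Microsoft Exchange Transport service.

# Anti-spam feature -> transport agent that implements it.
# Assumption: agent display names as registered by a default installation.
$expected = @{
    "Connection filtering" = "Connection Filtering Agent";
    "Content filtering"    = "Content Filter Agent";
    "Sender ID"            = "Sender Id Agent";
    "Sender filtering"     = "Sender Filter Agent";
    "Recipient filtering"  = "Recipient Filter Agent";
    "Sender reputation"    = "Protocol Analysis Agent"
}

$agents = Get-TransportAgent
foreach ($feature in $expected.Keys) {
    $name  = $expected[$feature]
    $agent = $agents | Where-Object { $_.Identity.ToString() -eq $name }
    if (-not $agent) {
        Write-Warning ("{0}: '{1}' is not installed." -f $feature, $name)
    } elseif (-not $agent.Enabled) {
        Write-Warning ("{0}: '{1}' is installed but disabled." -f $feature, $name)
    } else {
        Write-Host ("{0}: '{1}' enabled, priority {2}." -f $feature, $name, $agent.Priority)
    }
}

# Anti-spam update settings applied by Enable-AntispamUpdates.
Get-AntispamUpdates |
    Format-List UpdateMode, MicrosoftUpdate, IPReputationUpdatesEnabled, SpamSignatureUpdatesEnabled

# EdgeSync should be both stopped and disabled on this server.
$svc = Get-WmiObject Win32_Service -Filter "Name='MSExchangeEdgeSync'"
if (-not $svc) {
    Write-Warning "MSExchangeEdgeSync service was not found on this computer."
} elseif (($svc.State -ne "Stopped") -or ($svc.StartMode -ne "Disabled")) {
    Write-Warning ("EdgeSync is {0} with start mode {1}." -f $svc.State, $svc.StartMode)
} else {
    Write-Host "EdgeSync is stopped and disabled."
}
```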

Configure Forefront Security for Exchange Server

Refer to the Forefront Security for Exchange Server documentation, and configure your Antivirus Scanners, Scanner Updates, and Scanning / Filtering options per your security requirements.