In Microsoft Hosted Messaging and Collaboration version 4.5, the reference architecture is a three-tiered, four-zone approach. This approach to networking has been used by telecommunication companies for data services to reduce the attack surface and secure data access.

The zones are as follows:

  • Zone 0 - "Boundary"
    • The area of the network that is closest to the Internet. Generally, this security zone contains the boundary routers, intrusion detection, first layer of denial of service (DoS) blocking, and boundary firewalls.
    • Secure Sockets Layer (SSL) and initial access/certificate validation may be located at this layer. Network Operation Center (NOC) services may be logically housed in this zone.
    • In Hosted Messaging and Collaboration version 4.5, no solution servers in this zone.
  • Zone 1 - "Edge"
    • This zone contains those servers and services that provide first level authentication, and load balancing across Zone 1 servers and services.
    • No domain membership with the Zone 3 Active Directory service and no direct connection to servers in Zone 3 for security purposes. This reduces the attack surface.
    • A "Secure by Default" approach. Locked down servers in this zone.
    • Communication via secure protocols between servers in Zone 1 and Zone 2.
  • Zone 2 - "Proxy"
    • Servers in this zone have domain membership with Active Directory in Zone 3.
    • Relays or "proxies" authentication requests between Zone 1 and Zone 3.
  • Zone 3 - "Datacenter"
    • Most secure area of the network.
    • Data repository servers reside in this zone.
    • No direct access to these servers. Access is via proxies in Zone 2.