Module 9: Managing Routing
Overview
Explaining How Message Routing Works in an Exchange Organization
Configuring Routing in an Exchange Organization
Explaining Internet Connectivity Concepts and Protocols
Managing Connectivity to the Internet
Discussion: Managing Routing
Video
Lesson: Explaining How Message Routing Works in an Exchange Organization
What Are Routing Groups?
What Are Routing Group Connectors?
When Is More Than One Routing Group Necessary?
Multimedia: How Messages are Routed Within and Between Routing Groups
What Are Routing Groups?
Routing groups are groups of servers running Exchange that are connected over permanent network links
The routing group master tracks and maintains routing for all the servers in the routing group
Message routing in an Exchange organization:
Can occur on the same server or among servers within a routing group
Occurs between routing groups by using connectors
[Diagram: Routing Group A and Routing Group B, each with a routing group master]
What Are Routing Group Connectors?
Connectors are components that link routing groups so that messages travel reliably and efficiently between groups
You can create one or more connectors and then configure:
Message connection schedules
Message priority
Message content
Message size limits
Message delivery restrictions
Cost
Public folder referrals
[Diagram: a connector linking Routing Group A and Routing Group B]
When Is More Than One Routing Group Necessary?
Use just one routing group when the servers running Exchange:
Have permanent and reliable connections to each other
Belong to the same Active Directory forest
Connect consistently and reliably to the routing group master
Multiple routing groups may be necessary if any of these apply:
Network connections are slow or intermittent
The network is unreliable or unstable
Message transmission is complex and indirect
Message transmission must be scheduled
Public folder referrals must be controlled
Multimedia: How Messages Are Routed Within and Between Routing Groups
This presentation describes:
How messages are routed within a routing group
How messages are routed between routing groups
Lesson: Configuring Routing in an Exchange Organization
The Connectors That Exchange Supports
Considerations for Using Routing Group Connectors
Considerations for Using SMTP Connectors
Considerations for Using X.400 Connector
How to Create a Routing Group
How to Create a Routing Group Connector
How to Monitor Server, Connector, and Resource Status
The Connectors That Exchange Supports
Routing Group connector: The simplest to configure, this is the recommended tool for connecting routing groups that are located in the same Exchange organization
SMTP connector: Establishes an SMTP messaging route between two routing groups or between a routing group and an SMTP host
X.400 connector: Establishes an X.400 messaging route between two routing groups or between a routing group and an X.400 system
Considerations for Using Routing Group Connectors
Routing Group connectors:
Can be configured to use zero, one, or multiple local bridgehead servers
Must be used in conjunction with TLS or a security policy to provide security
Must resolve the IP address of the target bridgehead server
[Diagram: a Routing Group Connector between bridgehead servers in Routing Group A and Routing Group B]
Considerations for Using SMTP Connectors
SMTP connectors:
Can be used to identify multiple local bridgehead servers
Can be configured to use outbound TLS
Must resolve the target bridgehead server using DNS
Must be configured with address spaces
[Diagram labels: SMTP Connector, dial-up connection, Routing Group A, Routing Group B, Exchange Server site, IMS]
Considerations for Using the X.400 Connector
X.400 connectors:
Require you to configure an MTA service transport stack for the connector
Do not support multiple bridgehead servers
Require address space to control message routes
[Diagram: X.400 connectors between Routing Group A and Routing Group B, with Cost = 20 and Cost = 10]
Practice: Deciding on the Best Way to Connect Routing Groups
1. Read the scenarios
2. Determine possible solutions
3. Discuss your solutions with the class
How to Create a Routing Group
To create a routing group:
1. In the Exchange System Manager console tree, browse to Routing Groups
2. Right-click Routing Groups, click New, and then click Routing Group
Practice
How to Create a Routing Group Connector
Practice
To create a routing group connector:
1. In the Exchange System Manager console tree, browse to Connectors
2. Right-click Connectors, click New, and then click Routing Group Connector
3. In the Properties dialog box, specify the local and remote bridgehead servers
4. Configure any delivery options, delivery restrictions, or content restrictions
How to Monitor Server, Connector, and Resource Status
To monitor server, connector, and resource status:
1. In the Exchange System Manager console tree, expand Tools, expand Monitoring and Status, and then click Status
2. In the details pane, view the status of servers, connectors, and resources
Practice
[Diagram: an administrator's status view in which items are shown as Available or Unreachable]
Lesson: Explaining Internet Connectivity Concepts and Protocols
How an SMTP Connection Works
Common SMTP Commands and Reply Codes
How an ESMTP Connection Works
Common ESMTP Commands
What Are MX Records?
How to Configure DNS to Support an Exchange Organization
How an SMTP Connection Works
SMTP Sender (Client) and SMTP Sender (Server)
Connection Initiated
Server: 220 <FQDN> Ready
Client: HELO <FQDN>
Server: 250 <FQDN> Hello
Client: MAIL FROM:<sender>
Server: 250 <sender> Sender OK
Client: RCPT TO:<recipient>
Server: 250 <recipient>
Client: DATA
Server: 354 Start mail input…
Client: Sending data
Client: QUIT
Server: 221 <FQDN> Service closing …
Common SMTP Commands and Reply Codes
Command               Description
HELO fqdn             Identifies the sending SMTP host
MAIL FROM:<sender>    Identifies the sender of the message
RCPT TO:<recipient>   Identifies the recipient of the message
DATA                  Indicates that the sending host is ready to send the message
RSET                  Aborts the current mail transaction
VRFY <string>         Allows the sending host to verify that the recipient is valid
HELP                  Lists the SMTP commands supported on the receiving host
QUIT                  Disconnects the TCP session
TURN                  Triggers the recipient server to send queued messages
How an ESMTP Connection Works
What is ESMTP?
A protocol that extends SMTP by providing additional capabilities
SMTP Sender (Client) and SMTP Sender (Server)
Connection Supports ESMTP
Connection Initiated
Server: 220 <FQDN> Ready
Client: EHLO <FQDN>
Server: 250 <FQDN> Hello (returns list of supported extensions)
Connection Does Not Support ESMTP
Connection Initiated
Server: 220 <FQDN> Ready
Client: EHLO <FQDN>
Server: 500 Unrecognized command
Common ESMTP Commands
Command               Description
ATRN                  Authenticated TURN runs only if the session has been authenticated
ETRN                  Similar to TURN, but it specifies the remote host
PIPELINING            Allows SMTP commands to be sent in batches
CHUNKING              Enables the sending of large MIME messages more efficiently
X-LINK2STATE          Specifies support for the Exchange links state command verb
STARTTLS              Provides an SSL connection between the SMTP client and server
AUTH SASL mechanism   Provides a form of SASL SMTP authentication that uses Kerberos and NTLM
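An added example (not part of the original slides and not Microsoft code): a Python sketch of the EHLO step described above. It parses the server's reply, detects the 500 case in which the client must fall back to HELO, and reviews the advertised extensions. The sample replies, the host name and the finding texts are constructed for illustration.

```python
# Constructed sample replies to EHLO (not captured from a real server).
ESMTP_REPLY = (
    "250-mail.contoso.example Hello [192.0.2.10]\r\n"
    "250-TURN\r\n"
    "250-ETRN\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250-X-LINK2STATE\r\n"
    "250 AUTH GSSAPI NTLM LOGIN\r\n"
)
LEGACY_REPLY = "500 Unrecognized command\r\n"

CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}  # credentials are only base64-encoded


def parse_reply(raw):
    """Return (code, [text, ...]) for one SMTP reply.

    Every line starts with the same 3-digit code; 'NNN-' marks a
    continuation line and 'NNN ' (or a bare 'NNN') marks the last line.
    """
    code, texts = None, []
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit() or line[3:4] not in ("", " ", "-"):
            raise ValueError(f"malformed reply line: {line!r}")
        if code is not None and line[:3] != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = line[:3]
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(code), texts
    raise ValueError("reply ended without a final line")


def audit_ehlo(raw):
    """Classify the session and list findings a mail admin should review."""
    code, texts = parse_reply(raw)
    if code >= 500:
        # Server rejected EHLO: the client falls back to HELO, and no
        # extension (STARTTLS, AUTH) is available on this session.
        return {"esmtp": False, "extensions": {},
                "findings": ["no ESMTP: session cannot be encrypted or authenticated"]}
    if code != 250:
        raise ValueError(f"unexpected reply code to EHLO: {code}")
    extensions = {}
    for text in texts[1:]:  # texts[0] is the greeting, not an extension
        words = text.split()
        if words:
            extensions[words[0].upper()] = words[1:]
    findings = []
    if "STARTTLS" not in extensions:
        findings.append("STARTTLS not offered: traffic stays in cleartext")
    weak = CLEARTEXT_MECHS.intersection(m.upper() for m in extensions.get("AUTH", []))
    if weak:
        findings.append("AUTH " + "/".join(sorted(weak)) + ": allow only after STARTTLS")
    if "TURN" in extensions:
        findings.append("TURN offered: confirm it is limited to authenticated sessions")
    return {"esmtp": True, "extensions": extensions, "findings": findings}
```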
Practice: Explaining Internet Connectivity Concepts and Protocols
1. Read the scenarios
2. Determine possible solutions
3. Discuss your solutions with the class
What Are MX Records?
An MX record is a DNS record that tells other computers your e-mail server IP address and name so that you can receive SMTP e-mail
When an SMTP host sends an e-mail message to another SMTP host, DNS resolves the domain name of the receiving host to its TCP/IP address by using MX records
A typical company has multiple MX records registered in DNS to provide fault tolerance if an SMTP host becomes unavailable
How to Configure DNS to Support an Exchange Organization
To configure DNS to support an Exchange organization:
1. Configure Exchange to meet your SMTP requirements
2. Provide DNS with the MX records necessary to support your SMTP address space
3. Add MX records to each DNS namespace that point to your Exchange SMTP hosts
Practice
Lesson: Managing Connectivity to the Internet
Steps You Can Take to Control Internet E-Mail Access
How to Create and Configure an SMTP Connector
Methods for Securing SMTP Traffic
How to Restrict User Accounts from Sending Internet E-Mail
How to Configure SMTP Relays in Exchange
When to Use and Restrict Open Relaying in Exchange
How to Prevent or Restrict Open Relaying in Exchange
How to Connect Exchange Servers to the Internet by Using Routing and Remote Access
How to Configure Exchange to Retrieve E-Mail from an ISP
How to Identify Problematic E-Mail Domains
Steps You Can Take to Control Internet E-Mail Access
The default SMTP virtual server connects Exchange to the Internet automatically. You can create additional SMTP virtual servers and associate them with SMTP connectors
You can:
Create an additional virtual server and configure an SMTP connector to use it as a bridgehead server
Limit the scope of the SMTP connector to the routing group
Configure the credentials on an SMTP connector if the remote SMTP server requires authentication
Configure the SMTP connector to only receive e-mail or send e-mail
Configure Internet message formats and message delivery parameters
[Diagram: an administrator, an SMTP virtual server, and the Internet]
How to Create and Configure an SMTP Connector
Practice
To create and configure an SMTP connector:
1. In the Exchange System Manager console tree, browse to Connectors
2. Right-click Connectors, point to New, and then click SMTP Connector
3. Provide a name for the connector, define the local bridgehead server, and configure the address space for the connector
Methods for Securing SMTP Traffic
Authentication is the process of verifying the identity of something or someone
Encryption is a technique in which the contents of an e-mail message are scrambled into a code that can only be read by a person who has the key to decode it on his or her computer
Reverse DNS lookup is a technique in which you make your computers use the sender’s SMTP domain name to perform a DNS lookup to confirm that the IP address of the sending host is from the same network that is registered in DNS
[Diagrams: authentication (a user and a resource, captioned "User really is Samantha Smith"); encryption and decryption (plaintext and ciphertext); reverse DNS lookup (the Exchange server asks a DNS server "What is the sending host for this IP address?")]
How to Restrict User Accounts from Sending Internet E-Mail
Practice
1. In the Exchange System Manager console tree, browse to Connectors
2. Right-click the connector that you want to restrict, and then click Properties
3. On the Delivery Restrictions tab, specify the name of the sender or senders in the Accept messages from or Reject messages from area
[Diagram: Greg Weber's message is refused ("Sorry Greg!") at the SMTP virtual server that connects to the Internet]
How to Configure SMTP Relays in Exchange
Different ways to configure SMTP relays in Exchange:
Configure an SMTP virtual server to use a smart host
Configure the SMTP virtual server to forward unresolved messages to a smart host
Configure an SMTP connector to use a smart host
Configure an SMTP virtual server as a relay host
Configure the SMTP virtual server to limit which servers can relay e-mail messages
Configure domains that you want to relay messages to
Practice
When to Use and Restrict Open Relaying in Exchange
To combat mail relaying attacks, prevent or restrict open relaying on any Exchange server connected to the Internet
Sometimes, relaying is required. For example, you may have POP3 and IMAP4 clients that rely on SMTP for message delivery and have legitimate reasons for sending e-mail messages to external domains
[Diagram: A Mail Relaying Attack. An Internet attacker sends a "Buy my products" message through the Contoso corporate office e-mail server, so it is delivered as From: Contoso "Buy my products"]
How to Prevent or Restrict Open Relaying in Exchange
To prevent or restrict open relaying:
1. In the Exchange System Manager console tree, browse to Servers
2. Expand the Protocols container on the server that you want to configure
3. Expand SMTP, right-click the SMTP virtual server, and then click Properties
4. On the Access tab, click Relay
5. In the Relay Restrictions dialog box, select Only the list below and make sure that the list is blank
6. Clear the Allow all computers which successfully authenticate to relay, regardless of the list above check box
7. To restrict by user, specify a subset of users
Practice
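The effect of the relay settings above, as an added example that is not from the original slides: a simplified Python model of the Relay Restrictions dialog, evaluated against four constructed requests. The evaluation order, the RelayPolicy class, the account names and the contoso.example domain are assumptions made for illustration, not Exchange's own logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RelayPolicy:
    """Assumed, simplified model of the Relay Restrictions settings."""
    only_list_below: bool              # False models "All except the list below"
    computers: tuple = ()              # the list itself, as CIDR strings
    allow_authenticated: bool = True   # "Allow all computers which successfully authenticate..."
    relay_users: frozenset = frozenset()  # users granted relay explicitly (step 7)
    local_domains: frozenset = frozenset({"contoso.example"})

    def decide(self, client_ip, rcpt, auth_user=None):
        """Return 'deliver', 'relay' or 'reject' for one RCPT TO."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "deliver"  # inbound mail for our own domain is not relaying
        in_list = any(ip_address(client_ip) in ip_network(net) for net in self.computers)
        if in_list == self.only_list_below:
            return "relay"    # the computer list grants relay
        if auth_user is not None and (self.allow_authenticated
                                      or auth_user in self.relay_users):
            return "relay"    # authentication grants relay
        return "reject"


# Three configurations, from weakest to the one the steps above produce.
OPEN_RELAY = RelayPolicy(only_list_below=False)   # "all except" an empty list
AUTH_ANY = RelayPolicy(only_list_below=True)      # blank list, check box still selected
LOCKED = RelayPolicy(only_list_below=True, allow_authenticated=False,
                     relay_users=frozenset({"imap.user"}))

# Constructed requests: (client IP, RCPT TO address, authenticated user).
REQUESTS = [
    ("203.0.113.7", "victim@other.example", None),            # anonymous Internet host
    ("203.0.113.7", "sales@contoso.example", None),           # normal inbound mail
    ("198.51.100.20", "partner@other.example", "imap.user"),  # approved POP3/IMAP4 user
    ("198.51.100.21", "victim@other.example", "temp.account"),  # any other account
]


def evaluate(policy):
    """Decision for each constructed request, in order."""
    return [policy.decide(*request) for request in REQUESTS]


if __name__ == "__main__":
    for name, policy in (("open", OPEN_RELAY), ("auth-any", AUTH_ANY), ("locked", LOCKED)):
        print(f"{name:9}", evaluate(policy))
```

Only the third configuration refuses the last request: while the check box stays selected, any account that can authenticate can relay.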
How to Connect Exchange Servers to the Internet by Using Routing and Remote Access
1. After a modem is added, click Start, and then click Administrative Tools
2. Click Routing and Remote Access, and select the server to configure
3. Right-click Ports, and then click Properties
4. In the Port Properties dialog box, click Configure, select the Demand-dial routing connections (inbound and outbound) check box, and then click OK
5. Create a demand-dial interface to dial into the ISP
6. Add a default network route that uses the newly created demand-dial interface
[Diagram: Exchange Server connected to the Internet through Routing and Remote Access]
How to Configure Exchange to Retrieve E-Mail from an ISP
Practice
To configure Exchange to use ETRN commands to pull e-mail:
1. In the Exchange System Manager console tree, browse to the Connectors container for the routing group
2. Right-click the SMTP connector, and then click Properties
3. In the Properties dialog box, click Advanced, and then select Request ETRN/TURN when sending messages
4. Select the Additionally request mail at specified times check box
How to Identify Problematic E-Mail Domains
There are two commands you can use to identify problematic e-mail domains:
Telnet
telnet fully_qualified_domainname_of_the_host 25
Nslookup
nslookup -querytype=mx domainname
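An added example, not from the original slides: a Python helper that reads the output of the nslookup MX query above, orders the mail hosts by preference, and flags a domain that has no MX fault tolerance. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows nslookup output (not a real lookup).
NSLOOKUP_OUTPUT = (
    "Server:  dns1.contoso.example\n"
    "Address:  192.0.2.53\n"
    "\n"
    "Non-authoritative answer:\n"
    "contoso.example\tMX preference = 20, mail exchanger = mail2.contoso.example\n"
    "contoso.example\tMX preference = 10, mail exchanger = mail1.contoso.example\n"
    "\n"
    "mail1.contoso.example\tinternet address = 192.0.2.25\n"
)

MX_LINE = re.compile(
    r"^\S+[ \t]+MX preference = (\d+), mail exchanger = (\S+)[ \t]*$", re.M)
A_LINE = re.compile(r"^(\S+)[ \t]+internet address = (\S+)[ \t]*$", re.M)


def parse_mx(output):
    """Return [(preference, host, address or None)], lowest preference first."""
    output = output.replace("\r\n", "\n")  # tolerate output saved on Windows
    addresses = {h.lower().rstrip("."): ip for h, ip in A_LINE.findall(output)}
    records = []
    for pref, host in MX_LINE.findall(output):
        host = host.lower().rstrip(".")
        records.append((int(pref), host, addresses.get(host)))
    return sorted(records, key=lambda r: r[:2])


def delivery_order(records, unavailable=()):
    """Hosts a sender tries in turn, skipping ones known to be down."""
    return [host for _pref, host, _addr in records if host not in unavailable]


def review(records):
    """List the points to check before blaming the remote mail server."""
    findings = []
    if not records:
        findings.append("no MX records returned for this domain")
    elif len({host for _pref, host, _addr in records}) == 1:
        findings.append("single MX host: no fault tolerance if it is unavailable")
    for _pref, host, addr in records:
        if addr is None:
            findings.append(f"{host}: no address in this output, resolve it separately")
    return findings


if __name__ == "__main__":
    recs = parse_mx(NSLOOKUP_OUTPUT)
    print(delivery_order(recs))
    print(review(recs))
```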
Discussion: Managing Routing
1. Read the scenarios
2. Determine possible solutions
3. Discuss your solutions with the class