Home > Articles

This chapter is from the book

Configuring Additional Server Services

In addition to basic Exchange servers that host mailboxes for user email accounts, there are other Exchange Server 2003 services that can be configured:

  1. Bridgehead servers

  2. Front-end servers

  3. Public folder servers

  4. SMTP mail routing servers

Installing a Bridgehead Server

A bridgehead server is a routing server that accepts mail from another server and then distributes the mail to the next server in the route. Similar to the hub-and-spoke system used by airlines to prevent having to fly nonstop flights to and from every single city around the world, the bridgehead server minimizes the site-to-site direct-traffic flow by focusing mail between bridgehead servers.

Many times administrators with high-speed WAN bandwidth question why they wouldn't just have all Exchange servers route mail directly to all other Exchange servers. An example gives the best explanation: If a manager in the United States sends a message with a 20MB attachment to managers in 10 different European offices, 200MB of mail is routed between continents. However, if the organization had a bridgehead server in the U.K., only one 20MB message, with attachment, would go between the U.S. and the U.K. Then the message would be distributed from the U.K. to the rest of the European sites. Even between local sites with a T1 line, the belief is that there is plenty of bandwidth between the sites and users can send any size email because it's a local office. So unless attachment restrictions are placed on servers, a user could send a 40MB attachment to dozens of offices, taking up hundreds of megabytes of bandwidth. A bridgehead server can consolidate bandwidth between an East Coast and West Coast connection, minimizing traffic across the country.

To configure a bridgehead server, from the Remote Bridgehead tab on the routing group connector Properties page, a target server can be specified that will receive messages in the destination routing group. Multiple servers can be specified, and connections to the server are attempted in the order of the servers listed in the remote bridgehead list.

The Delivery Restrictions, Content Restrictions, and Delivery Options tabs are used to control which users can send messages and of what type across the connection. The Delivery Options tab includes the option of scheduling large messages across a specific message route during a specific period of time. For example, large attachments from one site to another site that has a slow connection can schedule all attachments of a certain size to be transported later in the day or evening. Using this option for messages greater than a few megabytes on busy or slow links can keep mail flowing without clogging the link.

When the connector is configured, the administrator is then prompted to create a corresponding connector in the remote routing group. The administrator should keep this in mind when naming the connector, because automatically configured connectors in the remote routing group will use the same name as the connector configured in the local routing group.

Routing group connectors are not the only option for administrators to link routing groups. The SMTP and X.400 connectors also can be used for linking. Both connectors have a Connected Routing Groups tab that can be used to connect routing groups when bandwidth is limited or other services, such as encryption, are required.

Enabling SSL for Services on Front-end Servers

You can enable most of the protocols on the front-end server from within the Exchange System Manager. To enable SSL for POP3, IMAP4, SMTP, and NNTP, use the following steps:

  1. Open Exchange System Manager.

  2. Navigate to Administrative Groups, Servers, Protocols.

  3. Select a protocol and expand it.

  4. Right-click on the protocol and choose Properties.

  5. Click on the Access tab.

  6. Under Secure Communications, click on Certificate.

  7. Select Next.

  8. Select Create a new certificate and click Next.

  9. If you have an internal Certificate Authority (CA), you can choose Send the request immediately to a CA; otherwise, choose Prepare now and send later, and then click Next.

  10. Type a name for the certificate, choose the bit length, and click Next.

  11. Type the organization name and unit and then click Next.

  12. Type a common name for the Website or fully qualified DNS name.

  13. Type the country, state, and city, and then click Next. (Do not use abbreviations.)

  14. Type a path and filename for the CSR file and click Next.

  15. Review the summary and click Next.

  16. Click Finish.

If your organization uses a third-party certificate authority such as Verisign, Tharte, or others, send the CSR file created in the previous steps to the third-party certificate authority to have a valid certificate file created. After a certified file is issued by the third-party CA, do the following:

  1. Open Exchange System Manager.

  2. Navigate to Administrative Groups, Servers, Protocols.

  3. Select a protocol and expand it.

  4. Right-click on the protocol and choose Properties.

  5. Click on the Access tab.

  6. Under Secure Communications, click on Certificate, and then click Next.

  7. Choose Process the pending request and install the certificate, and then click Next.

  8. Click and browse to select the certificate file you received from the third-party CA, and click Next.

  9. Review the summary of the certificate to verify that it is correct and click Next.

  10. Click Next on the confirmation screen.

Managing Public Folders

Public folders are collaboration objects in Microsoft Exchange that can be used to share information with a group of individuals in the organization, and are the basis of workflow applications.

Public folders can be created either through the Outlook 2003, Outlook XP, or Outlook 2000 client or through Exchange System Manager. To create folders through the Exchange System Manager, locate the folders container in the administrative group. Right-click the default public folder tree and select New, Public Folder. The tabs, shown in Figure 3.12, are for the following:

Figure 3.12Figure 3.12 Tab options when creating a public folder.

  • General Contains the option of configuring an address list display name to be different from the folder name and whether folder content read and unread information is tracked for each user.

  • Replication Controls which public folder stores receive a copy of the folder and at what frequency the information is replicated.

  • Limits Configures the storage, deletion, and age limit settings. These settings can be inherited from the public store database settings or from a public store system policy.

  • Details Allows for the entry of administrative notes.

To mail-enable the folder, right-click the folder in Exchange System Manager and select Mail Enable. After the folder is mail-enabled, right-click the folder and select Properties to view the following tabs:

  • Exchange General Displays the folder's alias and the public folder tree that contains the folder. Options also exist for Delivery Restrictions and Delivery Options, which are inherited from the Exchange organization.

  • Email Addresses Lists email addresses for the object, which are defined in the Recipient Policies from Exchange System Manager. This includes the SMTP, X.400 address, and addresses for other mail platforms.

  • Exchange Advanced Includes settings that control address list visibility and the custom attributes.

Folders can also be created in Outlook 2003, Outlook XP, or Outlook 2000 by accessing the Public Folders, All Public Folders container.

Creating New Public Folder Trees

MAPI clients can use only the default public folder tree, so this process does not apply to organizations that use only the Outlook 2003, Outlook XP, or Outlook 2000 client. Only Web-based clients can use other public folder trees. Organizations might want to consider creating a new public folder tree to support customized Web-based applications that use the Web store capabilities of the public store. Creating new public folder trees is a four-step process:

  1. Create the tree.

  2. Create a public store associated with the tree.

  3. Link the tree with the public store by using the Associated Public Store dialog box when creating the store.

  4. Mount the public store.

To create new public folder trees, use Exchange System Manager to locate the folders container in the administrative group. Right-click the folders container and select New, Public Folder Tree; enter the name of the folder tree. The second step is to create a public folder store by right-clicking a storage group and selecting New, Public Store. The third step is to use the Browse button to select the new public folder tree as the associated public folder tree when creating the public store. The final step is to mount the store. To mount the store, choose Yes when prompted to mount the store.

NOTE

To mount stores created on remote servers, Active Directory must complete replication of the store configuration information.

Using Dedicated Public Folder Servers

Many Exchange 5.5 organizations used dedicated public folder servers to support their folder installations and keep the load of collaboration applications and repositories off their mail servers. This is still an acceptable practice; however, do not remove the private store from the dedicated public folder server if the organization plans to administer the public folder tree on the server from Exchange System Manager. To configure dedicated public folder servers, leave the mailbox store unpopulated or permanently dismount the mailbox store by marking the store with the Do not mount this store at start-up option on the Database tab of the mailbox store.

Designing Public Folder Trees

The first level of the public folder tree is called top-level public folders. In most organizations, the top few levels of the public folder structure are designed with some hierarchy in mind. This is done to organize the information and also to control the replication of information across the network. It might not be efficient to replicate the entire public folder tree to every server in the organization if the information is needed in only certain areas of the company. Generally, the first few levels are designed with a department or geographic organization. Most Exchange administrators usually lock down the top-level folders to prevent the hierarchy from being corrupted by users. To lock down the top-level folders, set the following permissions:

  1. Right-click the Public Folder tree under the folders container in the administrative group and select properties.

  2. Click the Security tab.

  3. Select the Everyone group.

  4. Select the Deny option for the Create top level public folder permissions.

Understanding Public Folder Replication

Public folder replication enables information that's created in one folder to be replicated to all other public stores configured on its Replication tab. Public folders operate in a multimaster replication hierarchy where every public store has a read and write copy of the folder. By default, a public folder inherits the replication schedule from the public store Replication tab or the public store system policy that is applied to the server.

Plan on spending some time developing the replication scheme for the public folder hierarchy. Not all information in the tree needs to replicate immediately. Exchange administrators should make sure that top-level folder administrators understand which folders replicate more quickly than others and should be used for time-sensitive information.

System Folders

The Exchange system folders control many of the underlying components of the Exchange organization, such as storing the Offline Address Book and the public free and busy time information that users see when they create meeting requests. The Exchange system folders include EForms Registry, Events Root, Nntp Control Folder, Offline Address Book, Schedule+ Free Busy, StoreEvents, and System Configuration. Administrators might need to view information about the system folders when troubleshooting problems on the server. By default, the system folders are not displayed in Exchange System Manager. To view system folders, follow these steps:

  1. Open Exchange System Manager.

  2. In Exchange System Manager, expand the Folders container.

  3. TIP

    For Native Mode Exchange environments, use the Folders container under Administrative Group.

  4. Right-click Public Folders.

  5. Select View System Folders.

SMTP Connectors and Virtual Servers

SMTP is the primary message routing protocol used in Exchange 2003 and is the backbone of many other services, such as OWA, POP3, and IMAP. Exchange 2003 uses the base SMTP service configuration provided by IIS and extends its functionality to link state routing, advanced queuing engine, and enhanced message categorization. Many of the features that are added to the base SMTP service are Exchange-specific commands.

Two basic components need to be configured for SMTP on the Exchange 2003 server: the SMTP Virtual Server and the SMTP Connector. The SMTP Virtual Server is used to define settings—such as the domain and authentication—for connections. Multiple SMTP virtual servers can be used on a physical server to support the needs of different groups in the organization. The purpose of the SMTP connector is to use SMTP to route external mail. The SMTP Connector is the replacement for the Internet Mail Service in Exchange 5.5. The connector defines how that mail is delivered and any restrictions on messages or connectivity that apply to the delivery.

Creating SMTP Connectors

The following process assumes the connector is being installed to send messages to the Internet.

To install the SMTP connector, right-click the routing group's connectors container and select New, SMTP Connector. To configure the connector, use the following steps:

  1. On the General tab enter a descriptive name for the connector, such as SMTP(Internet).

  2. Select the method to deliver the SMTP messages, either DNS or smart host. If you're using a smart host, it's better to use a hostname rather than an IP address; an IP address change in the organization will not cause mail routing to fail as long as DNS properly resolves the name to another IP address. If you're using IP addresses, they must be enclosed in brackets ([ ]). Multiple smart hosts can be entered but must be separated by semicolons (;) or commas (,).

  3. Add a server in the local routing group as the local bridgehead. This will be the server responsible for delivering SMTP messages in this routing group.

  4. Add an address space entry. If this connector will route all mail to the Internet, create an SMTP address entry and leave the default setting to send all addresses. If there are multiple connectors with the same address space entry, the cost can be modified to set one of the connectors to a higher or lower priority. The higher the cost, the lower the priority.

  5. Set Connector Scope for Entire Organization or the routing group. If using Entire Organization, all servers in the organization can send messages through this connector.

  6. Set the advanced settings for security if necessary. For sending mail to servers on the Internet, set the option for HELO instead of EHLO for ensured interoperability.

The General tab of the SMTP connector is configured to deliver SMTP mail to the Internet. The other tabs on the SMTP connector can be configured as needed, but most organizations leave the settings as the default when configuring connectors to send SMTP mail to the Internet.

Creating SMTP Virtual Servers

In most Exchange organizations, it's not necessary to create additional SMTP virtual servers. Unless the organization is supporting multiple domain names that require different settings or POP3 and IMAP users that require secured SMTP relays, creating additional SMTP virtual servers is not necessary.

To create a new SMTP Virtual Server, right-click the SMTP protocol container and select New, SMTP Virtual Server. The wizard then prompts for the name of the virtual server and the IP address. It's best to use a descriptive name for the virtual server, such as the domain name (in this example, smtp.companyabc.com). Only IP addresses that have been configured on the server's LAN adapters appear in the IP address selection box.

The following tabs are available for the SMTP Virtual Server:

  • General The General tab can be used to limit the number of connections and the connection timeout and contains the IP address and port number combinations configured for the virtual server. When you're adding additional IP addresses, the Enable Filter option can be used to apply message filters that have been configured in the Message Delivery options under the Global container for the organization. Logging for the SMTP connection can also be enabled here.

  • Access The Access tab controls the Authentication mechanism in place and can be used to enable secure communication under the Certificate and Communication buttons. Connections and SMTP message relaying can also be controlled.

  • Messages The Messages tab controls the number of messages that can be transferred and the handling of nondelivery reports. A setting that's really helpful during mail migrations is the Forward all mail with unresolved recipients to host option, which enables mail for the same domain name to be delivered to another mail platform that may have been previously responsible for the SMTP domain name for the Exchange organization.

  • Delivery The Delivery tab configures outbound message retry intervals, authentication, DNS, and smart host configuration information.

Securing SMTP Mail Relays

The Relay button on the Access tab of the SMTP Virtual Server is responsible for controlling the capability for remote hosts of relaying SMTP messages off the Exchange SMTP server. Open SMTP mail relays are a target for spammers, who use the open relay to send unsolicited email messages anonymously.

By default, SMTP message relaying is not enabled. Only the hosts specifically entered in the relay configuration can relay SMTP messages. By selecting the option All Except the List Below, you open the relay to any server on the Internet. The check box Allow All Computers which Successfully Authenticate to Relay is an override for the lists of hosts listed above the check box that are either allowed or not allowed to relay. This check box is selected by default and will allow POP3 and IMAP clients to relay SMTP messages off the server as long as they can authenticate.

To configure Outlook Express for authentication, use the Servers tab of the mail account and mark the check box under the Outgoing Mail Server for My Server Requires Authentication. The Settings button enables the user to enter a different account or use the same account as the Incoming Mail Server.

If the organization needs to support POP3 and IMAP users, the next step in configuring the SMTP relay is to select the authentication method under the Authentication button on the Access tab. If this SMTP virtual server will be used for all SMTP connections, the Anonymous Access selection should remain on. If only POP3 and IMAP users will use this virtual server, Anonymous Access should be disabled.

The most secure method to access the SMTP server over the Internet is to remove the Integrated Windows Authentication method and enable the check box for Requires TLS Encryption. In order to select Requires TLS Encryption, you must install a certificate on the server, which can be obtained through the Certificate button on the Access tab for the SMTP virtual server. After the certificate is installed, encryption can be required under the Communication button on the Access tab of the SMTP virtual server.

Select the Require Secure Channel check box under the Communication button if this server will be used to relay messages exclusively for POP3 and IMAP clients. If this server is receiving SMTP mail for the organization, connections will be rejected if they cannot support SSL.

In order to use TLS security for sending messages, the POP3 and IMAP clients need to support TLS or SSL. To configure Outlook Express for SSL, use the Advanced tab of the POP3 or IMAP mail account and select This Server Requires a Secure Connection (SSL).

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020