
Sunday, June 8, 2014

Exchange 2010 Architecture

The Exchange 2010 enterprise messaging and collaboration platform is built on a modular architecture consisting of Edge Transport, Hub Transport, Client Access, Mailbox and Unified Messaging servers.  The architecture provides scalability and fault tolerance for the messaging system, much of which may be implemented without clustering.

[Figure: Multi Site Exchange Data and Logical Structure]

A more detailed poster is available from Microsoft here.

List of Exchange Component Servers

Edge Transport Server

The Edge Transport Server is a dedicated SMTP mail delivery server designed for the DMZ.  This is where antivirus and antispam filtering takes place.  An additional benefit is that this role separates SMTP traffic from other types of external traffic (e.g. web-based access) for better scalability.


The Edge Transport Role is nothing more than an SMTP gateway.  Other third-party mail gateways may fulfill this role.  One example detailed in another article is using an Active Directory Integrated Postfix Mail Gateway to Exchange.

Hub Transport Server

The Hub Transport Server role is dedicated to internal message routing and policy.  For instance, a Hub server will retain a copy of a message until it receives an acknowledgement that it has been successfully delivered to a mailbox.  It also maintains communications with Mailbox Servers (see below) concerning availability and dumpster maintenance; it will not purge older messages in the dumpster until all logs have been successfully replicated.

Client Access Server

The Client Access Server Role provides local and remote client access using a variety of protocols such as local Outlook MAPI client access over Remote Procedure Calls (RPC), web client access over HTTPS, ActiveSync access over HTTPS and remote Outlook client access using RPC over HTTPS.


The Client Access Server role, operating separately from the other roles, is designed with scalability in mind.  Under heavy client loads, Client Access Servers can be clustered behind a hardware load balancer or other network load balancing technology such as HAProxy.


The Client Access Server role uses so many protocols in addition to those listed above (Kerberos, for example) that placing a firewall between the Client Access Server and the rest of the Exchange infrastructure is generally impractical.  Microsoft states that direct access to the private network -- bypassing the DMZ -- is required for external clients connecting to a Client Access Server.  So, one must open HTTPS from the External (Internet) firewall zone directly to the Private zone.  Microsoft also states that the Client Access Server is "hardened" for security and that this arrangement poses no problem.

Indeed, the author has tested the implementation and it has reasonable measures (such as denying all ICMP packets via Windows Firewall) to resist script kiddies.  A reverse proxy such as Nginx or Apache in the DMZ does not afford much web application protection from a more realistic application penetration, as described in the article Suricata IDS -- Arachni Vulnerability Scan.  The author stands firmly on the fence with regards to whether to allow direct access from the Internet or to install a reverse proxy in the DMZ.  An article describing an Apache Reverse Proxy to Exchange Client Access Server describes how this is implemented.

Mailbox Server

The Mailbox Server role provides message storage.  Essentially, it is a database server integrated with Windows Active Directory and the rest of the Exchange messaging and collaboration system.  As such, it is as hardware intensive as any other database server.

Unified Messaging Server

The Unified Messaging role is a gateway from a PBX or VoIP voice system into Exchange.

Recommended Exchange Server Role Ratios

Live Exchange systems are complex.  A small business can deploy all roles on a single server.  Medium businesses will have to deploy two or more servers depending upon the size of the company and overall load.  Enterprises require very complex implementations with one or many servers (and potentially load balancers) incorporated into the design.  Microsoft provides the following general rules for ratios of cores and memory for large Exchange deployments:

Client Access Server (CAS)

CAS to Mailbox ratio = 3 : 4 processor cores
8 cores recommended, 2GB RAM per core

Hub Transport server

Hub to Mailbox ratio = 1 : 7 (no A/V on Hub) or 1 : 5 (with A/V on Hub) processor cores
4 cores recommended, 1GB RAM per core

Mailbox Server

4-8 cores, 4GB RAM base + 2-8MB per mailbox based on mail profile

Unified Messaging Server

4 cores, 4-8GB RAM total

Edge Transport Server

2 to 4 cores

Global catalog to Mailbox ratio 1 : 8 (64-bit GC) processor cores
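The ratios above are easiest to apply when the mailbox tier is sized first and the other roles are derived from it.  The following sizing helper is an added example, not part of the original post or any Microsoft tool; it treats the page's ratios as minimums (rounding up to whole cores), takes the mailbox-tier core count, mailbox count and mail-profile figure as inputs, and branches on whether antivirus runs on the Hub role.  The parameter names and the rounding rule are assumptions.

```python
from dataclasses import dataclass

# Ratios quoted on this page (cores per mailbox-server core); everything
# else, including rounding up and the input parameters, is an assumption.
CAS_RATIO = (3, 4)          # CAS : Mailbox = 3 : 4
HUB_RATIO_NO_AV = (1, 7)    # Hub : Mailbox = 1 : 7 without A/V on Hub
HUB_RATIO_AV = (1, 5)       # Hub : Mailbox = 1 : 5 with A/V on Hub
GC_RATIO = (1, 8)           # 64-bit Global Catalog : Mailbox = 1 : 8
MBX_BASE_RAM_GB = 4         # Mailbox server base RAM
CAS_RAM_GB_PER_CORE = 2
HUB_RAM_GB_PER_CORE = 1


@dataclass
class RoleSizing:
    cas_cores: int
    cas_ram_gb: int
    hub_cores: int
    hub_ram_gb: int
    gc_cores: int
    mailbox_ram_gb: float


def _ceil_ratio(cores: int, ratio: tuple) -> int:
    """Integer ceiling of cores * num / den, so ratios never under-provision."""
    num, den = ratio
    return -(-cores * num // den)


def size_roles(mailbox_cores: int, mailboxes: int,
               mb_per_mailbox: float, av_on_hub: bool) -> RoleSizing:
    """Derive CAS, Hub and GC cores plus RAM from the mailbox tier.

    mb_per_mailbox is the page's 2-8 MB mail-profile figure; values outside
    that range are rejected rather than extrapolated.
    """
    if mailbox_cores < 1 or mailboxes < 1:
        raise ValueError("mailbox_cores and mailboxes must be positive")
    if not 2 <= mb_per_mailbox <= 8:
        raise ValueError("mail profile must be between 2 and 8 MB per mailbox")
    cas = _ceil_ratio(mailbox_cores, CAS_RATIO)
    hub = _ceil_ratio(mailbox_cores, HUB_RATIO_AV if av_on_hub else HUB_RATIO_NO_AV)
    gc = _ceil_ratio(mailbox_cores, GC_RATIO)
    mailbox_ram = MBX_BASE_RAM_GB + mailboxes * mb_per_mailbox / 1024
    return RoleSizing(cas, cas * CAS_RAM_GB_PER_CORE,
                      hub, hub * HUB_RAM_GB_PER_CORE,
                      gc, round(mailbox_ram, 2))


if __name__ == "__main__":
    # Constructed scenario: two 8-core mailbox servers hosting 2000 mailboxes
    print(size_roles(mailbox_cores=16, mailboxes=2000, mb_per_mailbox=4, av_on_hub=False))
```

Moving antivirus onto the Hub role raises its share of the mailbox tier from one seventh to one fifth, which this helper shows as a full extra core once rounded up.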



