Exchange Server 2010 SP1 Beta Hosting Deployment... Part #7 - Transport Segregation
Back in 2008, I wrote a couple of blogs about the things we do to multi-tenant Exchange Server 2007 in HMC. In those blog posts, I walked through from a high level the components in Exchange that HMC changes to make the product multi-tenant. You can read them here, http://blogs.technet.com/b/provtest/archive/tags/hosted+exchange+server+2007/
Now, in those posts, I talked about address list segregation, Active Directory segregation through Access Control List, Internal and External OOF segregation in the transport layer, Austodiscover and etc. for Exchange Server 2007. Subsequently, I also talked about resource management subsequently for various services subsequently here, http://blogs.technet.com/b/provtest/archive/tags/resource+management/, which one of them is the Exchange Resource Management.
So, here, I am taking similar approach, reviewing component by component so that we all have a better idea how things work differently compared to an enterprise environment and also compared to Exchange Server 2007 in Hosted configurations. I have already spent much time talking about some unique differences in Exchange Server 2010 SP1 beta so far, how we install it, how we create tenant organization, how we can manage it through ECP, Powershell and etc. I started with those posts because I think it is important for everyone to get a feel of Exchange Server 2010 SP1 beta first. Now that we have done that, it is time to walk through from a high level the components that make Exchange Server 2010 SP1 a true hosted messaging platform.
I want to start with Transport and then I will move towards other areas. As most of you know by now, in Exchange Server 2010 SP1, like HMC, each tenant organization will have their own OU/container in the Domain Naming context where the system put all the users, mailboxes, contacts and groups in that tenant organization in. The concept is not very different compared to HMC. Of course, from the segregation standpoint, there is a huge difference because of RBAC instead of Active Directory ACL. That is one topic that I will go further in the next few posts and it is also where I will discuss a little bit more about Reseller model. Now, this is all good. What Exchange Server 2010 SP1 went further than HMC is that, each tenant organization also has their very own configuration container. This is a huge.
Think of it this way, in Exchange Server 2007, it is like a big apartment having many tenants. However, there is still tons of shared infrastructure in place. Exchange Server 2010 SP1 is really more like townhomes where you are kind of attached to each other but at the same time, you have your own garage, your own backyard and etc. It is probably not the best example, but hopefully you get the point.
Now, because the segregation goes much further than the previous version (HMC), you will notice the behaviour of some of the components also changes. Let us step through it now,
Intra-Tenant Organization Mail Delivery
This is straightforward. Like Exchange Server 2007, the mail will be routed to Hub Transport Server and then route back to the mailbox server for mail delivery like the following,
Internet Mail Delivery (Send and Receive outside of the Exchange Organization)
This is mail delivery to and from Internet. This again, is quite straightforward. Remember in the Help File, it said it won't support Edge Transport? That's the reason in the following diagram; I am using Hub Transport servers instead. Of course, you can also put in an Anti-spam or Anti-virus server in between but for simplicity reason over here, let's not get into that.
Out of the box, Exchange Server 2010 SP1 does not send Internet nor receive Internet email. You need to first create a send as well as a receive connector to allow that. Here are some examples, to create an Internet send connector (I put this in because I know some of us get very used to the Wizard in EMC and since in Hosting Deployment, you can't use EMC),
New-SendConnector -Internet -Name InternetSendConnector -AddressSpaces *
The default receive connector in HT is configured for other Exchange servers to authenticate, but it does not accept anonymous email by default. Hence, out of the box, it won't receive mail from internet. Run the following on your incoming HT server to create a receive connector (make sure you change the binding),
New-ReceiveConnector -Internet -Name InternetReceiveConnector -Bindings "192.168.1.100:25"
If you follow the Hosting Deployment, you notice that, you can also run ./install-AntispamAgents.ps1 to enable the Antispam Agents. After you run the script, you must restart the Microsoft Exchange Transport service to finish the installation of the following anti-spam features:
- Connection filtering
- Content filtering
- Sender ID
- Sender filtering
- Recipient filtering
- Sender reputation
Inter-Tenant Organization Mail Delivery
This is mail delivery between the tenant organization in your environment. For example, in your hosted environment, you host both AlpineskiHouse and Tailspin and it happens that a user in AlpineSkihouse wants to send to a user in Tailspin, say Johnc@alpineskihouse wants to send to Sally@tailspin.com.
In Exchange Server 2007, both organizations are somehow considered 'internal'. As a result, when Johnc@alpineskihouse sends a mail to Sally@tailspin.com, and if Sally@tailspin.com has an Out of Office enabled, Johnc@alpineskihouse.com may actually get an Internal OOF instead of External OOF. In HMC, or rather in Exchange Server 2007, the product cannot differentiate that. So, in order to work around it, we created a Transport Agent which I talked about herehttp://blogs.technet.com/b/provtest/archive/2008/12/26/hmc-4-5-and-exchange-2007-sp1-part-3-internal-and-external-out-of-office.aspx. That's HMC world.
Fast forward back to this, remember every single tenant organization has it's own set of configurations? Here is where things get interesting. When you send a mail from one tenant organization to another, Exchange Server 2010 SP1 will treat that mail as an Internet mail or external mail. If you enable pipeline tracing, you will see that the message has a context for the specific tenant organization, meaning when the Hub Transport took the mail, it will only look at the accepted domains within that organization. For example, when Johnc@alpineskihouse.com sends a mail to Sally@tailspin.com, the transport looks at the accepted domains only within Alpineskihouse and tailspin.com is not in it, that means, this mail is meant to be delivered out instead of Exchange organization internal delivery.
So, what does that mean? It means, the Hub Transport server will attempt to deliver the mail by DNS instead of trying to resolve that via Active Directory. It will be like the following,
Now, I am quite sure you can see the problem now. The mail needs to be delivered back to the Hub Transport server, potentially itself. If it doesn't go back to itself based on DNS resolution, then it is probably okay. However, if it tries to deliver back to itself, then you have a message looping issue and hence the delivery will fail. Some of you who setup the lab environment with minimum number of servers, like having just one HT, you will encounter the problem of inter-tenant organization mail delivery in this Exchange Server 2010 SP1 beta. Will this behaviour change in RTM? I do not know but unlikely in my opinion. I will explain more.
In a nutshell, I do agree with the concept behind this because it makes things simple and it removes the necessity of having a transport agent to deal with any Out of Office or a potential of Anti-spam or Anti-virus being bypassed like in Exchange Server 2007. So, think of it like in Exchange Server 2007, it is like an apartment. If you want to deliver something to someone within that apartment, you really don't need to get out of the apartment, you just walk to the door and deliver it. Unlike in a town homes, where you have to walk out of the house and then deliver it.
What do you need then? If you have a single server setup (mailbox, CAS, HT), you probably are experiencing this issue right now. To work around that, setup a simple SMTP service and have the mail deliver it out and then deliver it back in like the following,
Of course, in reality, no hoster in the world is going to have a single box (and I truly hope you guys aren't thinking about it). Now, I am not sure if Microsoft is going to provide any official guidance on how you should design your HT infrastructure and there are tons of ways to do it. Here is one way that I will share with you,
What I did above is that, I have dedicated HT servers for incoming on a separate AD site. This way, we know that HT servers in Site B will never pick up any mail to be sent out to the Internet from Mailbox server and it will only be processing incoming mail. Of course, you can also do it by setting specific configurations to instruct the mailbox server to only use the listed HT server for submission. Like I said, there are a few ways you can go to do this.