Understanding Connector Scope and Restrictions

 

If you need to control access to specific connectors, either by group or by a specific geographic area, you have two choices:

  • Use connector scope to restrict connector use. By definition, only users in a specific routing group can use that routing group's connector. However, you can also designate a routing group scope for another type of connector, like an SMTP connector, so that only users in a particular routing group can use the SMTP connector. Use an SMTP connector with a routing group scope if you want to ensure that users in a specific location always use this SMTP connector.

  • Create a restriction on the connector. You can restrict access to any type of connector by using the Delivery Restrictions tab of the connector properties. You can designate a distribution group that explicitly has rights to use this connector, or you can designate a distribution group that is explicitly denied access to the connector.

Using Connector Scope to Restrict Usage

To understand how your routing topology and connector scope affect message flow, consider a company named Contoso, Ltd. (contoso.com), which is located exclusively in the United States with two major offices, one in Colorado and one in Maine. All servers are connected by a high-speed network, but a fax connector and an SMTP connector exist in each site. If the fax connectors have an organizational scope, users in Colorado can use the fax connector in Maine and may incur long distance costs. Additionally, the Contoso administrator wants all users in Maine to use the SMTP connector to the Internet that is located in the Maine site, and all users in Colorado to use the local SMTP and fax connectors. In this case, despite the high network connectivity between all servers, it makes sense to use routing groups and restrict the connector scopes to the appropriate routing group.

Topology of Contoso.com


In this topology, each site has the following connectors:

  • An SMTP connector to the Internet with a routing group scope.

  • A fax connector with a routing group scope.

  • A routing group connector that allows any server in the routing group to send messages over this connector and designates all three servers in the remote site as remote bridgehead servers. Because all servers in each site share the same network connectivity, it makes sense to designate all of them as bridgehead servers, so that servers can communicate in a point-to-point fashion.

Using Delivery Restrictions to Restrict Usage

You can restrict the use of your connector to a particular group of users. The advantage of using delivery restrictions to restrict usage is that this option eliminates the need to create a routing group. The disadvantage to using a restriction is that for each message that is sent through this connector, the distribution group must be expanded to its individual recipients to enforce the restriction. This expansion is costly in terms of performance. Therefore, it is recommended that you use the Delivery Restrictions tab on a connector in cases where the distribution group is small or where you are certain that the performance impact is acceptable to your users.

Important

Be aware that restricting delivery is extremely process-intensive and can affect server performance.
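
The following is a simplified model of the two approaches, added here as an illustration; it is not Microsoft's code or Exchange's actual routing logic. The class and function names, the users, and the group memberships are constructed assumptions. It shows that a scope check needs no directory work, while a delivery restriction expands the distribution group (including nested groups) for every message.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory: distribution group -> members (users or nested groups).
GROUPS = {
    "Maine Fax Users": ["Maine Managers", "dana@contoso.com"],
    "Maine Managers": ["erin@contoso.com", "Maine Fax Users"],  # nesting loop
}

@dataclass
class Connector:
    routing_group: str                 # routing group that hosts the connector
    scope: str = "organization"        # "organization" or "routing_group"
    allow_group: Optional[str] = None  # group explicitly allowed to use it
    deny_group: Optional[str] = None   # group explicitly denied

def expand(group, stats):
    """Expand a group to individual recipients, visiting each nested group once."""
    members, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue                   # guards against nesting loops
        seen.add(current)
        stats["expansions"] += 1       # one directory expansion per group visited
        for member in GROUPS.get(current, []):
            if member in GROUPS:
                stack.append(member)
            else:
                members.add(member)
    return members

def may_use(conn, sender, sender_rg, stats):
    """Decide per message whether the sender may use the connector (model only)."""
    if conn.scope == "routing_group" and sender_rg != conn.routing_group:
        return False                   # scope check needs no group expansion
    if conn.deny_group and sender in expand(conn.deny_group, stats):
        return False
    if conn.allow_group and sender not in expand(conn.allow_group, stats):
        return False
    return True

def expansions_for(conn, sender, sender_rg, messages):
    """Count group expansions performed while checking `messages` messages."""
    stats = {"expansions": 0}
    for _ in range(messages):
        may_use(conn, sender, sender_rg, stats)
    return stats["expansions"]
```

In this model, 100 messages through a connector restricted to the constructed "Maine Fax Users" group cost 200 group expansions, while the same traffic through a routing-group-scoped connector costs none.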

A registry key on the Exchange 2003-based bridgehead server (which is the source for the connector that is being checked) controls the restriction checking functionality. If you need to configure a connector to restrict who can send data to the designated link, you must manually add the restriction checking registry value.

Note

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

For detailed instructions, see How to Enable the Registry Keys for Delivery Restrictions.

After enabling the registry key and restarting the services above, you can set delivery restrictions on the connector properties by using the Delivery Restrictions tab.

Note

You can also designate specific users or query-based distribution groups on the Delivery Restrictions tab. This approach is not recommended because each user is added as an entry in the link state table, which causes the link state table to grow very large. A large link state table can affect the network and performance because it needs to be replicated to all other servers in the organization.

Delivery Restrictions tab in SMTP Connector Properties dialog box
