Creating a New Edge Transport Server Security Policy
When
implementing network security through the implementation of an Edge
Transport server, a security policy can be created on the Edge server.
To create a new Edge Transport server security policy, do the following:
1. | Click
Start, point to All Programs, point to Administrative Tools, and then
click Security Configuration Wizard to start the tool. Click Next on
the welcome screen.
| 2. | On the Configuration Action page, select Create a New Security Policy, and then click Next.
| 3. | On
the Select Server page, verify that the correct server name appears in
the Server (use DNS name, NetBIOS name, or IP address) field. Click
Next.
| 4. | On the Processing Security Configuration Database page, wait for the progress bar to complete, and then click Next.
| 5. | On the Role-Based Service Configuration page, click Next.
| 6. | On the Select Server Roles page, select the Exchange 2007 Edge Server check box, and then click Next.
| 7. | On
the Select Client Features page, select each client feature that is
required on your Edge Transport server, and then click Next.
| 8. | On
the Select Administration and Other Options page, select each
administration feature that is required on your Edge Transport server,
and then click Next.
| 9. | On
the Select Additional Services page, select each service that is
required to be enabled on the Edge Transport server, and then click
Next.
| 10. | On
the Handling Unspecified Services page, select the action to perform
when a service that is not currently installed on the local server is
found. You can select to take no action by selecting Do Not Change the
Startup Mode of the Service, or you can select to automatically disable
the service by selecting Disable the Service. Click Next.
| 11. | On
the Confirm Service Changes page, review the changes that this policy
will make to the current service configuration. Click Next.
| 12. | On the Network Security page, verify that Skip This Section is not selected, and then click Next.
| 13. | On
the Open Ports and Approve Applications page, you must add two ports
for LDAP communication to Active Directory Application Mode (ADAM). To
add the ports:
- a. Click Add. On the Add
Port or Application page, in the Port Number field, enter 379. Select
the TCP check box, and then click OK.
- b. Click
Add. On the Add Port or Application page, in the Port Number field,
enter 626. Select the UDP check box, and then click OK.
| 14. | On the Open Ports and Approve Applications page, you must configure the ports for each network adapter. To do so:
- a. Select
Port 25, and then click Advanced. On the Port Restrictions page, click
the Local Interface Restrictions tab. Select Over the Following Local
Interfaces, select both the Internal Network Adapter and External
Network Adapter check boxes, and then click OK.
- b. Select
Port 379, and then click Advanced. On the Port Restrictions page, click
the Local Interface Restrictions tab. Select Over the Following Local
Interfaces, select only the Internal Network Adapter check box, and
then click OK.
- c. Select Port 626, and then
click Advanced. On the Port Restrictions page, click the Local
Interface Restrictions tab. Select Over the Following Local Interfaces,
select only the Internal Network Adapter check box, and then click OK.
- d. Select
Port 3389, and then click Advanced. On the Port Restrictions page,
click the Local Interface Restrictions tab. Select Over the Following
Local Interfaces, select only the Internal Network Adapter check box,
and then click OK.
| 15. | On the Open Ports and Approve Applications page, click Next. | 16. | On the Confirm Port Configuration page, verify that the incoming port configuration is correct, and then click Next.
| 17. | On the Registry Settings page, select the Skip This Section check box, and then click Next.
| 18. | On the Audit Policy page, select the Skip This Section check box, and then click Next.
| 19. | On the Save Security Policy page, click Next.
| 20. | On
the Security Policy File Name page, enter a filename for the security
policy and an optional description. Click Next. If a restart of the
server is required after the policy is applied, a dialog box appears.
Click OK to close the dialog box.
| 21. | On the Apply Security Policy page, select Apply Now, and then click Next.
| 22. | On the Completing the Security Configuration Wizard page, click Finish.
|
Administrator Permissions on an Edge Transport Server
By
default, when you install an Edge Transport server role, the server is
administered using local user accounts. This is because the server is
configured as a standalone server in the perimeter network and has no
domain membership.
The local
Administrators group is granted full control over the Edge Transport
server, including administration permissions over the instance of
Active Directory Application Mode (ADAM) on the server. Logging on as
an account with membership in the local Administrators group gives you
permission to modify the server configuration, security configurations,
ADAM data, and the status of queues and messages currently in transit
on the server.
Generally, you would
utilize Microsoft Windows Terminal server to administer an Edge
Transport server, and the local Administrators group is granted remote
logon permissions by default. Rather than allowing all of your
administrators to use the default Administrator account, it is
recommended that you create a separate local account for each
administrator who will be administering your Edge servers, and adding
these accounts to the local Administrators group on the server.
Table 1
below identifies administrative tasks that are commonly performed on an
Edge Transport server, and the required group membership needed for
each task.
Table 1. Edge Transport Server Administrative Tasks| Administative Task | Membership Needed |
|---|
| Backup and restore | Backup Operators | | Enable and disable agents | Administrators | | Configure connectors | Administrators | | Configure antispam policies | Administrators | | Configure IP Block lists and IP Allow lists | Administrators | | View queues and messages | Users | | Manage queues and messages | Administrators | | Create an EdgeSync subscription file | Administrators |
|
