Using a Dual-Homed Exchange Server as an Internet Gateway
This scenario describes a supported configuration of a dual-homed Exchange server that acts as a gateway server for the Exchange organization. This server can handle mail individually, or it can act as a bridgehead server for other servers in the organization. For security purposes, you should use this configuration behind a firewall.
The basic configuration consists of a mail gateway that is configured with two network interfaces; this gateway acts as the single connection point between your intranet and the Internet.
The following lists provide general configuration requirements for the two virtual servers and the SMTP connector:
If you configure two virtual servers on a single Exchange server, be sure to use a unique combination of IP addresses and ports. Do not configure either virtual server to use the default value of all available IP addresses.
Virtual server 1
Configure virtual server 1 as the bridgehead server for the SMTP connector.
Configure virtual server 1 to use external DNS servers, through the external DNS server list.
Bind virtual server 1 to an intranet IP address on port 25.
Enter the local company domain (for example, contoso.com).
Virtual server 2
Configure virtual server 2 so that it does not relay mail (this is the default configuration). For more information about default relay restrictions, see How to Verify Relay Restrictions on an SMTP Virtual Server.
Configure virtual server 2 to allow anonymous access (this is the default configuration). For more information about allowing anonymous access, see How to Allow Anonymous Access on Your Outbound SMTP Virtual Server.
Bind virtual server 2 to an Internet IP address on port 25.
Select the local company domain (for example, contoso.com).
Configure the SMTP connector to use DNS to route to each address space on the connector.
Home the SMTP connector to virtual server 1 by specifying it as the bridgehead server.
Create an address space of * (asterisk) or an equivalent.
Use two network interface cards (NICs)—an internal NIC and an external NIC.
Verify that there is no IP routing configuration between the two networks on your server. (This is the default configuration.)
For more information about how to configure an SMTP connector, see How to Create an SMTP Connector.
Inbound Internet Mail
Messages flow into an Exchange organization in the following manner:
Messages that originate from the Internet use the Internet IP address to send mail to recipients in the local domain.
Virtual server 2 monitors this Internet IP address for mail and receives all incoming Internet messages. Because virtual server 2 is not configured to relay mail, it rejects mail that is not directed to the company's domain (for example, contoso.com).
When virtual server 2 receives a message from the Internet that is intended for a host inside the local domain, it contacts the Microsoft Active Directory® directory service through the internal NIC to determine where to send the message. Therefore, messages that are received by virtual server 2 are sent directly to the internal host or to another bridgehead server for delivery to another routing group.
Although virtual server 2 monitors an external IP address for incoming mail, it uses whatever IP address is appropriate for routing messages, based on the entries in the routing table. Virtual server 2 uses only internal DNS services for name resolution. Virtual server 2 is not configured with an external list of DNS servers, so it does not resolve external addresses. It rejects all messages with addresses to a domain other than the company's domain (in this case, contoso.com).
Outbound Internet Mail
Mail flows out of an Exchange organization in the following manner:
A user sends a message to an external recipient.
Because this message is outbound, it uses the SMTP connector that is homed on virtual server 1.
When virtual server 1 receives a message for a remote domain, it uses the list of external DNS servers to find the IP address of the message recipient, and then uses the external NIC to deliver the external mail. (Generally, external Internet IP addresses are not available on an internal DNS server.)
Although virtual server 1 is configured to monitor the intranet IP address, it uses the Internet NIC for external mail.
The following figure illustrates the flow of mail through a dual-homed server.
Internet mail flow through a dual-homed Exchange gateway server
Using Internet Mail Wizard to Configure a Dual-Homed Exchange Server
You can use Internet Mail Wizard to configure a dual-homed Exchange server. The wizard guides you through the necessary configuration and automatically creates a connector on your outbound SMTP virtual server.
Use the How to Start Internet Mail Wizard procedure to configure a dual-homed Exchange server with two SMTP virtual servers to send and receive Internet mail. After you run Internet Mail Wizard, the Exchange server will send and receive all Internet mail according to the configuration you specify in the wizard.
You cannot use Internet Mail Wizard if you have already configured an SMTP connector or created an additional SMTP virtual server on your Exchange server. You must revert to the default configuration before you can run Internet Mail Wizard.
The wizard creates an additional SMTP virtual server on your Exchange server. It configures Internet mail delivery in the following ways:
To configure a server to send Internet mail, the wizard guides you through the process of assigning the intranet IP address to the default SMTP virtual server on which it creates the SMTP connector to send outbound mail. You assign the intranet IP address to this virtual server so that only internal users on your intranet can send outbound mail.
To configure a server to receive Internet mail, the wizard guides you through the process of assigning the Internet IP address to the Internet SMTP virtual server. You assign an Internet IP address to this virtual server because external servers need to be able to connect to this SMTP virtual server to send Internet mail to your company. Additionally, you must have an MX record on your Internet DNS server that references this server.
Internet Mail Wizard also performs the necessary checks on your Internet SMTP virtual server to ensure it is configured correctly. It verifies the following:
Your Internet SMTP virtual server accepts anonymous connections.
Your Internet SMTP does not permit relaying.
For more information about Internet Mail Wizard, see Using Internet Mail Wizard to Configure Internet Mail Delivery.
To increase the security of a dual-homed gateway server configuration, consider the following recommendations:
Use Internet Protocol security (IPSec) policies to filter ports on the Internet NIC. For more information about IPSec policies, see the Microsoft Windows 2000 or Windows Server 2003 online documentation.
Strictly limit the users that you allow to log on to the server. One simple way to do this is to leave the server running without a keyboard, mouse, or monitor and to use Terminal Services to manage the server. Then, you allow only administrators to have Terminal server access.
Using a dual-homed Exchange server as a gateway server in this configuration allows a company to limit its exposure by minimizing the entry points from the Internet to its intranet. By preventing the virtual server on the Internet from relaying messages to other Internet hosts, you ensure that the virtual server routes only mail that is addressed to valid internal recipients. Because virtual server 1 uses an external list of DNS servers to route only outbound Internet mail (not for internal mail), external DNS server issues won't affect internal mail traffic. By separating your incoming Internet mail, internal mail, and outgoing Internet mail processes, the points of failure for any of the three processes remain distinct and more manageable.