Hub Transport Role
Hub Transport Server overview
Microsoft Hosted Messaging and Collaboration version 4.5 reference architecture has two types of Hub Servers. One is for internal mail routing; the other is for external mail routing, and antivirus/anti-spam.
There is lag time for both newly created and updated accepted domains and accepted users on the Edge server because of built in EdgeSync delay replication and cache delay (KB article 936159). This can cause undesired NDR messages for hosting organizations. For this reason, Hosted Messaging and Collaboration version 4.5 offers an alternative deployment scenario where the Microsoft Exchange Server 2007 Hub Transport server can be reached directly through the Internet. The external Hub transport server will offer antivirus and anti-spam protection similar to the security provided by the Edge server role.
In the solution architecture, the Hub Transport server role is not combined with other roles.
In Hosted Messaging and Collaboration version 4.0, the internal Out of Office (OOF) responses, instead of the external OOF responses, are delivered between companies hosted within the same environment. With Microsoft Hosted Messaging and Collaboration version 4.5, the OOF notification is now multi-tenant aware and inter-tenant users will correctly receive the external OOF notification.
Hosted Messaging and Collaboration version 4.5 modifies the OOF e-mail routing behavior by overriding Exchange 2007 categorizer behavior with a custom agent. The solution takes advantage of the agent extension to modify mail routing behavior.
Hub Transport Server for Internet E-mail Relay
Hub Transport Services provide all mail transfer inside the organization, apply organizational mail flow routing rules and transport rules, and are responsible for delivering messages to a recipient's mailbox. You must have at least one Hub Transport server to enable internal mail routing and delivery.
Load balance Configuration and Recommendations
Hub servers are not load balanced at the network layer. However, resiliency has been designed into the Hub Transport, as well as the Mail Submission Service on Mailbox servers, for deployment of multiple Hub Transport servers so you can deploy multiple Hub Transport servers for internal transport high availability.
Recommendations for Provisioning
Hub servers are domain members and keep their configuration information in Active Directory service; therefore, they can be provisioned using security credentials of domain-based service accounts. The list of accepted domains and accepted recipients is synchronized from Active Directory to the Hub Transport server.
Recommendations for Management and Monitoring
The solution architecture includes steps to deploy System Center Operations Manager to monitor your Exchange server deployment.
For more information about Hub Transport server, see Microsoft Exchange product document Hub Transport.
Improved Message Routing throughputs on Hub Transport Server
Exchange Server 2007 SP1 includes the following enhancements to core transport functionality:
Intra-organization Security Consideration
Internet facing the Hub Transport server will scan the inbound messages from the Internet. And intra-tenant e-mails are not scanned by Hub Transport server.
The possible solution for intra-organization e-mail scan is through transport extensibility and routing enhancements that allow for a customized agent (developed by hosters) to modify routing such that messages will be relayed to third party antivirus gateway or service (such as EHS) for further processing before delivery to the recipient mailbox based on business logic implemented in the agent.
To do that, install Microsoft Forefront™ Security for Exchange (FSE) Server, implement a customized Hub agent on internal server and internal mailbox server. The agent must be registered for the OnResolvedMessage event, a public extensibility point made available in the categorizer pipeline. The OnResolvedMessage is a new event available only in Exchange 2007 Service Pack1. This event gets fired in between OnSubmittedMessage and OnRoutedMessage.
For intra-organization anti-spam implementation, it is in the customer agent. We cannot have the tenant granularity.
For more information about OnResolvedMessage Routing, see New Antivirus and Anti-Spam in Hosted Messaging and Collaboration version 4.5
Forefront™ Security for Exchange Deployment
Microsoft Forefront™ Security for Exchange (FSE) Server is an antivirus software package that is tightly integrated with Exchange 2007 and offers antivirus protection for the Exchange environment. Intra-tenant emails are scanned by FSE on the Hub server. When FSE detects messages that seem to contain a virus, the system deletes the message, generates a notification message, and sends the notification to the recipient's mailbox.
FSE is not installed on Hub server by default. It is out of the box as part of the Exchange server role install. It must be installed separately.
The following are the general deployment considerations.
Hub server will scan the messages if FSE is installed on the Hub server.
Store based scanning (with Exchange native APIs) is not necessary, and it is not recommended.
For more information about Forefront Security for Exchange Server, see Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server and Anti-Spam and Antivirus Functionality.
Hub Transport Server for External E-mail Routing
One newly created recipient may not receive e-mail messages for up to eight hours when you use an Exchange 2007 Edge Transport server in a Microsoft Solution for Hosted Messaging and Collaboration version 4.0 environment. For detailed description about the cause and the proposed solutions, see KB article 936159 [https://support.microsoft.com/kb/936159].
In that KB article, one proposal is changing the deployment architecture to put an external Hub out on the perimeter network to receive Internet mail. In Hosted Messaging and Collaboration version 4.5, an Internet-facing Hub Transport server is recommended to replace the previous Edge server.
The Edge Transport and Hub Transport servers have different default settings. The Hub Transport server is configured by default to be as secure as possible and does not accept mail from unauthenticated sources. To put it on the perimeter network, the server should be placed behind a firewall. A common configuration for a single Exchange server is to have Exchange sitting directly behind a NAT firewall or reverse proxy like ISA.
For more information on this topic and the various options available, see How to Configure Connectors for Internet Mail Flow.
The five main feature sets that need to consider are listed as follows.
Hub transport requires a connection to Active Directory. That means the perimeter network joins the domain, which provides security vulnerability.
The SMTP stream from the Internet tends to be full of spam. By putting Hub server on the perimeter network, internal servers need to filter spam. This additional workload need to be considered when internal email is mission critical.
Hub Transport rules are largely for compliance whereas Edge Transport rules are largely for hygiene. For more information about this topic, see Overview of Transport Rules.
Attachment filter protocol agent: the hub transport rules do have some attachment options, but the ability to scan the incoming MIME stream for malicious attachment types and reject at the protocol layer is not one of those features; this agent is not installed or supported on hub at the present time, however, anti-virus products like Microsoft Forefront often provide this functionality.
Address re-write agent: this agent generally is used by larger corporations that will have Edge servers and/or additional software that can perform this functionality.
By default, there is no anti-spam functionality enabled on the Hub Transport server. For antivirus and anti-spam on Hub Transport Server for external e-mail routing, see New Antivirus and Anti-Spam in Hosted Messaging and Collaboration version 4.5.
The following information’s target audience is service provider administrators.
Messaging Tracking in Exchange Server 2007
Message tracking log is one of the five logs in Exchange Server 2007 Service Pack 1. Message tracking records the Simple Mail Transfer Protocol (SMTP) transport activity of all messages that are transferred to and from an Exchange 2007 computer that has the Hub Transport, or Mailbox server role installed. Message tracking log can be utilized for message forensics, mail flow analysis, reporting, and troubleshooting. For more information about the the other four logs, see Managing Transport Logs.
Exchange servers that have the Client Access server role or Unified Messaging server role installed don't have message tracking logs.
Note that message tracking is not multi-tenant aware or enabled as it is not server based. That is, out of the box, the feature does not support having different messaging tracking levels for different tenants.
For more information about the cmdlets for message tracking configuration, the structure of the message tracking log files, the information inside the message tracking log file and security concerns of the Message tracking log, see Managing Message Tracking.
Configure Message Tracking
To modify the message tracking settings on a server that has both the Mailbox server role and the Hub Transport server role installed, use the Set-MailboxServer cmdlet or the Set-TransportServer cmdlet.
In Microsoft Exchange Server 2007 Service Pack 1, you can also use the Exchange Management Console on a Hub Transport server to enable or disable message tracking, and to specify the location of the message tracking log files.
For detailed procedures about how to configure messaging tacking, see How to Configure Message Tracking.
Search the Message Tracking Logs
In the release to manufacturing (RTM) version of Exchange 2007 and in Exchange 2007 Service Pack 1 (SP1), you can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell and the Message Tracking tool in the Exchange Management Console to search for entries in the message tracking logs by using specific search criteria.
In Exchange 2007 SP1, you can use the new Exchange Management Shell script named GetMessageTrackingLogE2EwithTime.ps1 to search for specific entries in all message tracking logs on all Hub Transport servers and Mailbox servers in the Exchange organization. This is useful when you want to track the complete end-to-end path of a message as it travels through the Exchange organization.