Hub Transport Vs Edge Transport

    Question

  • Hi,

    We have two Hub Transport servers and one Edge Transport server.

    On the Hub Transport servers, the default receive connector settings (Default BLOG-HUB1 and Default BLOG-HUB2) are as follows.

    RemoteIPRanges is configured as {0.0.0.0-255.255.255.255}. Is this correct, or do we need to assign the EDGE server IP (10.0.0.100) only? I ask because I have found that normal users can telnet to port 25 on a Hub Transport server and send an EHLO message, which is vulnerable.

    Please see the settings and advise me on AuthMechanism, PermissionGroups and RemoteIPRanges.

    [PS] C:\Windows\system32>Get-ReceiveConnector "Default BLOG-HUB1" | fl

    RunspaceId                              : b4c1e711-91fd-4f9f-ad0b-cf49c28c9f69
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : BLOG-HUB1.blog.com.sa
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize                           : 64 KB (65,536 bytes)
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10 MB (10,485,760 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 5000
    PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : BLOG-HUB1
    SizeEnabled                             : EnabledWithoutValue
    TarpitInterval                          : 00:00:00
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default BLOG-HUB1
    DistinguishedName                       : CN=Default BLOG-HUB1,CN=SMTP Receive Connectors,CN=Protocols,CN=BLOG-HUB1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=BLOG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=blog,DC=com,DC=sa
    Identity                                : BLOG-HUB1\Default BLOG-HUB1
    Guid                                    : 9d6b15a6-82ec-43f1-a41d-c707921b45f2
    ObjectCategory                          : blog.com.sa/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 1/8/2011 8:01:26 AM
    WhenCreated                             : 8/29/2010 4:21:57 PM
    WhenChangedUTC                          : 1/8/2011 5:01:26 AM
    WhenCreatedUTC                          : 8/29/2010 1:21:57 PM
    OrganizationId                          :
    OriginatingServer                       : blog-ad1.blog.com.sa
    IsValid                                 : True

    [PS] C:\Windows\system32>Get-ReceiveConnector "Default BLOG-HUB2" |fl

    RunspaceId                              : f1de92f6-0911-4a9f-a16f-5e29d54f4306
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : BLOG-HUB2.blog.com.sa
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize                           : 64 KB (65,536 bytes)
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 10 MB (10,485,760 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 5000
    PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : BLOG-HUB2
    SizeEnabled                             : EnabledWithoutValue
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default BLOG-HUB2
    DistinguishedName                       : CN=Default BLOG-HUB2,CN=SMTP Receive Connectors,CN=Protocols,CN=BLOG-HUB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=BLOG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=blog,DC=com,DC=sa
    Identity                                : BLOG-HUB2\Default BLOG-HUB2
    Guid                                    : 689da559-79eb-41be-bc71-c3de2be3bfe9
    ObjectCategory                          : blog.com.sa/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 1/8/2011 8:01:38 AM
    WhenCreated                             : 8/30/2010 12:26:30 PM
    WhenChangedUTC                          : 1/8/2011 5:01:38 AM
    WhenCreatedUTC                          : 8/30/2010 9:26:30 AM
    OrganizationId                          :
    OriginatingServer                       : BLOG-DC1-AD2.blog.com.sa
    IsValid                                 : True

    Thanks in advance.


    Regards, Amjuu-Anu ..
    Monday, January 10, 2011 1:08 PM


All replies

  • Users can telnet to the HUB, but this is blocked by your firewall; users can only telnet from the external network to the Edge server. Or are you talking about internal users?
    Regards, Mahmoud Magdy Watch Arabic Level 300 Videos about Exchange 2010 here: http://vimeo.com/user3271816 Read pretty advanced Exchange stuff I post here: http://www.enowconsulting.com/ese/blog.asp, follow my blog: http://autodiscover.wordpress.com , corp blog: http://ingazat.wordpress.com, Follow me on twitter http://www.twitter.com/_busbar and if you Liked my post please mark it as helpful and accept it as an answer
    Monday, January 10, 2011 1:13 PM
  • Please let us know whether you are planning for Edge synchronization or without it. Usually Edge synchronization will set all of this up for you.


    Best Rgds, Ashish | Unified Communication | MCTS | MCITP | Please remember to select option "Propose As Answer" if the solution works for you | My posts hold no assurances, no promises, and they measured no rights.
    Monday, January 10, 2011 3:02 PM
  • I'm talking about internal users being able to telnet to BLOG-HUB1 on port 25 from the command prompt, open an SMTP session and send a message.
    Regards, Amjuu-Anu ..
    Monday, January 10, 2011 6:25 PM
  • The whole setup was already done a couple of months ago with Edge synchronization and everything is working fine, but fortunately I found today that a normal internal user can telnet to port 25 on a Hub Transport server, open an SMTP session and send messages.

    We never opened any SMTP ports for normal users.

    What about the Remote IP range which I showed above? I suspect that we need to assign the particular Edge Transport IP only, as long as the Hub will talk to the Edge only on port 25.

    OR

    Does the Hub Transport talk to MS Outlook clients on port 25?


    Regards, Amjuu-Anu ..
    Monday, January 10, 2011 6:37 PM
  • It depends on the configuration of the HUB receive connector: if anonymous user permissions are there, then any user can telnet and send messages. However, if you want to stop sending messages through telnet, please disable the Telnet service on the Exchange HUB box. This should be part of server hardening.

    For MAPI sessions you don't need an SMTP receive connector; it is required for Outlook Express clients, as they all use SMTP connections.

    The range also depends on need: you specify the range of addresses from which you want to allow connections.


    Best Rgds, Ashish
    Monday, January 10, 2011 7:52 PM
  • You can set up the firewall just to block port 25 for internal users.
    Regards, Mahmoud Magdy
    Tuesday, January 11, 2011 7:06 AM
  • Hi,

    You can set the Receive Connector to only receive email from the Edge server via the Remote IP address; that is feasible.

    Thanks

    Allen


    Allen Song
    Friday, January 14, 2011 7:30 AM
    Moderator
  • Hi Allen,

    We have two Hub Transport servers and one Edge server. Can I set the IP of the Edge on both Hub Transport servers' receive connectors?

    Please let me know. Thanks.


    Regards, Amjuu-Anu ..
    Saturday, January 15, 2011 5:19 AM
  • Hi Amjuu,

    PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers,

    It looks like you have enabled authentication for "Anonymous users" in the default receive connector, so internal users can send mail through the HUB server; but if they try to send mail to an external domain, then they cannot send it.

    Secondly, you can add the EDGE IP address in the receive connector, which is created after EDGE sync, or created manually.


    Anil
    Saturday, January 15, 2011 6:40 AM
  • Hi Anil,

    As per Ashish Sharma-UC's post, today I removed "Anonymous users" authentication from the Permission Groups at the Default Receive Connector (Hub1 and Hub2). It seems OK, meaning I can send and receive internal and external mail.

    And normal users cannot telnet to the Hub Transport servers, which is what I needed.

    I still have not changed the Remote IP of the Edge on the Hub Transport servers' "Default Receive Connector".

    Can I add or set the Edge IP on both Hub Transport servers' "Default Receive Connector"? Right?


    Regards, Amjuu-Anu ..
    Saturday, January 15, 2011 2:01 PM
  • If there is Edge synchronization in place then you need not; if it is manually configured then yes, you should add them.
    Best Rgds, Ashish
    Saturday, January 15, 2011 4:43 PM
  • Yes, Edge Synchronization is in place (already synchronized with the Hub Transport servers). What do you mean by manual configuration?
    Regards, Amjuu-Anu ..
    Saturday, January 15, 2011 4:50 PM
  • Then there should be no need to add the Edge IPs at the receive connectors; Edge synchronization should have all the info.

    A few customers do all connector configuration manually: they don't want to expose anything to Edge, or they already have some other 3rd-party app in place.

    Best Rgds, Ashish
    Saturday, January 15, 2011 5:16 PM
  • So can I set or add the Edge IP (10.0.0.100) on both Hub Transport servers' "Default Receive Connectors" instead of {0.0.0.0-255.255.255.255}?

    Please have a look at my first post and advise.

    Thanks a lot.


    Regards, Amjuu-Anu ..
    Saturday, January 15, 2011 5:52 PM
  • Yes you can, if you are not allowing any direct SMTP sessions from any internal app, Outlook Express or any other clients which use SMTP.
    Best Rgds, Ashish
    Sunday, January 16, 2011 12:03 PM
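    As an added example (not code from the thread), the Exchange Management Shell commands that audit for the condition described in this thread and apply the two changes it settles on. It assumes the connector names and the Edge IP 10.0.0.100 from the question, that EdgeSync is in place, and that no other client or application submits mail to the Hubs over SMTP; the peer Hub address is a placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on a Hub Transport server.
# Assumptions: connector names and Edge IP 10.0.0.100 as given in the question; EdgeSync in place;
# no POP/IMAP clients or internal applications submit mail to these connectors over SMTP.

# 1. Audit: which Receive connectors accept anonymous SMTP from any source address?
#    This combination is what let internal users telnet to port 25 and submit mail.
Get-ReceiveConnector | Where-Object {
    ([string]$_.PermissionGroups) -match 'AnonymousUsers' -and
    ([string]$_.RemoteIPRanges)   -like '*0.0.0.0-255.255.255.255*'
} | Format-Table Identity, Bindings, PermissionGroups, RemoteIPRanges -AutoSize

# 2. The fix applied in the thread: drop AnonymousUsers from the Default connector on each Hub.
#    ExchangeServers stays so the Edge server (EdgeSync) and the peer Hub still authenticate as
#    Exchange servers; ExchangeUsers stays for authenticated client submission.
$defaults = 'BLOG-HUB1\Default BLOG-HUB1', 'BLOG-HUB2\Default BLOG-HUB2'
foreach ($id in $defaults) {
    Set-ReceiveConnector -Identity $id `
        -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers
}

# 3. Optional tightening discussed at the end of the thread: restrict source addresses.
#    Hub-to-Hub delivery inside the organisation is also SMTP on port 25, so each Hub must
#    still accept its peer; '<PEER-HUB-IP>' is a placeholder for the other Hub's address.
Set-ReceiveConnector -Identity 'BLOG-HUB1\Default BLOG-HUB1' `
    -RemoteIPRanges 10.0.0.100, '<PEER-HUB-IP>'
Set-ReceiveConnector -Identity 'BLOG-HUB2\Default BLOG-HUB2' `
    -RemoteIPRanges 10.0.0.100, '<PEER-HUB-IP>'

# 4. Verify: the audit query in step 1 should now return nothing, and an unauthenticated
#    SMTP session from a workstation should no longer be able to submit mail.
Get-ReceiveConnector | Where-Object { $_.Name -like 'Default *' } |
    Format-List Identity, PermissionGroups, RemoteIPRanges
```

    Step 3 should only be applied if, as Ashish's last reply says, nothing else on the network delivers mail to the Hubs directly over SMTP.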
  • Dear All,

    Thank you very much.


    Regards, Amjuu-Anu ..
    Sunday, January 16, 2011 3:05 PM