0
务实技术讲座系列务实技术讲座系列
如何部署如何部署 Exchange 2000Exchange 2000
和和 ISA 2000ISA 2000 构建应用构建应用
内容安排内容安排
 ADAD 和和 exchange 2000exchange 2000
 网络设计网络设计
 连接连接 InternetInternet
 安全安全
Active DirectoryActive Directory 在企业中在企业中
域和域和 OUsOUs 组成层组成层
次化管理结构次化管理结构
多个域可以组成多个域可以组成
 树树 -Trees-Trees
 森林森林 -Fores...
Active Directory SchemaActive Directory Schema
ObjectObject
Class ExamplesClass Examples
ObjectObject
Class ExamplesClass ...
域域 -Domains-Domains
一个域是个安全边界一个域是个安全边界
 一个域的管理员只能管理本域内的资源一个域的管理员只能管理本域内的资源 ,, 除非除非
明确被其他域授权明确被其他域授权
一个域是一个复制的单元一个域是一个复制...
Global CatalogGlobal Catalog
Global Catalog Server
Global CatalogGlobal CatalogGlobal CatalogGlobal Catalog
Subset of the
...
站点结构站点结构
Sites:
 优化复制通信量
 让用户能够通过一个稳定的,高速的连接登录
到一个域控制器
Site
IP subnetIP subnetIP subnetIP subnet
IP subnetIP subnetIP su...
站点拓扑结构举例站点拓扑结构举例
Domain A Domain B
Site 1 Site 2Site Link
Domain A Domain B
Site 2
Site 1
Site Link
1 2
3 4
Active DirectoryActive Directory 森林森林
Exchange
2000
组织
contoso.msft
nwtraders.msft
samerica.nwtraders.msft
Exchange
2000
组...
存放存放 Exchange 2000 DataExchange 2000 Data 数据数据
Users ComputersGroups
Domain
Partition
Configuration
Partition Exchange
Con...
Active DirectoryActive Directory 数据库大小数据库大小
Active
Directory
425 MB
Active
Directory
345 MB
Active
Directory
110 MB
Active...
User Principle NamesUser Principle Names
Tree
nwtraders.msft
namerica.nwtraders.msft samerica.nwtraders.msft
UPN=Joeb@nwtr...
Exchange
2000
Global
Catalog
Domain
Controller
Global
Catalog
Windows
2000 Site 2
Domain
Controller
Windows
2000 Site 1
Gl...
发现和定义发现和定义 Directory Service ServersDirectory Service Servers
Cache List
1. Domain Controller 1
2. Domain Controller 2
3. ...
Exchange 2000Exchange 2000 和和 ADAD 站点设站点设
计计
 Windows 2000Windows 2000 站点不影响站点不影响 ExchangeExchange
20002000
 ExchangeExc...
服务定位服务定位
 用户端需要下列服务用户端需要下列服务
 DNSDNS
 Domain ControllerDomain Controller
 Global CatalogGlobal Catalog
DNSDNS 和和 Active DirectoryActive Directory
 用户端使用用户端使用 DNSDNS 定位定位 Active DirectoryActive Directory
servicesservices
 Ac...
Domain ControllerDomain Controller 放置放置
 Windows 2000Windows 2000 用户访问基于用户访问基于
Active DirectoryActive Directory 站点站点
 每个...
Global Catalog ServerGlobal Catalog Server 放置放置
 ExchangeExchange 用户端使用用户端使用 GCGC 定位定位
Exchange Directory ServicesExchang...
网络设计网络设计
网络状况网络状况
远程用户
本地网
分公司
InternetInternet 范围范围
典型网络分布典型网络分布
成都成都
广州广州
InternetInternet
北京北京
上海上海
InternetInternet
2M2M
1M1M
15001500 人人
500500 人人
500500 人人
5050 人人
部署部署 AD-AD- 多域多域
成都成都
广州广州
InternetInternet
北京北京
上海上海
InternetInternet
OUOU
北京北京
上海上海
域
广州广州
OUOU
成都
ABC.NETABC.NET
CD.ABC...
服务器放置服务器放置
成都成都
广州广州
InternetInternet
北京北京
上海上海
InternetInternet
2M2M
1M1M
BJDCGC01BJDCGC01
BJDC02BJDC02 SHDCGC01SHDCGC01
...
服务器配置服务器配置
 域控制器域控制器
 P3 500, 1GP3 500, 1G 内存内存
 磁盘磁盘 11 个个 18G –18G – 系统系统
 邮件服务器邮件服务器
 磁盘磁盘 11 个个 18G –18G – 系统,系统,...
网络连接网络连接
 AD Site link –AD Site link – 站点连接站点连接
 BJ ----- SHBJ ----- SH
 BJ ----- GZBJ ----- GZ
 SH ----- GZSH ----- G...
系统安装系统安装
 11 、 北京安装、 北京安装 ADAD
 22 、 上海广州、 上海广州 ,, 建立站点连接建立站点连接
 33 、、 e2ke2k
 44 、 北京成都建立、 北京成都建立 VPNVPN
 55 、 成都安装、...
站点连接站点连接
成都成都
广州广州
InternetInternet
北京北京
上海上海
InternetInternet
BJ_SH , Cost 10BJ_SH , Cost 10
BJ_GZBJ_GZ
Cost:10Cost:10 SH...
安装安装 Exchange 2000Exchange 2000
First server
in the forest
Forest
Setup /forestprepSetup /forestprep
Windows 2000
ConfigCo...
安装安装 Exchange 2000Exchange 2000
Setup /forestprepSetup /forestprep
Windows 2000
Domain Controller
InstallInstallInstallIns...
通过通过 VPNVPN 建立请求拨号连接建立请求拨号连接
Calling Router VPN Router
Internet
Intranet HQ
ISP ISP
VPN Tunnel
成都 北京
请求拨号路由请求拨号路由
请求拨号路由请求拨号路由
请求拨号路由请求拨号路由
请求拨号路由请求拨号路由
请求拨号路由请求拨号路由
请求拨号路由请求拨号路由
请求拨号路由请求拨号路由
计划路由组计划路由组
服务器必须属于同一个 Active Directory directory service
forest
服务器彼此之间必须永久连接
路由组内的所有服务器必须能够连接到 routing group
master
在一个路由...
路由组路由组
成都成都
广州广州
InternetInternet
北京北京
上海上海
InternetInternet
BJ_SH , Cost 100BJ_SH , Cost 100
BJ_GZBJ_GZ
Cost:100Cost:100 ...
创建和配置存储组创建和配置存储组
ESEESE
TransactionLogTransactionLog
Store
Reserved
Store
Store
Store
Store
Storage Group A Storage Group ...
文件放置文件放置
系统分区和启动分区系统分区和启动分区
Mirror Set
C:
Storage Group 1
Transaction Logs
Storage Group 1
Transaction Logs
Mirror Set
E:
...
备份恢复备份恢复
 http://www.microsoft.com/Ehttp://www.microsoft.com/E
xchange/techinfo/deploymexchange/techinfo/deployme
nt/2000...
Connect Exchange 2000 toConnect Exchange 2000 to
InternetInternet
ServerServer
InternetInternet
DNSDNS
.msft
nwtraders
MX 10 SMTP1.nwtraders.msft
MX 20 SMTP2.nwtraders.msft
MX 30 SMTP3.nwtraders.msft
DNSDNS
.msft
nwtra...
ISAISA
InternetInternet
部署防火墙部署防火墙 -- 小型网络或分公司的配置小型网络或分公司的配置
企 部网业內 络企 部网业內 络
 访问策略规则访问策略规则 -- IPIP 封包封包 ,, 应应 用程式用程式 ,, ...
蜂巢式安全防护体系蜂巢式安全防护体系
内部防火墙内部防火墙
中央监控服务器中央监控服务器
InternetInternet
中央管理服务器中央管理服务器
对外防火墙对外防火墙
内部防火墙内部防火墙
配置内部邮件路由到配置内部邮件路由到 internetinternet
 制定北京的一台服务器作为制定北京的一台服务器作为 SMTPSMTP 桥头桥头
堡连接到防火墙的内部堡连接到防火墙的内部 IPIP 地址地址
 上海、广州和北京的另一台...
Secure SMTP ServerSecure SMTP Server
 Secure relaySecure relay
settingssettings
 Best Practice:Best Practice:
Default se...
ISA ServerISA Server 配置配置
HTTPS (SSL)HTTPS (SSL)
 映射的协议映射的协议 : “HTTPS server”: “HTTPS server”
 ISA Server listens on 443...
ISA ServerISA Server 配置配置
HTTPS (SSL) — SecurityHTTPS (SSL) — Security
 如果要求监测如果要求监测 ??
 使用使用 WebWeb 发布发布
 ISA ServerIS...
ISA ServerISA Server 配置配置
SMTPSMTP
 映射的协议映射的协议 : “SMTP Server”: “SMTP Server”
 典型典型 ISA ServerISA Server 反向代理方式反向代理方式
 ...
保证保证 Exchange ServerExchange Server 安安
全全
Exchange
Server
ProtocolProtocol SourceSource DestinatioDestinatio
nn
PortPort
A...
Front end/Back EndFront end/Back End
FirewallFirewall
Open Ports:Open Ports:
443, 993, 995443, 993, 995
Exchange 2000Excha...
使用使用 DMZDMZ
FirewallFirewall
OpenOpen
Ports:Ports:
443, 993,443, 993,
995995
ExchangeExchange
20002000
Front-EndFront-End
...
保证服务器之间安全保证服务器之间安全 -- 验证验证
 服务器和服务器自动使用服务器和服务器自动使用 X-EXPSX-EXPS 验验
证证
 Kerberos/NTLMKerberos/NTLM
 缺省缺省 SMTPSMTP 协议扩充与协...
保证服务器之间安全保证服务器之间安全 -- 加密加密
 IPSecIPSec
 定义不同的定义不同的 IPSec filtersIPSec filters
 最简单的配置最简单的配置
 使用组策略可以使所有的使用组策略可以使所有的 Ex...
配置配置 ISAISA 防毒防毒
 防止防止 Nimda WormNimda Worm
http://www.microsoft.com/technet/treeviewhttp://www.microsoft.com/technet/tre...
Information StoreInformation Store 方案方案
 存储事件存储事件
 在存储内当一个条目打开,保存,移动或删除时会触发在存储内当一个条目打开,保存,移动或删除时会触发
 事件类型事件类型
 同步 – 当事...
传输方案传输方案
 整理公开中继整理公开中继 Fix open relaysFix open relays
 SMTP Relay ParametersSMTP Relay Parameters
 邮件过滤邮件过滤 -Filter Mai...
桌面防毒桌面防毒
 Windows andWindows and 浏览器浏览器
 下载最新的补丁下载最新的补丁
 定制浏览器的安全区域选项定制浏览器的安全区域选项
 OutlookOutlook 安全安全
 Outlook 98 / ...
务实技术讲座系列
务实技术讲座系列
Upcoming SlideShare
Loading in...5
×

务实技术讲座系列

578

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
578
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Good afternoon.
    This is TechNet Session 1:
    Next slide
  • Active Directory stores data for Exchange 2000 in partitions, which are also referred to as naming contexts. Active Directory uses naming contexts to define the boundaries for information that is stored within the database. The information that is stored in Active Directory on every domain controller in the forest is partitioned into three categories: domain, configuration, and schema. All Active Directory partitions are stored on domain controllers. You will be able to design your Exchange 2000 organization more effectively if you understand where Active Directory stores each type of information.
    Domain Partition
    The Active Directory domain partition contains all of the objects (such as users, groups, contacts, and computers) in the directory for the domain. Exchange recipients are Active Directory objects that have been included in the Exchange 2000 organization. Active Directory users, groups, and contacts can all be Exchange 2000 recipients.
    Windows 2000 replicates domain configuration data in each domain to every domain controller in that domain, but not beyond that domain.
    Configuration Partition
    The Active Directory configuration partition contains the Exchange 2000 organization configuration. The configuration partition defines the topology, connectors, protocols, and service settings of the Exchange 2000 organization. Because Active Directory replicates the configuration partition across all domains in the forest, the configuration of the Exchange 2000 organization is replicated throughout the forest.
    Schema Partition
    The Active Directory schema partition contains all object types that can be created in Active Directory, as well as all attributes of such objects. This data is common to all domains in the forest, and is replicated by Active Directory to all domain controllers throughout the forest.
    Key PointsThe Active Directory schema is extended with new attributes for Exchange 2000—attributes that have names that start with ms-Exch.Delivery TipUse ADSI Edit to show the students the various Active Directory partitions.During the installation in the Active Directory forest of the first computer running Exchange 2000, the Active Directory schema is extended with new attributes for Exchange 2000—attributes that have names that start with ms‑Exch. The schema is extended by using LDAP Directory Interchange Format (LDIF) files. You can examine which attributes have been added to Active Directory by viewing the LDIP files on the Exchange 2000 compact disc.
    NoteInstalling the first computer running Exchange 2000 only extends the Active Directory schema if you have not already run /forestprep. You can view the Active Directory partitions by using Active Directory Service Interface (ADSI) Edit, which is included in the Windows 2000 support t
  • If you add 50,000 non-mail-enabled users to this new Active Directory database, the database will grow to approximately 345 MB, or 6K per user.
    If you mail-enable those 50,000 users, the Active Directory database will grow to approximately 425 MB, or 7K per user.
  • When designing an Exchange 2000 organization, you can design user principle names (UPNs) to alleviate any confusion that might be generated by differences between the domain namespace and the e-mail namespace. Typically, administrators use a single user principle name suffix for each forest.
    Designing a Single User Principle Name Suffix
    Consider creating and assigning a single user principle name suffix as the default for all users. For example, as shown in the illustration on this page, you can create and assign a user principle name suffix of @nwtraders.msft as the default for all users. Making the user principle name the same as the SMTP address provides users with a single namespace that they can use for logging on to the network and for gaining access to e-mail.
    Separating User Principle Names From the Mail Namespace
    An organization might want to separate user principle names from the namespace that is used for e-mail. Separating user principle names from Internet e-mail addresses increases security by not affiliating user names with publicly known e-mail addresses.
    NoteUPNs must be unique across the entire forest.
  • DSAccess uses one common set of commands to access the Active Directory. Exchange 2000 queries Active Directory for both user and configuration information. The most important part of DSAccess is the shared cache, which caches search results between different services in Exchange 2000.
    Global Catalog Access
    For access to the global catalog, DSAccess first queries the Windows 2000 site to which the server running Exchange 2000 belongs. If all global catalog servers in that site are unavailable, DSAccess queries other sites.
    Domain Controller Access
    For access to a domain controller, DSAccess first queries domain controllers within the same site and domain as the server running Exchange 2000. If no such domain controller is available, DSAccess queries domain controllers outside the site but still within the same domain. If more than one domain controller is available, DSAccess selects one by using the round-robin method. If the desired information is not stored on one of the domain controllers, DSAccess makes a Domain Name System (DNS) query for the nearest global catalog server and then requests the information again.
  • During initialization, DSAccess dynamically detects available directory service servers within the domain, unless you manually configure static entries. There are two kinds of detection algorithms, one for domain controllers and one for global catalog servers.
    Detecting Domain Controllers
    DSAccess uses DNS to provide a list of all of the domain controllers in the local domain and the local Active Directory site. DSAccess saves up to ten domain controller names in its cache; it load balances the usage of these domain controllers in a round robin fashion.
    Detecting Global Catalog Servers
    Global catalog server detection is different from traditional service detection. To detect global catalog servers, DSAccess uses the Lightweight Directory Access Protocol (LDAP) connection to the domain controller that DSAccess is currently bound to. On the domain controller, DSAccess reads the Options attribute of the Microsoft Windows NT® Directory Service Settings object for each directory service server, if any, in the site that contains the server running Exchange 2000. DSAccess detects which of the listed domain controllers are also global catalog servers. The global catalog servers are added to the DSAccess profile, and load balancing takes place.
    If DSAccess does not find any global catalog servers in the local domain and site, a remote global catalog server is selected. Using a global catalog server in a remote site is not an optimal solution, however, because the global catalog servers in other Active Directory sites may be located across slow links and may not be load balanced.
    DSAccess performs a full network redetection whenever either the Kerberos version 5 authentication protocol ticket times out (there is a default period of 10 hours) or a configuration change is made, such as the addition of a new domain controller or global catalog server.
    Defining Domain Controllers and Servers
    The DSAccess process communicates with Active Directory servers to look up information in the address book and to read configuration data. You can configure DSAccess to send directory queries to specific Active Directory domain controllers and servers.
    DSAccess contacts an Active Directory server by making a DNS query. You can require a server running Exchange 2000 to always use the same Active Directory server by changing the registry settings.
    If you manually configure global catalog servers, but do not specify domain controllers in the registry, DSAccess dynamically detects and uses any available domain controller. Similarly, if you manually configure domain controllers but do not specify any global catalog servers in the registry, DSAccess dynamically detects and uses any available global catalog servers.
    The following registry keys are required to statically configure domain controller and global catalog servers for use by DSAccess. Multiple domain controllers and global catalog servers can be specified for load balancing, but only one Configuration-Context Domain Controller can be configured.
    User-Context Domain Controller
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserDC1 (UserDC2, and so on) IsGC = REG_DWORD 0x0HostName = REG_SZ DC_ComputerName.DomainName.comPortNumber = REG_DWORD (0x185 by default or 0x27C for SSL)
    User-Context Global Catalog Server
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserGC1 (UserGC2 and so on)IsGC = REG_DWORD 0x1HostName = REG_SZ GC_ComputerName.DomainName.comPortNumber = REG_DWORD (0xCC4 by default or 0xCC5 for SSL)
    Configuration-Context Domain Controller
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Instance0ConfigDCHostName = REG_SZ configDC_ComputerName.DomainName.comConfigDCPortNumber = REG_DWORD (0x185 by default or 0x27C for SSL)
    ImportantIf these registry entries are configured so that a server running Exchange 2000 only queries specific domain controllers and global catalog servers, that server running Exchange 2000 will no longer dynamically detect domain controllers and global catalogs. This means that if none of the servers in a specific list are working, Exchange 2000 will be unable to perform any directory lookups.
  • In order to plan DNS server deployment to support your Active Directory domains, you must identify the DNS servers that will be authoritative for your domain names, and ensure they meet the requirements of the domain controller locator system.
    Authority and Delegation in DNS
    The Domain Name Service is a hierarchical, distributed database. The database itself consists of resource records, which primarily consist of a DNS name, a record type, and data values that are associated with that record type. For example, the most common records in the DNS database are Address (A) records, where the name of an Address record is the name of a computer, and the data in the record is the TCP/IP address of that computer.
    Like Active Directory, the DNS database is divided into partitions that enable the database to scale efficiently even on very large networks. A partition of the DNS database is called a zone. A zone contains the records for a contiguous set of DNS names. A DNS server that loads a zone is said to be authoritative for the names in that zone.
    A zone begins at a specified name and ends at a delegation point. A delegation point indicates where one zone ends and another zone begins. For example, there is a registration authority on the Internet that is responsible for the zone called “com.” Inside this zone are thousands of delegation points to other zones, for example, reskit.com. The data in a delegation point indicates which servers are authoritative for the delegated zone. Figure 9.10 shows the relationship among DNS servers, zones, and delegations.
    The Domain Controller Locator System
    Domain controllers register a set of records in DNS. These records are collectively called the locator records. When a client requires a particular service from a domain, it sends a query for a specific name and type of record to the nearest DNS server. The answer is a list of domain controllers that can satisfy the request.
    The names of the locator records for each domain end in <DNS-domain-name> and <DNS-forest-name>. The DNS servers that are authoritative for each <DNS-domain-name> are authoritative for the locator records.
     
    Note
    Windows 2000 does not require reverse lookup zones to be configured. Reverse lookup zones maybe be necessary for other applications, or for administrative convenience.
     
    DNS Server Requirements
    If you do not already have DNS servers running on your network, it is recommended that you deploy the DNS service that is provided with Windows 2000 Server. If you have existing DNS servers, then the servers that are authoritative for the locator records must meet the following requirements to support Active Directory:
    Must support the Service Location Record.
    The DNS servers that are authoritative for the locator records must support the Service Location (SRV) resource record type. For more information about the SRV record, see “Windows 2000 DNS” in the Microsoft® Windows® 2000 Server Resource Kit TCP/IP Core Networking Guide.
    Should support the Dynamic Update Protocol.
    The DNS servers that are authoritative for the locator records and are the primary master servers for those zones should support the Dynamic Update Protocol as defined in RFC 2136.
     
    The DNS service provided with Windows 2000 Server meets both these requirements and also offers two important additional features:
    Active Directory Integration
    Using this feature, the Windows 2000 DNS service stores zone data in the directory. This makes DNS replication multi-master, and it allows any DNS server to accept updates for a directory service-integrated zone. Using Active Directory integration also reduces the need to maintain a separate DNS zone transfer replication topology.
    Secure Dynamic Update
    Secure dynamic update is integrated with Windows security. It allows an administrator to precisely control which computers can update which names, and it prevents unauthorized computers from stealing existing names out of DNS.
     
    The remaining DNS servers on your network that are not authoritative for the locator records do not need to meet these requirements. Servers that are not authoritative are generally able to answer SRV record queries even if they do not explicitly support that record type.
    Placement strategy
    The availability of DNS directly affects the availability of Active Directory. Client computers rely on DNS to be able to find a domain controller, and domain controllers rely on DNS in order to find other domain controllers. Even if you already have DNS servers deployed on your network today, you might need to adjust the number and placement of servers to meet the needs of your Active Directory clients and domain controllers.
    As a general rule, place at least one DNS server in every site. The DNS servers in the site should be authoritative for the locator records of the domains in the site, so that clients do not need to query DNS servers off-site to locate domain controllers that are in a site. Domain controllers will also periodically verify that the entries on the primary master server for each locator record are correct.
    A simple configuration that satisfies all requirements is to use Active Directory-integrated DNS, store the locator records for a domain within the domain itself, and run the Windows 2000 DNS service on one or more domain controllers for each site where those domain controllers appear.
    Distributing the Forest Wide Locator Records
    Each domain controller in the forest registers two sets of locator records: a set of domain-specific records that end in <DNS-domain-name>, and a set of forest-wide records that end in _msdcs.<DNS-forest-name>. The forest-wide records are interesting to clients and domain controllers from all parts of the forest. For example, the global catalog locator records, and the records used by the replication system to locate replication partners, are included in the forest-wide records.
    In order for any two domain controllers to replicate between each other, including two domain controllers from the same domain, they must be able to look up forest-wide locator records. In order for a newly created domain controller to participate in replication, it must be able to register its forest-wide records in DNS, and other domain controllers must be able to look up these records. For this reason, it is important to make the forest-wide locator records available to every DNS server in every site.
    To do this, create a separate zone called _msdcs.<DNS-forest-name>, and replicate that zone to every DNS server. If you are using the simple Active Directory-integrated configuration, you can place the primary copy of this zone in the forest root domain along with the <DNS-forest-name> zone. You can then replicate the zone to DNS servers outside the domain using standard DNS replication.
    Generally, it is not sufficient to replicate the zone to only one DNS server per site. If a DNS server does not have a local copy of the _msdcs.<DNS-forest-name> zone, it must use DNS recursion to look up a name in that zone. In order for a DNS server to perform recursion, it contacts a DNS server that is authoritative for the root of the namespace (a DNS root server) and walks down the delegations in DNS until it finds the record in question. If there is no DNS root server in a site, and the links between that site and other sites are down, a DNS server will not be able to perform recursion. Thus, it will not be able to find any DNS servers that are authoritative for _msdcs.<DNS-forest-name>, even if those DNS servers are in the same site.
    DNS Client Configuration
    Client computers and domain controllers should be configured with at least two DNS server IP addresses: a preferred local server, and an alternate server. The alternate server can be in the local site, or it can be remote if you trust your network to handle the failover.
  • The location of servers on your site topology has a direct effect on the availability of Active Directory. During the physical partitioning exercise of the domain plan, you created a basic plan for domain controller placement. By placing servers onto the site topology, you will complete the details of this plan.
    Placing Additional Domain Controllers
    During the partitioning exercise, you decided which sites would have domain controllers for each domain, but you did not decide on the number of domain controllers that would be placed in each site for each domain. The number of domain controllers you will create for a given domain is driven by two factors: fault tolerance requirements and load distribution requirements.
    For each domain, use the following guidelines to determine if more domain controllers are necessary:
    Always create at least two domain controllers.
    Even for small domains with small user populations, create at least two domain controllers so that there is no single point of failure for the domain.
    For each site that contains a single domain controller, decide if you trust the WAN for failover.
    Should the single domain controller fail, clients in the site can be serviced by other domain controllers for that domain that are located in other sites. If network connectivity is unreliable or intermittently available, you might not want to trust the network to handle failover. In that case, place a second domain controller for that domain into the site.
    Place additional domain controllers for a domain into a site to handle the client workload.
    The number of client computers that a particular server can handle depends on the workload characteristics and the hardware configuration of the server. Client computers randomly select from the available domain controllers in a site to distribute client load evenly.
  • The availability of global catalog servers is crucial to the operation of the directory. For example, a global catalog server must be available when processing a user log on request for a native mode domain, or when a user logs on with a user principal name.
     
    Note
    When processing a log on request for a user in a native mode domain, a domain controller sends a query to a global catalog server to determine the user’s universal group memberships. Since groups can be explicitly denied access to a resource, complete knowledge of a user’s group memberships are necessary to enforce access control correctly. If a domain controller of a native mode domain cannot contact a global catalog server when a user wants to log on, the domain controller will refuse the log on request.
     
    As a general rule, designate at least one domain controller in each site as a global catalog server.
    Use the same failover and load distribution rules that you used for individual domain controllers to determine whether additional global catalog servers are necessary in each site.
     
    Note
    In a single domain environment, global catalog servers are not required to process a user log on request. However, you should still designate global catalog servers using the suggested process. Client computers still seek global catalog servers for search operations. Also, having global catalog servers already in place allows the system to adapt gracefully if you add more domains later.
  • Fixed. Have Bill review.
  • 我们的解决方案在内部安全设计上采用内部区域隔离的设计方式,不同的地理位置上的局域网活着我们可以把它看作一个“蜂窝状”结构
  • KEY MESSAGE: Explain the use of the HTTPS rule.
    SLIDE BUILDS: None
    SLIDE SCRIPT:
    The HTTPS rule handles SSL traffic. The mapped protocol that you use in the publishing rule is HTTPS Server, which causes ISA Server to listen on TCP port 443. ISA Server receives inbound traffic on this port. It then regenerates new packets and forwards them to the OWA Servers. Using server publishing for this task preserves the source IP address and port.
    SLIDE TRANSITION: Next, I will cover the security implications of using server publishing for SSL traffic.
    ADDITIONAL INFORMATION FOR PRESENTER:
  • KEY MESSAGE: Explain how Web publishing for SSL connections allows for inspection of requests by ISA Server.
    SLIDE BUILDS: None
    SLIDE SCRIPT:
    One potential issue with using server publishing is that encrypted traffic passes through ISA Server to an internal OWA Server. If this is not acceptable and if inspection of SSL requests is required, you must use Web publishing instead. This requires the configuration of listeners. If you decide to go this route, keep in mind that the ISA Server computer requires additional power to perform SSL processing. You may even consider using hardware encryption cards.
    When using Web publishing, the SSL connection terminates at the ISA Server computer. To allow for this you have to configure configure a certificate for each IP address of the ISA Server computer on which you accept incoming requests.
    You can also configure SSL bridging, which means that after the SSL session from the external client is terminated as ISA Server, a new SSL session is established from ISA Server to the OWA Server, encrypting traffic as it travels across your internal network. In this configuration you need certificates for the ISA Server computer and the OWA server.
    SLIDE TRANSITION:
    ADDITIONAL INFORMATION FOR PRESENTER:
  • KEY MESSAGE: Review SMTP server publishing rule
    SLIDE BUILDS: None
    SLIDE SCRIPT:
    Finally, we created an SMTP server publishing rule. The mapped protocol that we used for this rule is SMTP Server. This rule gives us the typical ISA Server reverse proxy behavior. In addition, when we publish an SMTP server, we can also take advantage of the SMTP filter that provides protection by allowing you to specify whether ISA Server should forward, delete or hold messages with attachments that you specify. The SMTP filter can also reject e-mail based on senders and domains, it can perform SMTP command validation and limit allowed SMTP commands. Finally, this filter can filter e-mail based on keywords. Keep in mind that performing these functions requires additional configuration steps that are beyond the scope of this presentation.
    SLIDE TRANSITION: Now that we configured ISA Server and reviewed the configuration, let’s test this configuration.
    ADDITIONAL INFORMATION FOR PRESENTER:
  •    >  >  >  How ISA Server Can Be Configured to Help Prevent the Nimda WormTopics on this Page
    By Zachary Gutt
    Technical Product Manager
    Microsoft Corporation
    Microsoft® Internet Security and Acceleration (ISA) Server 2000 can be used help prevent the spread of the Nimda Worm. However, the first course of action should be to protect the Internet Information Services (IIS) servers in the environment. It is strongly recommended that the IIS Lockdown and URLScan tools (see "Patching and Protecting Your Systems") be downloaded and installed. This document discusses how the Nimda Worm spreads, where links to more details about patching your servers, what ISA Server can do to help prevent Nimda, and where to go for more information.
    Disclaimer
    There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. How the NimdaWorm Spreads
    The W32.Nimda.A@MM (Nimda) worm uses four methods to infect computers. Following are short descriptions of each of the infection vectors. Please refer to Microsoft TechNet for more complete information.
    I. Email
    Nimda can spread via email, taking advantages in system vulnerabilities, often infecting the mail recipient immediately. The worm payload may be delivered as an email attachment.
    II. Infecting remote Web Servers
    If Nimda finds a remote Web server that (a) is infected with the Code Red II worm, or (b) is susceptible to a known security vulnerability (for which a patch has long been available), it can get the remote Web server to download an infected ADMIN.DLL via TFTP (Trivial File Transfer Protocol) on port 69.
    III. Infecting web pages on affected Web Servers
    On an infected Web server all HTM, HTML, and ASP pages can be compromised. A snippet of Javascript code is added to these pages that executes a payload file (README.EML) that Nimda installs on the server.
    When a remote Internet Explorer (IE) browser opens a compromised HTM, HTML, or ASP file, an un-patched browser will automatically execute the Javascript, downloading and executing the payload file, thus infecting the browsing computer.
    IV. File sharing
    Nimda attempts to find computers on the network with shared folders and replace their RICHED20.DLL (used by Wordpad, Notepad, Microsoft Word) with an infected version. Nimda may also replace or prepend itself to all EXE, EML, and DOC files on remote shares that it can access. When a user opens a compromised file in one of the aforementioned programs, the infected RICHED20.DLL is executed, infecting the computer.
    Patching andProtecting Your Systems
    The above is only a short description of how the Nimda worm spreads and infects. As mentioned above, the first course of action should be to protect your Internet Information Services (IIS) servers. It is strongly recommended that the IIS Lockdown and URLScan tools be downloaded and installed.
    For complete details on the Nimda worm, visit Microsoft TechNet and Microsoft Security:
    http://www.microsoft.com/technet/security/topics/nimda.asp
    http://www.microsoft.com/technet/security/topics/NimdaIE6.asp
    http://www.microsoft.com/security
    For IIS Lockdown & URLScan:
    http://www.microsoft.com/technet/security/tools/locktool.asp
    http://www.microsoft.com/technet/security/tools/urlscan.asp
    What ISAServer Can Do To Help Stop Nimda
    While ISA Server cannot stop the Nimda Worm completely, the following steps can be taken in order to help prevent Nimda from further infiltrating your network.
    Action #1Use ISA to protect against theCode Red worm. This will prevent further backdoors from being installed on yoursystems.ISA ServerSolutionFollow the guidelines explainedin the Microsoft TechNet article, "."DefendsAgainstNimda infection via a Code RedII backdoor (II above).
    Action #2Use the ISA Server MessageScreener to drop all emails with README.EXE as an attachment, or to drop emailattachments with the MIME type audio/x-wav.ISA ServerSolutionIf you have the SMTP filterrunning, create a new #1 rule that deletes all messages with the attachment name"README.EXE" (Application Filters, SMTP Filter properties, Attachmentstab).DefendsAgainstNimda infection via email (Iabove).
    Action #3Prevent all TFTP (Trivial FTP,port 69) traffic. This will prevent clean IIS systems from downloading filesfrom servers infected with the Nimda.ISA ServerSolutionBy default, TFTP traffic is notallowed by ISA Server. If you have opened this port for any reason, it isrecommended that it be closed by creating a Protocol Rule that always deniesTFTP for any request.DefendsAgainstNimda infecting remote Webservers (II above).
    Action #4Block all NetBios traffic fromcrossing ISA (ports 137, 138, 139).ISA ServerSolutionBy default, NetBios traffic isnot allowed by ISA Server. If you have opened these ports for any reason, it isrecommended that they be closed them by creating a Protocol Rule that alwaysdenies traffic on all NetBios ports (NetBios Datagram, NetBios Name Service,NetBios Session) for any request.DefendsAgainstNoteThis is apreventative measure only! Because ISA Server is a firewall placed on the edgeof a network, it can do nothing to prevent the spread of Nimda via file sharingon the internal network (IV above).
    Summary
    The first course of action taken against the Nimda worm should be protecting and patching all IIS servers. In addition, ISA Server can also help prevent the Nimda worm. Taking the above steps can help mitigate current circumstances, and could help to prevent machines on internal networks from further infection.
    For MoreInformation
    The following lists locations you may visit for more information about the subjects mentioned in this article.
    Nimda information on Microsoft TechNet
    http://www.microsoft.com/technet/security/topics/nimda.asp
    http://www.microsoft.com/technet/security/topics/NimdaIE6.asp
    Microsoft Security and Microsoft Security Tools
    http://www.microsoft.com/security IIS Lockdown ToolURLScanHFNetChkMicrosoft Personal SecurityAdvisor (MSPA)
       |   |  © 2002 MicrosoftCorporation. All rights reserved.      
  • Scans messages and attachments
    Priority based Scanning Queue
    Proactive Message Scanning
    Enhanced Background Scanning
    Thread pooling
    Per-MDB Scanning
    EDK Gateway content scanning
    Message body and attachment scanning
    Native MAPI/MIME content scanning
    Scanner On-Demand Reload
    Scans messages and attachments
    Priority based Scanning Queue
    Proactive Message Scanning
    Enhanced Background Scanning
    Thread pooling
    Per-MDB Scanning
    EDK Gateway content scanning
    Message body and attachment scanning
    Native MAPI/MIME content scanning
    Scanner On-Demand Reload
    On Access Scanning
    When messages are accessed via client or agent
    Proactive Scanning
    As messages arrive inbound to the server
    Background Scanning
    Ongoing scanning of messages
    Primarily used for re-scanning data when virus signatures are updated
  • Transcript of "务实技术讲座系列"

    1. 1. 务实技术讲座系列务实技术讲座系列
    2. 2. 如何部署如何部署 Exchange 2000Exchange 2000 和和 ISA 2000ISA 2000 构建应用构建应用
    3. 3. 内容安排内容安排  ADAD 和和 exchange 2000exchange 2000  网络设计网络设计  连接连接 InternetInternet  安全安全
    4. 4. Active DirectoryActive Directory 在企业中在企业中 域和域和 OUsOUs 组成层组成层 次化管理结构次化管理结构 多个域可以组成多个域可以组成  树树 -Trees-Trees  森林森林 -Forests-Forests Forest Objects DomainDomainDomainDomain DomainDomain Tree DomainDomain DomainDomain Tree DomainDomain OUOU OUOU OUOU
    5. 5. Active Directory SchemaActive Directory Schema ObjectObject Class ExamplesClass Examples ObjectObject Class ExamplesClass Examples PrintersPrinters ComputersComputers UsersUsers Attributes of UsersAttributes of Users Might Contain:Might Contain: Attributes of UsersAttributes of Users Might Contain:Might Contain: accountExpires department distinguishedName middleName accountExpires department distinguishedName middleName List of AttributesList of AttributesList of AttributesList of Attributes accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo middleName … accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo middleName … AttributeAttribute ExamplesExamples AttributeAttribute ExamplesExamples Active Directory Schema Is:  动态可用的  动态可更新的  由 DACLs 保护
    6. 6. 域域 -Domains-Domains 一个域是个安全边界一个域是个安全边界  一个域的管理员只能管理本域内的资源一个域的管理员只能管理本域内的资源 ,, 除非除非 明确被其他域授权明确被其他域授权 一个域是一个复制的单元一个域是一个复制的单元  一个域的域控制器参与复制并包含这个域的完一个域的域控制器参与复制并包含这个域的完 整的目录信息整的目录信息 Windows 2000 Domain Windows 2000 Domain User1 User2 User1 User2 复制复制复制复制
    7. 7. Global CatalogGlobal Catalog Global Catalog Server Global CatalogGlobal CatalogGlobal CatalogGlobal Catalog Subset of the Attributes of All Objects Subset of the Attributes of All Objects DomainDomain Domain DomainDomain Domain 查询查询查询查询 Group membershipGroup membership when user logs onwhen user logs on Group membershipGroup membership when user logs onwhen user logs on
    8. 8. 站点结构站点结构 Sites:  优化复制通信量  让用户能够通过一个稳定的,高速的连接登录 到一个域控制器 Site IP subnetIP subnetIP subnetIP subnet IP subnetIP subnetIP subnetIP subnet Los Angeles Seattle Chicago New York
    9. 9. 站点拓扑结构举例站点拓扑结构举例 Domain A Domain B Site 1 Site 2Site Link Domain A Domain B Site 2 Site 1 Site Link 1 2 3 4
    10. 10. Active DirectoryActive Directory 森林森林 Exchange 2000 组织 contoso.msft nwtraders.msft samerica.nwtraders.msft Exchange 2000 组织 Exchange 2000 组织 nwtraders.msft samerica.nwtraders.msftnamerica.nwtraders.msft Northwind Traders 多个森林 一个森林
    11. 11. 存放存放 Exchange 2000 DataExchange 2000 Data 数据数据 Users ComputersGroups Domain Partition Configuration Partition Exchange Configuration Sites Replication Topology Schema Partition CN=Schema, CN=Configuration, DC=nwtraders, DC=msft
    12. 12. Active DirectoryActive Directory 数据库大小数据库大小 Active Directory 425 MB Active Directory 345 MB Active Directory 110 MB Active Directory 27 MB Active Directory 13 MB Install Windows 2000Install Windows 2000Install Windows 2000Install Windows 2000 Install Exchange 20000Install Exchange 20000Install Exchange 20000Install Exchange 20000 Add 10,000 Mail-Enabled UsersAdd 10,000 Mail-Enabled UsersAdd 10,000 Mail-Enabled UsersAdd 10,000 Mail-Enabled Users Add 50,000 Non Mail-Enabled UsersAdd 50,000 Non Mail-Enabled UsersAdd 50,000 Non Mail-Enabled UsersAdd 50,000 Non Mail-Enabled Users Mail-Enable 50,000 UsersMail-Enable 50,000 UsersMail-Enable 50,000 UsersMail-Enable 50,000 Users
    13. 13. User Principle NamesUser Principle Names Tree nwtraders.msft namerica.nwtraders.msft samerica.nwtraders.msft UPN=Joeb@nwtraders.msft SMTP=Joeb@nwtraders.msft UPN=Jamesw@nwtraders.msft SMTP=Jamesw@nwtraders.msft UPN=Miyokoy@nwtraders.msft SMTP=Miyokoy@nwtraders.msft
    14. 14. Exchange 2000 Global Catalog Domain Controller Global Catalog Windows 2000 Site 2 Domain Controller Windows 2000 Site 1 Global Catalog 访问 Exchange 2000Exchange 2000 访问访问 Active DirectoryActive Directory Windows 2000 Site 1 AAAA BBBB Exchange 2000 Global Catalog Windows 2000 Site 2 CCCC DDDD Global Catalog DS Access Domain Controller 访问 DNSDNS
    15. 15. 发现和定义发现和定义 Directory Service ServersDirectory Service Servers Cache List 1. Domain Controller 1 2. Domain Controller 2 3. Domain Controller 3 . . . 10. DNSDNSDNSDNS DS AccessDS AccessDS AccessDS Access Exchange 2000 LDAP DNS Cache List 1. Domain Controller 1 2. Domain Controller 2 3. Domain Controller 3 . . . 10. DS AccessDS AccessDS AccessDS Access Exchange 2000 LDAP Domain Controller
    16. 16. Exchange 2000Exchange 2000 和和 ADAD 站点设站点设 计计  Windows 2000Windows 2000 站点不影响站点不影响 ExchangeExchange 20002000  ExchangeExchange 信息路由基于路由组信息路由基于路由组  路由组设计决定与路由组设计决定与 Active DirectoryActive Directory 站站 点非常相似点非常相似  每个站点只能由一个活动的数据会议的每个站点只能由一个活动的数据会议的 会议管理器会议管理器
    17. 17. 服务定位服务定位  用户端需要下列服务用户端需要下列服务  DNSDNS  Domain ControllerDomain Controller  Global CatalogGlobal Catalog
    18. 18. DNSDNS 和和 Active DirectoryActive Directory  用户端使用用户端使用 DNSDNS 定位定位 Active DirectoryActive Directory servicesservices  Active Directory DNS RFCActive Directory DNS RFC 要求要求  必须支持必须支持 SRVSRV 记录记录 , RFC 2052, RFC 2052  应该支持应该支持 DHCPDHCP 动态更新动态更新 , RFC 2136, RFC 2136  应该支持应该支持 Incremental Zone Transfer, RFC 1995Incremental Zone Transfer, RFC 1995  Exchange serversExchange servers 使用使用 DNSDNS 定位其他定位其他 Exchange serversExchange servers  ExchangeExchange 用户使用用户使用 DNSDNS 定位定位 Exchange serversExchange servers  考虑考虑 DNSDNS 与与 ADAD 集成集成
    19. 19. Domain ControllerDomain Controller 放置放置  Windows 2000Windows 2000 用户访问基于用户访问基于 Active DirectoryActive Directory 站点站点  每个站点放置多个域控制器提供冗余每个站点放置多个域控制器提供冗余
    20. 20. Global Catalog ServerGlobal Catalog Server 放置放置  ExchangeExchange 用户端使用用户端使用 GCGC 定位定位 Exchange Directory ServicesExchange Directory Services  Exchange 5.0Exchange 5.0 用户端用户端 , Outlook 97/98, Outlook 97/98 由由 Exchange serverExchange server 代理代理  Outlook 2000Outlook 2000 直接访问直接访问 ExchangeExchange directory servicesdirectory services
    21. 21. 网络设计网络设计
    22. 22. 网络状况网络状况 远程用户 本地网 分公司 InternetInternet 范围范围
    23. 23. 典型网络分布典型网络分布 成都成都 广州广州 InternetInternet 北京北京 上海上海 InternetInternet 2M2M 1M1M 15001500 人人 500500 人人 500500 人人 5050 人人
    24. 24. 部署部署 AD-AD- 多域多域 成都成都 广州广州 InternetInternet 北京北京 上海上海 InternetInternet OUOU 北京北京 上海上海 域 广州广州 OUOU 成都 ABC.NETABC.NET CD.ABC.NETCD.ABC.NET
    25. 25. 服务器放置服务器放置 成都成都 广州广州 InternetInternet 北京北京 上海上海 InternetInternet 2M2M 1M1M BJDCGC01BJDCGC01 BJDC02BJDC02 SHDCGC01SHDCGC01 GZDCGC01GZDCGC01 CDDCGC01CDDCGC01 512K512K
    26. 26. 服务器配置服务器配置  域控制器域控制器  P3 500, 1GP3 500, 1G 内存内存  磁盘磁盘 11 个个 18G –18G – 系统系统  邮件服务器邮件服务器  磁盘磁盘 11 个个 18G –18G – 系统,系统, 33 个个 80G –80G – 邮件数邮件数 据库据库  如果可能可采用如果可能可采用 AAAA 集群—北京集群—北京
    27. 27. 网络连接网络连接  AD Site link –AD Site link – 站点连接站点连接  BJ ----- SHBJ ----- SH  BJ ----- GZBJ ----- GZ  SH ----- GZSH ----- GZ  BJ ----- CDBJ ----- CD  Exchange 2000Exchange 2000 路由组路由组  与与 AD Site LinkAD Site Link 匹配匹配  管理组管理组  与路由组匹配与路由组匹配  InternetInternet 出口出口 ------ 北京,成都北京,成都
    28. 28. 系统安装系统安装  11 、 北京安装、 北京安装 ADAD  22 、 上海广州、 上海广州 ,, 建立站点连接建立站点连接  33 、、 e2ke2k  44 、 北京成都建立、 北京成都建立 VPNVPN  55 、 成都安装、 成都安装 ADAD ,建立站点连接,建立站点连接  66 、成都安装、成都安装 e2ke2k
    29. 29. 站点连接站点连接 成都成都 广州广州 InternetInternet 北京北京 上海上海 InternetInternet BJ_SH , Cost 10BJ_SH , Cost 10 BJ_GZBJ_GZ Cost:10Cost:10 SH_GZ, Cost 15SH_GZ, Cost 15 BJ_CD,Cost 15BJ_CD,Cost 15
    30. 30. 安装安装 Exchange 2000Exchange 2000 First server in the forest Forest Setup /forestprepSetup /forestprep Windows 2000 ConfigConfigConfigConfig SchemaSchemaSchemaSchema ModifyModifyModifyModify ModifyModifyModifyModify InstallInstallInstallInstall 准备森林设置准备森林设置 /forestprep/forestprep
    31. 31. 安装安装 Exchange 2000Exchange 2000 Setup /forestprepSetup /forestprep Windows 2000 Domain Controller InstallInstallInstallInstall GroupGroup UserUser CreateCreateCreateCreate ConfigConfigConfigConfig SchemaSchemaSchemaSchema Forest GroupGroup UserUser ConfigConfigConfigConfig SchemaSchemaSchemaSchema Exchange 2000Exchange 2000 准备域设置准备域设置 /domainprep/domainprep
    32. 32. 通过通过 VPNVPN 建立请求拨号连接建立请求拨号连接 Calling Router VPN Router Internet Intranet HQ ISP ISP VPN Tunnel 成都 北京
    33. 33. 请求拨号路由请求拨号路由
    34. 34. 请求拨号路由请求拨号路由
    35. 35. 请求拨号路由请求拨号路由
    36. 36. 请求拨号路由请求拨号路由
    37. 37. 请求拨号路由请求拨号路由
    38. 38. 请求拨号路由请求拨号路由
    39. 39. 请求拨号路由请求拨号路由
    40. 40. 计划路由组计划路由组 服务器必须属于同一个 Active Directory directory service forest 服务器彼此之间必须永久连接 路由组内的所有服务器必须能够连接到 routing group master 在一个路由组的在一个路由组的 Exchange 2000Exchange 2000 必须满足下列条件必须满足下列条件在一个路由组的在一个路由组的 Exchange 2000Exchange 2000 必须满足下列条件必须满足下列条件 Cost = 10 Cost = 30 AAAA CCCC BBBBCost = 10 User C User C User C User C
    41. 41. 路由组路由组 成都成都 广州广州 InternetInternet 北京北京 上海上海 InternetInternet BJ_SH , Cost 100BJ_SH , Cost 100 BJ_GZBJ_GZ Cost:100Cost:100 SH_GZ, Cost 150SH_GZ, Cost 150 BJ_CD,Cost 150BJ_CD,Cost 150
    42. 42. 创建和配置存储组创建和配置存储组 ESEESE TransactionLogTransactionLog Store Reserved Store Store Store Store Storage Group A Storage Group B TransactionLogTransactionLog Store Reserved Store Store Store Store ESEESE
    43. 43. 文件放置文件放置 系统分区和启动分区系统分区和启动分区 Mirror Set C: Storage Group 1 Transaction Logs Storage Group 1 Transaction Logs Mirror Set E: Storage Group 2 Transaction Logs Storage Group 2 Transaction Logs Mirror Set F: Page FilePage File D: All Database Files For Both Storage Groups All Database Files For Both Storage Groups Stripe Set with Parity G:
    44. 44. 备份恢复备份恢复  http://www.microsoft.com/Ehttp://www.microsoft.com/E xchange/techinfo/deploymexchange/techinfo/deployme nt/2000/E2Krecovery.aspnt/2000/E2Krecovery.asp
    45. 45. Connect Exchange 2000 toConnect Exchange 2000 to InternetInternet ServerServer InternetInternet
    46. 46. DNSDNS .msft nwtraders MX 10 SMTP1.nwtraders.msft MX 20 SMTP2.nwtraders.msft MX 30 SMTP3.nwtraders.msft DNSDNS .msft nwtraders MX 10 SMTP1.nwtraders.msft MX 20 SMTP2.nwtraders.msft MX 30 SMTP3.nwtraders.msft DNSDNS .msft nwtraders MX 10 SMTP1.nwtraders.msft MX 20 SMTP2.nwtraders.msft MX 30 SMTP3.nwtraders.msft Locating MX Records in DNS DNSDNS 和和 SMTPSMTP Internet Sending SMTP Server DNSDNS A SMTP1.nwtraders.msft 192.168.2.200 nwtraders MX 10 SMTP1.nwtraders.msft MX 20 SMTP2.nwtraders.msft MX 30 SMTP3.nwtraders.msft .msft
    47. 47. ISAISA InternetInternet 部署防火墙部署防火墙 -- 小型网络或分公司的配置小型网络或分公司的配置 企 部网业內 络企 部网业內 络  访问策略规则访问策略规则 -- IPIP 封包封包 ,, 应应 用程式用程式 ,, 使用者使用者 ,, 群组等的存取规则群组等的存取规则  带宽规则带宽规则 -- 不同不同 Internet requestInternet request 所分配不同带宽的规则所分配不同带宽的规则  发布规则发布规则 -- 将将 InternetInternet 服务服务 (( 如如 web,ftp,mail)web,ftp,mail) 透过防火墙透过防火墙 的保护公布給外界大众的保护公布給外界大众  入侵检测入侵检测 -- 防火墙入侵监测与警示防火墙入侵监测与警示  监视和日志监视和日志 –– 进出流量分析与报表进出流量分析与报表  WebWeb 缓存缓存 -- 所有放火墙的安全策存内容略会被自动应用到缓存内容之上所有放火墙的安全策存内容略会被自动应用到缓存内容之上
    48. 48. 蜂巢式安全防护体系蜂巢式安全防护体系 内部防火墙内部防火墙 中央监控服务器中央监控服务器 InternetInternet 中央管理服务器中央管理服务器 对外防火墙对外防火墙 内部防火墙内部防火墙
    49. 49. 配置内部邮件路由到配置内部邮件路由到 internetinternet  制定北京的一台服务器作为制定北京的一台服务器作为 SMTPSMTP 桥头桥头 堡连接到防火墙的内部堡连接到防火墙的内部 IPIP 地址地址  上海、广州和北京的另一台服务器设定上海、广州和北京的另一台服务器设定 Smart HostSmart Host ,指到,指到 SMTPSMTP 桥头堡服务器桥头堡服务器  成都成都 exchangeexchange 可以直接指到本地防火可以直接指到本地防火 墙墙
    50. 50. Secure SMTP ServerSecure SMTP Server  Secure relaySecure relay settingssettings  Best Practice:Best Practice: Default settings!Default settings!
    51. 51. ISA ServerISA Server 配置配置 HTTPS (SSL)HTTPS (SSL)  映射的协议映射的协议 : “HTTPS server”: “HTTPS server”  ISA Server listens on 443/tcpISA Server listens on 443/tcp  接受入站通信接受入站通信  重新产生新的包转发给重新产生新的包转发给 OWA serverOWA server  保留原地址和端口保留原地址和端口
    52. 52. ISA ServerISA Server 配置配置 HTTPS (SSL) — SecurityHTTPS (SSL) — Security  如果要求监测如果要求监测 ??  使用使用 WebWeb 发布发布  ISA ServerISA Server 需要更高的能力需要更高的能力 -- 考虑使用硬件加密卡考虑使用硬件加密卡  SSLSSL 终止点终止点  SSL stops at ISA ServerSSL stops at ISA Server  Certificate per ISA Server IP addressCertificate per ISA Server IP address  SSLSSL 桥桥  SSL from Client to ISA Server; new SSL from ISASSL from Client to ISA Server; new SSL from ISA Server to OWA serverServer to OWA server  需要证书从需要证书从 ISAISA 到到 OWA serversOWA servers
    53. 53. ISA ServerISA Server 配置配置 SMTPSMTP  映射的协议映射的协议 : “SMTP Server”: “SMTP Server”  典型典型 ISA ServerISA Server 反向代理方式反向代理方式  SMTP filterSMTP filter 提供保护提供保护  附件部署附件部署  拒绝的发送者和域拒绝的发送者和域  SMTPSMTP 命令确认和限制命令确认和限制  关键词过滤关键词过滤
    54. 54. 保证保证 Exchange ServerExchange Server 安安 全全 Exchange Server ProtocolProtocol SourceSource DestinatioDestinatio nn PortPort AnyAny InternalInternal NetworkNetwork Mail ServerMail Server AnyAny ProtocolProtocol SourceSource DestinationDestination PortPort SMTPSMTP AnyAny Mail ServerMail Server TCP 25TCP 25 POP3POP3 AnyAny Mail ServerMail Server TCP 110TCP 110 IMAPIMAP AnyAny Mail ServerMail Server TCP 143TCP 143 InternetInternet
    55. 55. Front end/Back EndFront end/Back End FirewallFirewall Open Ports:Open Ports: 443, 993, 995443, 993, 995 Exchange 2000Exchange 2000 Front-EndFront-End ServerServer Exchange 2000Exchange 2000 ServerServer Active DirectoryActive Directory Global Catalog ServerGlobal Catalog Server Exchange 2000Exchange 2000 ServerServer Exchange 2000Exchange 2000 ServerServerInternet HTTP, IMAPHTTP, IMAP or POP3 Clientor POP3 Client
    56. 56. 使用使用 DMZDMZ FirewallFirewall OpenOpen Ports:Ports: 443, 993,443, 993, 995995 ExchangeExchange 20002000 Front-EndFront-End ServersServers Exchange 2000Exchange 2000 ServerServer Active DirectoryActive Directory Global Catalog ServerGlobal Catalog Server Exchange 2000Exchange 2000 ServerServer Exchange 2000Exchange 2000 ServerServerInternet FirewallFirewall OpenOpen Ports: 80Ports: 80 143, 110,143, 110, LDAP, etcLDAP, etc DMZDMZ HTTP, IMAPHTTP, IMAP or POP3 Clientor POP3 Client
    57. 57. 保证服务器之间安全保证服务器之间安全 -- 验证验证  服务器和服务器自动使用服务器和服务器自动使用 X-EXPSX-EXPS 验验 证证  Kerberos/NTLMKerberos/NTLM  缺省缺省 SMTPSMTP 协议扩充与协议扩充与 Exchange 2000Exchange 2000 一起安装一起安装  允许服务器通过其他服务器中继允许服务器通过其他服务器中继 (( 需要需要 验证验证 ))  SMTP AUTH (RFC 2554)SMTP AUTH (RFC 2554)  主要是连接外部系统 –配置主要是连接外部系统 –配置 SMTPSMTP connectorconnector
    58. 58. 保证服务器之间安全保证服务器之间安全 -- 加密加密  IPSecIPSec  定义不同的定义不同的 IPSec filtersIPSec filters  最简单的配置最简单的配置  使用组策略可以使所有的使用组策略可以使所有的 ExchangeExchange serversservers 要求通过要求通过 2525 端口的入站信息加端口的入站信息加 密密  http://www.microsoft.com/windows2000/techinfo/plannihttp://www.microsoft.com/windows2000/techinfo/planni ng/security/ipsecsteps.aspng/security/ipsecsteps.asp  TLS (TLS – RFC 2487)TLS (TLS – RFC 2487)  要求在每台服务器上安装要求在每台服务器上安装 X.509v3X.509v3 服务服务 器密键器密键 ,,
    59. 59. 配置配置 ISAISA 防毒防毒  防止防止 Nimda WormNimda Worm http://www.microsoft.com/technet/treeviewhttp://www.microsoft.com/technet/treeview /default.asp?/default.asp? url=/technet/prodtechnol/isa/deploy/isanurl=/technet/prodtechnol/isa/deploy/isan imda.aspimda.asp  防止防止 Code Red Worm."Code Red Worm."
    60. 60. Information StoreInformation Store 方案方案  存储事件存储事件  在存储内当一个条目打开,保存,移动或删除时会触发在存储内当一个条目打开,保存,移动或删除时会触发  事件类型事件类型  同步 – 当事件发生时同步 – 当事件发生时  异步 – 在事件发生之后异步 – 在事件发生之后  病毒扫描病毒扫描 APIAPI  扫描邮件和附件扫描邮件和附件  安优先级扫描队列安优先级扫描队列  主动邮件扫描主动邮件扫描  增强背景扫描增强背景扫描  线程池线程池  每个每个 MDBMDB 扫描扫描  EDKEDK 网关内容扫描网关内容扫描  本机本机 MAPI/MIMEMAPI/MIME 内容扫描内容扫描  扫描器按需重新启动扫描器按需重新启动
    61. 61. 传输方案传输方案  整理公开中继整理公开中继 Fix open relaysFix open relays  SMTP Relay ParametersSMTP Relay Parameters  邮件过滤邮件过滤 -Filter Mail-Filter Mail  拒绝连接拒绝连接 -Disallow connections-Disallow connections  阻止内部垃圾邮件阻止内部垃圾邮件 -Stop internal spam-Stop internal spam
    62. 62. 桌面防毒桌面防毒  Windows andWindows and 浏览器浏览器  下载最新的补丁下载最新的补丁  定制浏览器的安全区域选项定制浏览器的安全区域选项  OutlookOutlook 安全安全  Outlook 98 / 2000 SP1Outlook 98 / 2000 SP1  Upgrade available now from http://www.officeupdate.comUpgrade available now from http://www.officeupdate.com  Outlook 2002Outlook 2002  Built into base productBuilt into base product  安装最新防病毒工具安装最新防病毒工具
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×