Friday, May 18, 2007

Edge Transport Server TCP Port 50636 (ADAM) FROM DMZ to the LDAP servers.

The Edge Transport server is one of the new server roles in Exchange 2007. Older versions of Exchange had roles built into them as well, but only informally.

In earlier versions, every one of the server roles listed below was simply "an Exchange server": the full set of Exchange binaries had to be installed on each of them, and turning a server into a specific role usually meant extra manual work. Building a bridgehead (BH) server, for example, involved deleting the public folder database from every bridgehead server and renaming all of its mail stores to

"Do not create mailboxes" so that help desk staff would not drop a newly created user into a mail store on the bridgehead server.

FE (Front End server, OWA): Port 80, Port 443, Port 25

BE (Mailbox server): Port 25

BH (Bridgehead server): Port 25

PF (Public Folder server): Port 25

Exchange 2007 finally gives granular control over each server through distinct server roles. One of the most interesting roles Exchange introduced is the Edge Transport role, which is designed to sit in the DMZ. Who would place a Microsoft server in the DMZ? Isn't this going to be shooting ourselves in the head? How long will it take to get compromised?

Let me give you some bullet points to make all these questions GO AWAY.

The Exchange team wrote a new SMTP stack. Exchange no longer needs the IIS SMTP stack at all. The new SMTP protocol is provided by the "Microsoft Exchange Transport" service, MSExchangeTransport.exe.

Here is what the Exchange team says:

"By rewriting the transport stack in managed code and running as the Network Service account, we have reduced the risks that are associated with denial of service attacks. This new SMTP transport stack is a required part of Exchange. It eliminates the dependency on IIS and reduces the work that is required to help secure a server for perimeter network deployment."

The EdgeSync service running on the Hub Transport servers establishes ONE-WAY communication: replication from the Hub Transport server out to the Edge Transport server in the DMZ. The idea is simple and follows the first principle of a firewall: few things are allowed to come in, most things are allowed to go out. The Hub Transport server initiates the connection from inside the trusted network and reaches out to the Edge Transport server in the DMZ, and this is a ONE-WAY sync process.

What type of information is carried out by EdgeSync service?

  • Routing information
  • Mail-enabled object information, and
  • NO security principals

This process creates an ADAM database on the Edge server (a local database), and EdgeSync is responsible for making sure this information is current at all times.

Below are the ports the Exchange server will use.

Port Number   Protocol
50389         TCP
50636         TCP
25            TCP/UDP

Source: TechNet
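The one-way direction described above can be checked from the Hub side. The following PowerShell snippet is an added example, not code from the original post or from Microsoft. It assumes PowerShell 2.0 or later and is meant to run in the Exchange Management Shell on a Hub Transport server: it attempts TCP connections from the trusted network to the Edge server on 50636 (secure LDAP to ADAM, used by EdgeSync) and 25 (SMTP), then runs the Exchange Management Shell cmdlet Test-EdgeSynchronization. The host name edge01.dmz.example.com is a placeholder.

```powershell
# Added example (not from the original post). Run on the Hub Transport server,
# inside the trusted network, to confirm it can reach the Edge Transport server
# in the DMZ on the two ports that matter:
#   TCP 50636  secure LDAP to the ADAM instance on the Edge server (EdgeSync)
#   TCP 25     SMTP
# The Hub initiates both connections; nothing is opened from the DMZ inwards.
# Placeholder host name (assumption): replace with your Edge server.
$edgeServer = 'edge01.dmz.example.com'
$ports      = @{ 50636 = 'EdgeSync (secure LDAP to ADAM)'; 25 = 'SMTP' }

foreach ($port in $ports.Keys) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # TcpClient.Connect throws if the firewall or the Edge server refuses.
        $client.Connect($edgeServer, $port)
        Write-Host ("{0}:{1,-6} OPEN    {2}" -f $edgeServer, $port, $ports[$port])
    }
    catch {
        Write-Host ("{0}:{1,-6} BLOCKED {2} - {3}" -f $edgeServer, $port, $ports[$port], $_.Exception.Message)
    }
    finally {
        $client.Close()
    }
}

# Port 50389 (plain LDAP to ADAM) is only used locally on the Edge server and
# is not tested here, because it does not need to cross the DMZ firewall.

# Exchange Management Shell: confirm the one-way replication is current.
# SyncStatus should report Normal once EdgeSync has completed a run.
Test-EdgeSynchronization | Format-List
```

If 50636 shows as BLOCKED from the Hub, EdgeSync cannot replicate recipient and routing data to the ADAM instance, and Test-EdgeSynchronization will report a failed status; a firewall rule in the opposite direction (Edge to Hub on 50636) is never required and should stay closed.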

Questions and Answers

  • What port does the Edge Transport server in the DMZ use to talk to the Hub Transport server on the inside, corporate network?

    -------->TCP 50636

  • What is the name of the process and how does it work?

    -------->The service is called the EdgeSync service, and it is ONE-WAY communication from the Hub to the Edge server.

  • What is the local database on the Edge server and what is generally in this database?

    -------->The ADAM database (local database). Routing information and mail-enabled object information is in ADAM. No security principals.

  • Who is the best heavyweight samurai real fighter in the world?

    -------->This is the easiest one, and the answer will be "Fedor Emelianenko", the BEST OF THE BEST

Best regards

Oz ozugurlu



1 comment:

niels@broertjes.org said...

Definitely is Fedor Emelianenko!! Still, whatever happened :-)...