Public network release of Exchange Server

Requirement: publish the intranet Exchange server to the Internet through TMG, so that users on the Internet can access the intranet Exchange server.

Tutorial topology:

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_14152782292rGr.png "/>

There are four ways to publish an Exchange server to the public network:

POP3, SMTP plaintext release

POP3, SMTP ciphertext released

OWA bridging mode released

Release of OWA tunnel mode

Either of the four methods is to use the certificate. Before publishing, you must apply for an Exchange server certificate. Otherwise, a certificate error will be reported.

How to obtain a certificate

1. Purchase a certificate from a certificate provider on the public network (all clients trust the certificate without installing a trusted certificate)

   Www.verisign.comwww.ssl.comwww.wosign.com

2. Install the certificate service on the internal server and issue it to the user through the CA. (No money, but the client does not trust it by default)

Exchange server certificate application

In the exchange server configuration, select create an exchange certificate to apply for an Exchange certificate.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_14152782294D5S.png "/>

Enter a friendly name.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278230dRZD.png "/>

Wildcard certificates are used to configure the host name. If the second-level domain name is correct, you can write the host name at will. Wildcard certificates do not need to be created. It is very expensive to create one.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278230i5jZ.png "/>

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278231o4N3.png "/>

Set mail.benet.com as a public name

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278232QX5f.png "/>

Set the certificate storage location

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278233t1cg.png "/>

Complete certificate application

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278234o4IX.png "/>

The downloaded file is encrypted using a special encryption algorithm.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_14152782353GCy.png "/>

Log on to the CA server to apply for a certificate

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278236yOcN.png "/>

Select advanced certificate application

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278236mr36.png "/>

Select a base64-encoded certificate

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278237lstG.png "/>

Copy the content of the new exchange certificate. Select web Server as the certificate template.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_14152782388KDX.png "/>

Select the encoding used to download the certificate.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278238bCd8.png "/>

In server configuration, right-click the certificate you just created and select the put on hold request to keep the applied certificate to the exchange server.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278239rsZl.png "/>

Select the location of the applied exchange certificate

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_14152782398pIk.png "/>

Select to allocate services to certificates

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_14152782405zRY.png "/>

Select a server. Because there is only one server, click next.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278241MfEV.png "/>

Select the assigned service

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278243L0vd.png "/>

Complete certificate application

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278244tQUn.png "/>

In addition to the configured certificate, other built-in certificates can be deleted.

Then the certificate service of Exchange is configured, and the client can access Exchange in any way.

By default, pop3 is manually enabled if ssl authentication is not enabled. After ssl authentication is enabled, the service needs to be restarted.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278245lO2V.png "/>

Set SMTP to support anonymous user access

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_141527824545xB.png "/>

In this case, the client can perform encrypted access, but if you do not trust the root CA, the certificate error will still be reported. Therefore, the client needs to install the CA to the trusted root authority.

Plaintext publishing exchange ServerPOP3 (110), SMTP (25)

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278246iXXC.png "/>

To publish POP3 and SMTP, select the first

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278246YT8c.png "/>

Select publish plain text protocols POP3 (110) and SMTP (25)

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278246F6dx.png "/>

Set the IP address of the Exchange Server

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278246Px6l.png "/>

Specifies the external address of the listener.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278246QcaW.png "/>

When the policy is applied, the unencrypted Exchange server is published and the client can access the exchange server.

Test and release the client's telnet installation function

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278247yiXr.png "/>

Make sure that the client can parse the internet address of TMG (mail.benet.com)

Port 25 telnet successful

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278247FxFE.png "/>

If Port 110 fails, set the POP3 port to plain text and restart the POP3 service.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278247ROee.png "/>

Check SMTP anonymous users

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278247dqp5.png "/>

Then telnet port 110 is enabled.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278247cefE.png "/>

Outlook client test

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278247QyWw.png "/>

Set account information and server address

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278248ppHu.png "/>

Test successful

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278249100c.png "/>

Set encrypted publishing for the exchange Server

First, set POP3 of the Exchange server to the encryption mode and restart the service after the setting is complete.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278249bgKd.png "/>

Create an email server publishing rule

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278249MkzO.png "/>

Select the published ports as POP3 and SMTP Security ports.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278249A5Dx.png "/>

Set the address of the exchange Server

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278249jZQd.png "/>

Set external addresses for listener addresses

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278250axdp.png "/>

Set, application policy

The POP encryption Port defined by the TMG server is 995.

However, the SMTP encrypted port defined by the TMG server is 465, but the SMTP encrypted port of the Exchange server is 587.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278251IKM9.png "/>

Port 995 of POP3 is enabled when the client tests the Exchange server.

However, the client test server's port 465 (the TMG and Exchange ports are different) and port 587 (the TMG is not enabled) are both disconnected.

In this case, you need to set the TMG firewall policy to change the port of the TMG listening SMTP to port 587.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278251DrUW.png "/>

The client is connected to port 465.

Outlook sets the server port number

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278252fQ9i.png "/>

If you do not want to or will not change the port, you can set the receiving port to 25 on the TMG server, from Port 25 to port 587.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_14152782524AZD.png "/>

Test passed

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201411/6/8809812_1415278252Uvjz.png "/>

Subsequent content: http://wangjunkang.blog.51cto.com/8809812/1573844

This article from the "plum blossom from bitter cold" blog, please be sure to keep this http://wangjunkang.blog.51cto.com/8809812/1573842

Public network release of Exchange Server