MGB 2003 講師:謝長明 公司:長成資訊/技術總監 http://www.cms.com.tw 『使用Microsoft® Exchange Server 2003 建置高安全性、高效率的企業郵件訊息平台』 --以台灣標竿製造業為例 ~拒絕垃圾郵件,就從郵差做起~ ~大型企業郵件系統之規劃與實例分享~ 講師:謝長明 公司:長成資訊/技術總監 http://www.cms.com.tw © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
講座大綱 Exchange 2003的效益分析 Exchange 2003部署的藍圖 Exchange 2003部署的規劃 結論
講座大綱 Exchange 2003的效益分析 Exchange 2003部署的藍圖 Exchange 2003部署的規劃 結論
以『RPC over HTTP』增強安全性 ROH Exchange 2003 /Back-End TCP:593,6001-6002,6004 ISA Server ROH Exchange 2003 /Back-End Exchange 2003 /Front-End& RPC 代理伺服器 TCP:443 TCP:593,6004 Server Ports (Services) Exchange back-end servers 593 (end point mapper) 6001 (Store) 6002 (DS referral) 6004 (DS proxy) Domain controllers 593 and 6004 Global catalog server GC/DC
OWA 2003的數位簽章與加密
OWA 2003支援表單型的驗證
OWA 2003信件之附件檔管制 OWA 2003可管制信件中的所有附件檔 均允許下載 均不允許下載 只允許直接連接Back-End時,才可下載
OWA 2003的垃圾郵件過濾
Exchange UTD Notifications Perimeter Network (DMZ) MGB 2003 Exchange 2003支援各類行動裝置 Exchange UTD Notifications Outlook Clients (RPC/HTTP) Ex2003 Back-End Servers Perimeter Network (DMZ) Ex2003 Front-End OWA Clients (HTTP / HTML) Wireless Network ISA Firewall Firewall Pocket PC, Smartphone, 3rd Party Sync (HTTP / HTML) Server Windows 2003 or 2000 AD/GC Server Outlook Mobile Access xHTML, cHTML, HTML © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
拒絕垃圾信 Anti-SPAM
何謂SPAM? 不請自來的電子郵件 不請自來的商業郵件 大量的廣告色情郵件 新聞群組的重複張貼 標題與內容均相同 MGB 2003 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
SPAM對企業所造成的影響 影響公司網路的頻寬與效能 降低使用電子郵件的滿意度 降低大家對電腦之可信賴度 帶來惱人的電腦病毒和駭客 MGB 2003 SPAM對企業所造成的影響 影響公司網路的頻寬與效能 降低使用電子郵件的滿意度 降低大家對電腦之可信賴度 帶來惱人的電腦病毒和駭客 PROBLEM ~50% of all email now, up from 8% in 2001 Growing substantially month to month Cost to business $10B/yr in US (2002) Massive attention from the public, industry groups, & legislators Upshot Huge and growing cost to business & consumers Internal pain highest at Hotmail Major threat to trustworthy computing At Risk: Trusted use of email by consumers & businesses At Risk: The future of email for e-commerce Messenger SPAM Control Stop at the Source: Scripts hunt down SPAM offenders so that Operations can turn off spam abusing accounts Has reduced SPAM support calls dramatically Get users to use existing Privacy settings to control SPAM: UI in MSN Messenger and Windows Messenger guides users to learn about and set Privacy Settings Hotmail SPAM Control FY03 Timeframe: Deployed Brightmail server-side in Oct ’02 Brightmail optimizations throughout the year Image blocking of unknown senders implemented “Report As Spam” program (125k users opted in) MSN9 Timeframe: Add’l MSR Server-side Filters Deployed “Report As Spam” button in HM & MSN UI’s To empower MSN users with the ability to report spam To decrease Spam by distributing user complaints to spam-fighting systems Manual filter updates Mail Icons? Others? Post MSN9 Timeframe: Automated filter updates HM Direct Challenge/Response System MS Block List to prevent namespace mining & stop spam abuse through open proxies Others? © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
SPAM的基本運作方式 1.Spammer取得你的Email地址: 使用 Web Spider或 Troller / Crawler 購買郵件名單(mailing list) 進行字典攻擊取得名單 Embedded Web-Beacons 2.Spammer 寄出全球百萬封垃圾信 使用『open proxies』 或暑『open relays』 使用錯誤的主旨和身份識別 同時從多個位址寄出垃圾信 DO IT AGAIN – Some Work Only 15 Hrs Month 4.部份垃圾郵件傳送至使用者的信箱中 SPAMMER低成本,賺大錢 3.大部份的ISP和企業嘗試拒絕垃圾信 利用過濾SPAM軟體 安全清單和拒絕名單 Challenge和 Response 成功地減少 80%以上的SPAM
智慧型垃圾郵件過濾器的作業模式 1 2 3 4 成千上萬個Hotmail 用戶自願和微軟公司對SPAM作鬥爭 正常的信件 1 成千上萬個Hotmail 用戶自願和微軟公司對SPAM作鬥爭 2 Feedback Loop Servers 這些用戶提供服務中心數百萬封垃圾信做處理 3 011001 微軟的智慧垃圾信過濾器 這些信件教導智慧過濾器如何去過濾這些信件 依據世界主要的信箱提供業者的垃圾信樣本 超過 100K以上的垃圾信特性作為判斷是否為垃圾信 4 在信件到達個人收件匣之前,智慧型郵件過濾器針對每一封信的『垃圾信可能性』評等(1~9等級)
連線篩選
收件者篩選
寄件者篩選
智慧型郵件篩選
Outlook 2003垃圾郵件的篩選
智慧郵件篩選比率分析(一) A企業 總數:10,019封垃圾信 期間:60天
智慧郵件篩選比率分析(二) A企業
智慧郵件篩選比率分析(三) B企業 總數:9,543封垃圾信 期間:55天
智慧郵件篩選比率分析(四) B企業
示範 『智慧型郵件過濾器』的運作實況 MGB 2003 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
其他的效益說明 群組接收信件的安全之管制 管理簡單的查詢式通訊群組 提供信箱復原中心便捷功能 SMTP 用戶提出與轉寄限制 支援八個節點穩定叢集技術 完整而明確的郵件佇列管理 有效而精確的郵件追蹤中心 支援MOM 2000的專家管理 還有更多的增強功能...
講座大綱 Exchange 2003的效益分析 Exchange 2003部署的藍圖 Exchange 2003部署的規劃 結論
Exchange 2003部署的藍圖(一)
Exchange 2003部署的藍圖(二)
講座大綱 Exchange 2003的效益分析 Exchange 2003部署的藍圖 Exchange 2003部署的規劃 結論
Exchange Server VS.作業平台 MGB 2003 Exchange Server VS.作業平台 Exchange can be installed and run on Supported Active Directory Environments Exchange Version Windows 2000 Windows Server 2003 Windows 2000 Exchange 5.5 SP3 Yes No Exchange 2000 SP2 Exchange 2000 SP3 Exchange 2003 Yes (W2K SP3) © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
AD結構規劃(一)
AD結構規劃(二)
AD結構規劃(三)
AD結構規劃(四) Inter-Org tools Free/Busy &Public Folders MIIS 2003
GC與DC之規劃考量(一) Domain Naming Master(網域命名操作主機) 最好與GC Server 在同一台電腦 Infrastructure Master(基礎結構主機) 儘量不與GC Server 在同台電腦 儘量與GC 伺服器在同一個站台 每個 Domain 至少應有兩台DC 負載平衡 容錯系統 Exchange Server數量:GC數量=4:1
GC與DC之規劃考量(二) 實體網路拓樸 使用ADSIZER工具 若考量Exchange Server每個Site至少應有兩台GC MGB 2003 GC與DC之規劃考量(二) 實體網路拓樸 若考量Exchange Server每個Site至少應有兩台GC 參考Building Enterprise Active Directory™ Services: Notes from the Field一書 使用ADSIZER工具 http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
講座大綱 Exchange 2003的效益分析 Exchange 2003升級的藍圖 Exchange 2003升級的規劃 結論
案例分析 永生公司,在美國(45人)、大陸蘇州(300人)、台北(20人)、新竹(2500)、台中(1500)共五個廠,目前在每一個點都有自己的NT4 Domain和Exchange 5.5 Site,各網域之間均互相信任,公司決定要將所有的Exchange Server 5.5升級至Exchange Server 2003,台中廠要能夠使用OMA、Exchange ActiveSync、AUTD、及RPC over HTTP、ANTI-SPAM。
永生公司升級前的網路拓樸
Site和Exchange topology 結構
Exchange 2003系統部署SOP 準備Active Directory 安裝Exchange 2003 遷移使用者信箱 遷移公用資料夾 遷移訊息連接器 Active Directory帳戶清理精靈
準備Active Directory ForestPrep DomainPrep OrgPrepCheck Active Directory 連結器(ADC)
Active Directory 連接器服務 ADC運作的結構 Exchange 5.5 Active Directory 連線協定 Active Directory 連接器服務 Exchange Directory Provider Mapping Engine Active Directory Provider Replication Engine Windows 2000/2003
MGB 2003 使用ADC工具,完成升級作業 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
部署Exchange 2003前的檢查 SetupPrep工具群組 OrgNameCheck OrgCheck PubFoldCheck MGB 2003 部署Exchange 2003前的檢查 SetupPrep工具群組 OrgNameCheck 組織和站台名稱檢查 所有名稱最多可包含64個字元,前後沒有空格 LDAP顯示名稱不能包含 , = + < > # \ ” 顯示名稱不能包含 ~ ! @ # $ % ^ & * ( ) _ + = { } | \ ”’ < , > . ? / OrgCheck 第二次執行 (在OrgPrepCheck曾執行過一次) PubFoldCheck DS/IS 一致性檢查與調整 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
第一台Exchange 2003的安裝 執行方式 安裝完成後 Setup (依部署精靈程序處理) MGB 2003 第一台Exchange 2003的安裝 執行方式 Setup (依部署精靈程序處理) 安裝完成後 以Exchange 5.5的site-addressing之SMTP為預設的『收件者原則(Recipient Policy)』 成為預設的『收件者更新服務(RUS)』伺服器 成為『路由群組主要伺服器(Routing Group Master)』 負責Exchange 2003 的『離線通訊清單』的產生 為Exchange 2003 使用者提供離線通訊錄 Talking point: Routing master is set on first PT server in each RG RUS is 1 per domain. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Site Replication Service MGB 2003 Site Replication Service 讓Exchange 2003和Exchange 5.5的目錄得以保持同步 相當於Exchange 5.5的DS的角色 Site 1 Site 2 Exchange 2003 Exchange 5.5 Exchange 5.5 DRC SRS Exchange 5.5 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
遷移使用者信箱 應確保DS information已經複製到AD 可使用 MGB 2003 遷移使用者信箱 應確保DS information已經複製到AD 可使用 Active Directory使用者及電腦 Microsoft Exchange系統管理員 必須在相同的Admin Group/Exchange 5.5 site 已損壞的信件不移動 支援 multi-threaded 可以自訂行程 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
移動信箱的精靈 MGB 2003 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
遷移公用資料夾 PF 1. Public Folder CA PF Directory Entries 5.5 2. Hierarchy MGB 2003 遷移公用資料夾 PF 1. Public Folder CA PF Directory Entries 5.5 2. Hierarchy 3. Content E2K3 Active Directory © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
遷移訊息連結器 Exchange 5.5 升級後站台之間的訊息連結器之對應關係 繼續支援 不再支援 IMC SMTP virtual Server + SMTP connector Site Connector Routing Group Connector X.400 ConnectorX.400 Connector 繼續支援 Microsoft Exchange Connector for Lotus Notes Microsoft Exchange Calendar Connector 不再支援 MSMail Lotus CC:Mail Novell Groupwise X.400 connector /TP4 與 DRAS Exchange 5.5
Active Directory帳戶清理精靈 MGB 2003 Active Directory帳戶清理精靈 適用時機 當NT4網域還未升級至Windows 2003前即與某一新AD以ADC建立關係,後來才升級為該AD的成員時 形成原因 在建立收件者連線協定(Recipient Connection Agreement)後已將NT4的帳號,以disable的形式存在於AD,故俟NT4網域升級為該AD的成員時,將產生帳戶的重複,故應合併為一個帳戶 合併方法 使用Exchange 2003所提供的Active Directory帳戶清理精靈 從開始所有程式Microsoft Exchange部署執行『Active Directory帳戶清理精靈』 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
結論 Anti-SPAM提升系統效率與減少使用者困擾 Exchange 2003的行動通訊是企業M化基礎
MGB 2003 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.