Exchange 2010 Connectors: Part III
By Exchange MVP, Krishna Kumar
Part 3: Creating Receive connectors using the Exchange Management Shell
Up to this point, we have discussed the various types of connectors in Exchange 2010 and the best practices for creating and configuring them. In Part one, we learned how to create Send connectors using the Exchange Management Console. In Part two, we introduced Receive connectors and learned how to create Send connectors using the Exchange Management Shell. In Part three, I will walk you through the steps of creating and configuring Receive connectors via the Exchange Management Shell.
Exchange Management Shell
As with Send connectors, creating a Receive connector in PowerShell is easy and requires only a single command. As before, however, you must take care to provide the correct parameters. Below is the PowerShell command to create a custom Receive connector for receiving email on port 25. Again, it will create exactly the same connector as the one we created using the Exchange Management Console.
# Note: the -RemoteIPRanges value below is read as a start-end range (10.10.10.1 through 255.255.255.0); use CIDR notation such as 10.10.10.0/24 to allow a single subnet.
New-ReceiveConnector -Name 'From App' -Usage 'Custom' -Bindings '192.168.1.102:25' -Fqdn 'mail.k.com' -RemoteIPRanges '10.10.10.1-255.255.255.0' -Server 'KEXCH'
Post Creation Configuration
Once you have created this connector, you can still manage and configure it, either by right-clicking it and examining its properties or by using the Set-ReceiveConnector PowerShell cmdlet. The recommended settings to review are the authentication options required for incoming connections:
Basic authentication
In Basic authentication, the username and password are sent in clear text (which is not recommended). It is always advisable to select the check box 'Offer Basic authentication only after starting TLS'. Once you enable this check box, the TLS connection between Exchange and the other party is established first, and Basic authentication is then performed over it.
Integrated Authentication
When Integrated Authentication is checked, you must use NTLM and/or Kerberos for authentication.
Exchange Server Authentication (Generic Security Services application programming interface (GSSAPI) and Mutual GSSAPI).
Use this setting when you want a smart host to authenticate using TLS direct trust or Kerberos through TLS.
Externally Secured
This security mechanism is external to Exchange. The connection may be an Internet Protocol security (IPsec) association or a virtual private network (VPN).
Figure 14. Defining the authentication options for a Receive connector.
Once you are done with the authentication settings, it is time to configure permission groups. First, we must take care not to enable anonymous users, in order to prevent unauthorized use of this connector. Other available permission groups include Exchange users, Exchange servers, legacy Exchange servers and partners.
Exchange users – Offers Basic Authentication over TLS for connection
Exchange users and Exchange servers – Offers TLS and Exchange Server authentication
Partner Permission – Offers TLS and enables Domain Security (Mutual Auth TLS) authentication. Use this authentication option when you want a Receive connector to receive email from a partner company over a TLS connection. More information on configuring Mutual Auth TLS can be found on TechNet.
Figure 15. Defining the Permission Groups allowed to use this connector
As mentioned, Get-ReceiveConnector also provides access to these settings in case you prefer to use the Exchange Management Shell. Some of the options worth paying attention to include Banner, MaxInboundConnections, ConnectionTimeout, and ProtocolLogging.
MaxInboundConnections
This setting determines the maximum number of connections a Receive connector can process at a single time.
ConnectionTimeout
ConnectionTimeout specifies how long a connection to the Exchange server can stay open before it times out.
ProtocolLogging
Determines whether auditing is enabled on the connector. If it is enabled, all the connection details and other related details will be logged. This can be very useful for troubleshooting issues.
Banner
The banner is the message displayed when a connection is initiated with the Exchange server. The default banner can give away server details. If you don't want this information to be displayed, you can change it using Set-ReceiveConnector.
Figure 16. A screenshot of some of the information available through Get-ReceiveConnector.
If you want to modify a Receive connector, the Set-ReceiveConnector cmdlet provides you with a quick method for doing this. You can find extensive documentation of this cmdlet's parameters and switches in this TechNet article, but here's a simple example:
Set-ReceiveConnector -Identity "Internet Receive Connector" -Banner "220 Banner Text here" -ConnectionTimeout 00:15:00
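The authentication, permission group, protocol logging and banner settings discussed above can be checked in one pass. The following is an added example, not part of the original article: Test-ReceiveConnectorSetting is a hypothetical helper name, the sample objects are constructed stand-ins for Get-ReceiveConnector output, and the property names are those shown by Get-ReceiveConnector.

```powershell
# Added example: audits Receive connector objects against the settings discussed above.
# Written for PowerShell 2.0 (the Exchange 2010 shell), so it avoids [pscustomobject].
function Test-ReceiveConnectorSetting {
    param([Parameter(ValueFromPipeline = $true)] $Connector)
    process {
        # Flag values print as "Tls, BasicAuth"; split them into clean name lists.
        $auth   = @("$($Connector.AuthMechanism)"    -split ',' | ForEach-Object { $_.Trim() })
        $groups = @("$($Connector.PermissionGroups)" -split ',' | ForEach-Object { $_.Trim() })
        $findings = @()

        if ($groups -contains 'AnonymousUsers') {
            $findings += 'Anonymous users permission group is enabled'
        }
        if (($auth -contains 'BasicAuth') -and ($auth -notcontains 'BasicAuthRequireTLS')) {
            $findings += 'Basic authentication is offered without requiring TLS first'
        }
        if ("$($Connector.ProtocolLoggingLevel)" -ne 'Verbose') {
            $findings += 'Protocol logging is not enabled'
        }
        if ([string]::IsNullOrEmpty("$($Connector.Banner)")) {
            $findings += 'Default banner is in use'
        }

        New-Object PSObject -Property @{ Connector = "$($Connector.Name)"; Findings = $findings }
    }
}

# Constructed sample objects standing in for Get-ReceiveConnector output.
$samples = @(
    (New-Object PSObject -Property @{ Name = 'From App'; AuthMechanism = 'Tls, BasicAuth';
        PermissionGroups = 'AnonymousUsers, ExchangeUsers'; ProtocolLoggingLevel = 'None'; Banner = '' }),
    (New-Object PSObject -Property @{ Name = 'Hardened (hypothetical)';
        AuthMechanism = 'Tls, BasicAuth, BasicAuthRequireTLS'; PermissionGroups = 'ExchangeUsers';
        ProtocolLoggingLevel = 'Verbose'; Banner = '220 Banner Text here' })
)

# Print one line per finding, or "OK" when a connector has none.
foreach ($r in ($samples | Test-ReceiveConnectorSetting)) {
    if ($r.Findings.Count -eq 0) { '{0}: OK' -f $r.Connector }
    foreach ($f in $r.Findings) { '{0}: {1}' -f $r.Connector, $f }
}
```

On a live server, replace the sample objects with Get-ReceiveConnector piped into the function.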
Conclusion:
I hope this tutorial was helpful as you created and configured your first Receive connector. Do not miss the next edition of the ESE in which I will conclude this article series by addressing the remaining connectors in Exchange 2010: Foreign, Linked and Routing Group connectors.