Exchange 2010 Organizational Models

The consolidated datacenter model is the simplest model considered in this topic. It consists of a single physical site.

The advantages of the consolidated datacenter model are as follows:

• There are fewer DNS records to manage than with multiple namespace models.
  
  
• There are fewer certificates to manage. Communications between the Exchange Client Access server and clients can be encrypted in several ways. The recommended method for encryption is to use a single certificate that supports Subject Alternative Names.
  
  

  Примечание.
  A Subject Alternative Name is an attribute of a digital certificate that allows the site administrator to configure a single certificate that lists all the namespaces that require a server certificate.

  Примечание.
  Alternative methods for managing certificates for a consolidated datacenter model include a wildcard certificate, multiple certificates, and configuring SRV records appropriately.

• End users don't have to determine which namespace to use. All end users use the same namespace and URL to access Microsoft Exchange.
  
  

Disadvantages to the consolidated datacenter model include:

• This model doesn't support multiple datacenters.
  
  
• If regional Internet links are slow because of low bandwidth, high latency, or high use, end users in those regions will experience poor performance.
  
  

This model consists of multiple physical sites that use a single namespace. Behind an ISA Server computer or another firewall, one of the sites has one or more Internet-facing Client Access servers. The other sites don't contain Internet-facing Client Access servers.

Важно!
Installing a Client Access server in a perimeter network isn't supported.

Внимание!
This model isn't recommended if all sites have Internet connectivity. If your topology uses multiple Служба каталогов Active Directory sites that have Internet connectivity and aren't near to each other, consider a regional namespace model.

This model offers the following advantages:

• There are fewer DNS records to manage than with multiple namespace topologies. This reduces operational complexity.
  
  
• There are fewer certificates to manage. Communications between the Client Access server and clients can be encrypted by using a single certificate that supports Subject Alternative Names.
  
  
• End users don't have to determine which namespace to use. All end users use the same namespace and URL to access Microsoft Exchange.
  
  

Disadvantages to deploying a single namespace with proxy sites include:

• Most users will access their Mailbox server through proxying. If a user connects to a Client Access server that isn't in the same physical site as their Mailbox server, they will be proxied to a Client Access server that's in the same physical site as their Mailbox server. Because of the added proxying, WAN link costs will increase and performance won't be optimal. The effect on performance depends on the distance between the two physical datacenters and the numbers of proxied connections.
  
  
• Clients that use the POP3 or IMAP4 protocols won't be able to access their mailbox if the Client Access server they connect to isn't in the same site as their Mailbox server. POP3 and IMAP4 connections can't be proxied between sites.
  
  

  Важно!
  It's necessary to configure the target virtual directories on each Client Access server in the site being proxied to for Integrated Windows authentication.

This model consists of multiple physical sites that use a single namespace. There are two deployment options for this model. You can use an ISA Server computer in front of one or more sites or use a Client Access server proxy site. There can be one or more Internet-accessible servers behind each site. This model also requires a load balancing solution that splits the incoming traffic equally between the Internet-facing sites.

Важно!
Installing a Client Access server in a perimeter network isn't supported.

Deployment with an ISA Server computer

In this configuration, ISA Server performs pre-authentication of the connection to determine the client's group membership. Traffic is then forwarded to the correct site based on the configured publishing rules.

The advantages of this model are as follows:

• There are fewer DNS records to manage than with multiple namespace models. This reduces operational complexity.
  
  
• There are fewer certificates to manage. Communications between the Client Access server and clients can be encrypted by using a single certificate that supports Subject Alternative Names. The ISA Server computer could be configured to use an external, trusted certificate from a recognized provider. The traffic between the ISA Server computer and the Client Access servers could be secured using an internally generated certificate.
  
  
• End users don't have to determine which namespace to use. All users use the same namespace and URL to access Microsoft Exchange.
  
  
• Mailboxes can be moved between sites without external namespace changes. This provides flexibility for administrators who want to load balance traffic between sites without changing client configuration.
  
  
• If required, a regional namespace can be added at a later stage. This same model can be repeated in another location using a different external URL.
  
  
• ISA Server 2006 forms-based authentication can be customized to suit an organization's specific requirements.
  
  

The disadvantages to deploying this model include the following:

• Wide Area Network (WAN) use will likely increase. The increased use depends on the physical location of the ISA Server computer.
  
  
• ISA Server must be deployed and configured correctly.
  
  
• Group memberships must be managed to ensure traffic is forwarded to the correct site. By default, Recipient Administrators can't create security groups, so Служба каталогов Active Directory delegation must be configured so that dedicated Exchange Administrators can create and update group membership. Using groups creates an additional operational overhead that must be considered when new mailboxes are created or moved. Placing a global catalog server close to the ISA Server computer is the recommended way to avoid unnecessary authentication request travel on the WAN.
  
  

  Важно!
  We don't recommend deploying a topology that has a single namespace and multiple Служба каталогов Active Directory sites. If your topology uses multiple Служба каталогов Active Directory sites, consider using a regional namespace model.

  Примечание.
  To deploy a single namespace with multiple sites, you must clear the ExternalURL values for the virtual directories on the Internet-facing Client Access servers if you want to disable redirection and enforce proxying.

Deployment with a Client Access Server Proxy Site

In this model, all client connections that originate externally go to Служба каталогов Active Directory Site C. The connections are then proxied by the Client Access server in Site C to the site that contains the user's mailbox.

The advantages of this model are as follows:

• There are fewer DNS records to manage than with multiple namespace models. This reduces operational complexity.
  
  
• There are fewer certificates to manage. Communications between the Client Access server and clients can be encrypted by using a single certificate that supports Subject Alternative Names. ISA Server can be configured to use an external, trusted certificate from a recognized provider. And traffic between the ISA Server and Client Access servers can be secured using a certificate that's internally generated.
  
  
• End users don't have to determine which namespace to use. All end users use the same namespace and URLs to access Microsoft Exchange. If split DNS is configured, this model could also be used to unify an internal namespace. If split DNS isn't configured, all internal client requests will reach the firewall and be forwarded appropriately.
  
  
• Mailboxes can be moved between sites without the namespace being changed from an external user's perspective. This provides flexibility for administrators who want to load balance between sites. It is also useful when a disaster occurs and the entire service must be moved between sites, because the client configuration doesn't have to be changed.
  
  
• A regional namespace can be added at a later stage, if required. This same model can be repeated in another location, using a different external URL.
  
  

The disadvantages of this model are as follows:

• WAN use will likely increase and depends on the physical location of the Client Access servers in the Internet-facing site.
  
  
• Additional Client Access servers must be deployed and configured correctly.
  
  
• All users will access their mailbox through proxying. When a user connects to a Client Access server in Site C, it isn't in the same Служба каталогов Active Directory site as their Mailbox server. They will be proxied to a Client Access server that's in the same Служба каталогов Active Directory site as their Mailbox server. Performance won't be optimal because of the additional proxying. The effect on performance depends on the distance between the two physical sites.
  
  
• Access to Windows SharePoint Services libraries and Windows file shares isn't possible when users connect to a Client Access server that isn't within the same site as their Mailbox server. This is because access to Windows SharePoint Services libraries and Windows file shares requires the user's user name and password. In a proxying scenario, communication to Windows SharePoint Services libraries and Windows file shares is performed through the Exchange system account. This account isn't aware of the user's user name and password.
  
  
• Clients that use the POP3 or IMAP4 protocols won't be able to access their mailbox if the Client Access server they connect to isn't in the same site as their Mailbox server. POP3 and IMAP4 access can't be proxied between sites.
  
  

  Важно!
  The ExternalURL property on each virtual directory in a site that contains user mailboxes must be set to $null.

  Важно!
  Client Access servers don't support multiple levels of proxying. Each site that contains user mailboxes must be accessed by the Client Access servers in the dedicated proxy site.

  Примечание.
  Additional network configuration might be required if multiple locations are used. This can include configuring hardware load balancers, multiple DNS records, and route redundancy. The physical deployment will vary based on your organization's network topology.

The multiple site model that uses a different namespace for each site is known as a regional namespace model. The advantages of this model are as follows:

• Proxying is reduced because a larger percentage of users will be able to connect to a Client Access server in the same Служба каталогов Active Directory site as their Mailbox server. This will improve the end-user experience and performance. Users who have mailboxes in a site that doesn't have an Internet-facing Client Access server will still be proxied.
  
  

The disadvantages to this model are as follows:

• Multiple DNS records must be managed.
  
  
• Multiple certificates must be obtained, configured, and managed.
  
  
• Managing security is more complex because each Internet-facing site requires an ISA Server computer or other firewall.
  
  
• Each user must connect to their own regional namespace. This may result in additional helpdesk calls and training.
  
  

  Важно!
  The regional namespace model is recommended for any topology that involves multiple Служба каталогов Active Directory sites that have their own Internet connectivity.

This model consists of multiple forests with multiple namespaces. An organization that uses this model could be made up of two partner companies, Contoso and ContosoOnline. Namespaces might include mail.usa.contoso.com, mail.europe.contoso.com, mail.asia.contosoonline.com, and mail.europe.contosoonline.com.

Consider implementing a regional namespace model for each forest to provide the highest level of performance for end users. Multiple certificates must be managed for each forest.