I often receive questions like these (collected from a few e-mails):
I don't have a fixed IP address, but would like to run my own Exchange server, is that possible?
I would like to set up an Exchange test environment at home, how do you do that?
I have a very small customer who wants to use Exchange, what do I need?
Since these questions land in my mailbox relatively often, I would like to take this opportunity to give you a little insight into my own small Exchange organization. I gave this look behind the scenes once before, but back then it was still Exchange Server 2010. So here is the current environment, which is also suitable as your own test environment, as a mini Exchange organization, or simply for playing around.
Update: While I was writing this article, it occurred to me that I could also document the complete setup for rebuilding it here. So a few posts will follow in which the environment described below is set up step by step with one of my test domains.
The environment / test environment
My domain is still hosted by Strato, and so far I have absolutely nothing bad to report: I have rarely needed to contact support, but when I did they were consistently fast and competent. Therefore: thumbs up!
Strato's big advantage: you can create subdomains that can be updated dynamically, more on this later.
Internet access is via a VDSL line (100/50 Mbit/s). The connection is established by a Fritzbox, which in turn forwards port 80 (HTTP) and port 443 (HTTPS) to the virtual firewall.
The virtual firewall (Sophos UTM) lives on an ESXi server. Thanks to a current Core i7 and SSDs it consumes pleasantly little power (~30 watts under normal load), and with 32 GB of DDR4 RAM it is also fast enough. Three VMs run on the ESXi for my Exchange organization: domain controller, Exchange server and POP3 connector VM.
Network
Since my ESX server only has 2 network cards, I have configured several VLANs. VLAN 9 serves as the transfer network between the Fritzbox and the Sophos UTM. The DC and the Exchange server are in VLAN 10, behind the Sophos UTM. VLAN 11 is the DMZ; it contains a Windows server that collects the mails from the Strato catchall mailbox via POP3 and sends them via SMTP to the UTM (no, not directly to the Exchange server). VLAN 20 is for the clients. The default gateway for all LANs is the Sophos UTM. There are other VLANs, but they are not relevant from an Exchange perspective.
Mail flow (incoming)
The POP3 connector VM retrieves the mails from the Strato catchall mailbox via POP3 and forwards them to the Sophos UTM via SMTP. The UTM in turn forwards the mail via SMTP to the Exchange server. You could of course forward the mail directly from the POP3 connector to the Exchange server, but I decided against that. The UTM's e-mail protection has a pretty good spam filter, but that filter works best with SMTP; the UTM can also act as a POP3 proxy and scan for viruses that way, but then you have to accept a few compromises. Since I do a lot of testing and playing around, this configuration lets me use the UTM's SMTP profiles to redirect individual domains to other Exchange servers, for example when I set up a new test environment, and the spam quarantine works in this setup as well. One caveat of any catchall design: a POP3 mailbox preserves the message headers but not the SMTP envelope recipient, so the connector has to derive the target mailbox from the headers, and a BCC recipient cannot be recovered that way.
Mail flow (outgoing)
Exchange first sends the mails to the UTM, which has the Strato SMTP server configured as its smart host. Exchange could also send directly to the Strato SMTP server, but thanks to the UTM's SMTP profiles this configuration leaves a lot of freedom for test scenarios and the like.
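As an added example that is not from the original post, this is the Exchange side of the mail flow just described, typed into the Exchange Management Shell: the accepted domain that lets Exchange take mail relayed by the UTM, and a send connector that hands all outbound mail to the UTM as smart host. The server name EX01 and the UTM address 192.168.10.1 in VLAN 10 are assumptions; the UTM's own SMTP profiles and its Strato smart host are configured in the UTM web UI and are not shown here.

```powershell
# Added example: Exchange side of the mail flow described above.
# Assumptions (not from the original post): Exchange server EX01,
# Sophos UTM reachable from VLAN 10 at 192.168.10.1, mail domain frankysweb.de.
$Domain    = 'frankysweb.de'
$Server    = 'EX01'
$SmartHost = '192.168.10.1'   # the UTM; it relays to Strato in turn

# Inbound: Exchange must be authoritative for the domain the catchall mailbox
# receives for, otherwise mail relayed by the UTM is rejected as an unknown
# recipient. The default frontend receive connector already accepts anonymous
# SMTP on port 25 from the UTM, so no extra receive connector is needed.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $Domain })) {
    New-AcceptedDomain -Name $Domain -DomainName $Domain -DomainType Authoritative
}

# Outbound: one send connector for all address spaces that uses the UTM as
# smart host. Exchange never talks to Strato directly; the UTM does, so DNS
# routing is switched off on purpose.
if (-not (Get-SendConnector | Where-Object { $_.Name -eq 'Internet via UTM' })) {
    New-SendConnector -Name 'Internet via UTM' -Usage Internet `
        -AddressSpaces 'SMTP:*;1' -SmartHosts $SmartHost `
        -SmartHostAuthMechanism None -DNSRoutingEnabled $false `
        -SourceTransportServers $Server
}

# Check 1: the connector is enabled and routes via the smart host, not via DNS.
Get-SendConnector -Identity 'Internet via UTM' |
    Format-List Name, Enabled, SmartHosts, DNSRoutingEnabled, AddressSpaces

# Check 2: recent outbound deliveries must show the UTM connector as ConnectorId.
# A SEND event on any other connector means mail is leaving by a different path.
Get-MessageTrackingLog -Server $Server -Start (Get-Date).AddHours(-1) -EventId SEND |
    Select-Object Timestamp, Sender, Recipients, ConnectorId, ServerHostname
```

If the domain is added after the POP3 connector has already been running, look for 550 5.1.1 rejections in the UTM's SMTP log for the period before the accepted domain existed.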
Active Directory / DNS / Exchange
The Active Directory domain is called frankysweb.de; I wanted to keep it as simple as possible here so that I don't need to work with alternative UPN suffixes. Since this is only a tiny environment, I have simply made the e-mail address the user name. This also results in split-brain DNS:
Two subdomains have been created at Strato, which the UTM updates with the dynamic IP address of my Internet connection. On my internal DNS server, the outlook and autodiscover records point to the IP address of the Exchange server.
The Exchange virtual directories (internal and external URLs, with the exception of Autodiscover) are all configured with the name outlook.frankysweb.de, so a publicly trusted certificate can be used and there is no certificate warning anywhere.
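As an added example (not the post's own commands), the internal half of the split-brain DNS and the virtual directory names described above, in PowerShell. The domain controller DC01 hosting the internal zone frankysweb.de, the Exchange server name EX01 and its address 192.168.10.10 are assumptions; the public outlook and autodiscover records at Strato are updated by the UTM and are not touched here. The check at the end lists every URL and flags any that does not carry the expected host name, because a stray server FQDN in one virtual directory is exactly what produces a certificate warning in Outlook.

```powershell
# Added example: split-brain DNS and virtual directory names for the setup above.
# Assumptions (not from the original post): DC01 hosts the internal zone
# frankysweb.de, Exchange server EX01 has the IP 192.168.10.10.
$Zone     = 'frankysweb.de'
$Server   = 'EX01'
$ExIP     = '192.168.10.10'
$Name     = "outlook.$Zone"
$AutoDisc = "autodiscover.$Zone"

# Internal DNS (run on the DC with the DnsServer module): both names resolve
# to the Exchange server inside, while the same names resolve to the dynamic
# WAN address outside. Existing records are left alone.
foreach ($Label in 'outlook', 'autodiscover') {
    $Existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Label -RRType A -ErrorAction SilentlyContinue
    if (-not $Existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Label -IPv4Address $ExIP
    }
}

# Exchange Management Shell: every virtual directory gets the same internal and
# external URL, so a single certificate for outlook.frankysweb.de covers all of them.
$Url = "https://$Name"
Get-OwaVirtualDirectory         -Server $Server | Set-OwaVirtualDirectory         -InternalUrl "$Url/owa" -ExternalUrl "$Url/owa"
Get-EcpVirtualDirectory         -Server $Server | Set-EcpVirtualDirectory         -InternalUrl "$Url/ecp" -ExternalUrl "$Url/ecp"
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$Url/EWS/Exchange.asmx" -ExternalUrl "$Url/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $Server | Set-ActiveSyncVirtualDirectory  -InternalUrl "$Url/Microsoft-Server-ActiveSync" -ExternalUrl "$Url/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -InternalUrl "$Url/OAB" -ExternalUrl "$Url/OAB"
Get-MapiVirtualDirectory        -Server $Server | Set-MapiVirtualDirectory        -InternalUrl "$Url/mapi" -ExternalUrl "$Url/mapi"
Get-OutlookAnywhere             -Server $Server | Set-OutlookAnywhere `
    -InternalHostname $Name -ExternalHostname $Name `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Negotiate

# Autodiscover is the exception: domain-joined clients find it through the SCP
# in Active Directory, which points at the autodiscover name instead.
# (Exchange 2016/2019; on Exchange 2013 the cmdlet is Set-ClientAccessServer.)
Set-ClientAccessService -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoDisc/Autodiscover/Autodiscover.xml"

# Check: list every URL and flag the ones whose host is not outlook.frankysweb.de.
$Dirs = @(
    (Get-OwaVirtualDirectory -Server $Server),
    (Get-EcpVirtualDirectory -Server $Server),
    (Get-WebServicesVirtualDirectory -Server $Server),
    (Get-ActiveSyncVirtualDirectory -Server $Server),
    (Get-OabVirtualDirectory -Server $Server),
    (Get-MapiVirtualDirectory -Server $Server)
)
foreach ($Dir in $Dirs) {
    foreach ($Prop in 'InternalUrl', 'ExternalUrl') {
        $Value  = $Dir.$Prop                       # System.Uri or $null
        $Status = if ($Value -and $Value.Host -eq $Name) { 'OK' } else { 'MISMATCH' }
        '{0,-8} {1,-11} {2,-45} {3}' -f $Status, $Prop, $Dir.Identity, $Value
    }
}

# Check: the same name must answer differently inside and outside. Inside it is
# the Exchange server, outside (asked via a public resolver) the WAN address.
Resolve-DnsName -Name $Name -Type A | Select-Object Name, IPAddress
Resolve-DnsName -Name $Name -Type A -Server 9.9.9.9 | Select-Object Name, IPAddress
```

After changing the URLs, run `iisreset` on the Exchange server or wait for the next Autodiscover refresh; Outlook picks up the new values only on its next profile update.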
Publication of Exchange services
The Exchange services (Outlook Anywhere, OWA or Outlook on the Web, Autodiscover, EWS, etc.) are also published via the Sophos UTM. I use the UTM's web server protection for this.
The Fritzbox forwards port 80 (HTTP) and port 443 (HTTPS) to the Sophos UTM. The UTM's web server protection then redirects HTTP to HTTPS if connections arrive unencrypted.
Summary
This setup is certainly suitable for test environments, for playing around, or as your own small environment. Whether you want to run a single-server solution as a company is up to you; I don't have any major availability requirements. If my ESX server burns down, I find that annoying, but I can quickly restore my backup to my workstation as a Hyper-V VM until I have a new ESX server :-)
A how-to for rebuilding will follow.