Shaktur

Exchange Cluster, Front-End Back-End, SMTP Gateway

I am rebuilding our Exchange structure. We are going from a mix of 2000 and 2003 Exchange servers in a distributed environment to a single location in a CyberCenter. We currently have 9 Exchange servers (single servers) in different locations. We have 3 SMTP Gateways running Trend Interscan Messaging & Security Suite (IMSS). The IMSS servers don't do any spam filtering. They are for outbound disclaimers and some content filtering, like blocking Internal Use Only emails. Our MX records point to MX Logic. They spam filter and then deliver directly to our IMSS servers. We have Trend ScanMail on exchange servers for virus. We have about 1000 users.

Current Setup
-------------
9 Exchange Servers (2000 and 2003)
ScanMail
3 SMTP Gateways (IMSS)
MX Logic Spam filtering for inbound mail, deliver directly to our IMSS servers

New Setup
---------
Exchange 2003 Cluster Back-end (2 active, 1 passive)
Exchange 2003 Front-End (2 servers, OWA and RPC/HTTP)
Antigen on the Cluster for virus
GFI MailEssentials for disclaimers and content filtering (not sure on this one)

I really don’t like the IMSS SMTP Gateway. I want to eliminate them if feasible. I also don’t like ScanMail. I would prefer Antigen. I’m not sure that we need SMTP Gateways at all. We don’t allow email from the Internet to hit our servers directly. It is all coming from MX Logic. I think we may be better off delivering directly to and from the Exchange Cluster. The mail tracking with IMSS is terrible. I would rather do it with Exchange, unless there’s something better out there. My current thought is Antigen on the Cluster for virus and GFI MailEssentials on the Cluster for disclaimers and outbound content filtering.

Any thoughts or suggestions?

Charlie
flyguybob

There is a lot to post, but I wanted to make one quick note.
Cluster nodes receive mail on the Virtual IP for the Exchange cluster resource group.
Cluster nodes send mail on the physical IP of the active node.
Keep this in mind if you don't utilize a full FE/BE architecture.

Bob
Shaktur

ASKER

Thanks for the reply Bob. I was not aware of that (outbound email on the node's IP). That could cause potential reverse DNS problems.

As for a full FE/BE architecture, would the FE servers actually send outbound email in this case?

Charlie
If you configure it, yes.  

In many cases I have had an edge system on the outside, be it an Exchange 2007 Edge server,  IIS server, Ironport, Sendmail server, etc.  As such, I create an SMTP connector that will send all e-mail to the edge system(s), using (a) specific IP(s), and only allow the FE server to use the connector.  If you don't have an edge connector, then you just leave the connector set to use DNS to deliver the mail.

Front-end server considerations in Exchange Server 2003  
http://support.microsoft.com/kb/822443/
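
The reverse DNS concern raised earlier in the thread can be checked per source address. This is an added example, not code from any poster: it runs a forward-confirmed reverse DNS check over every IP the cluster can send from, using constructed records (documentation address space and hypothetical host names) so it runs offline.

```python
# Constructed sample data: documentation address space and hypothetical host names.
VIRTUAL_IP = "192.0.2.10"          # cluster virtual server: where inbound mail arrives
NODE_IPS = {                       # physical IPs: what remote servers see on outbound mail
    "node1 (active)": "192.0.2.11",
    "node2 (active)": "192.0.2.12",
    "node3 (passive)": "192.0.2.13",
}
PTR_RECORDS = {                    # reverse zone, IP -> host name
    "192.0.2.10": "mail.example.com",
    "192.0.2.11": "node1.example.com",
    "192.0.2.12": "node2.example.com",
}
A_RECORDS = {                      # forward zone, host name -> IPs
    "mail.example.com": ["192.0.2.10"],
    "node1.example.com": ["192.0.2.11"],
    "node2.example.com": ["192.0.2.99"],   # stale A record
}


def fcrdns_status(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS: a PTR must exist and its name must resolve back to ip."""
    name = ptr.get(ip)
    if name is None:
        return "no-ptr"
    if ip not in a.get(name, []):
        return "ptr-mismatch"
    return "ok"


def audit_outbound_sources(node_ips=NODE_IPS):
    """Check every address the cluster can send from, including the passive node,
    because a failover changes the source IP that remote servers see."""
    return {node: fcrdns_status(ip) for node, ip in node_ips.items()}


if __name__ == "__main__":
    print("virtual IP:", fcrdns_status(VIRTUAL_IP))
    for node, status in audit_outbound_sources().items():
        print(f"{node}: {status}")
```

The virtual IP passing the check says nothing about outbound mail; it is the node addresses that need matching PTR and A records. Against live DNS, the dictionary lookups can be replaced with `socket.gethostbyaddr` and `socket.gethostbyname_ex`.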
Shaktur

ASKER

Sorry for the delay in responding, December was a busy month. =/

In a full FE/BE setup, does the BE relay mail to the FE and then the FE send it on out to the Internet? I'm still not sure if we need a separate gateway(s) since it is really just for outbound mail. All inbound mail coming directly from MXLogic.

Any more thoughts on this?
ASKER CERTIFIED SOLUTION
flyguybob

Shaktur

ASKER

Ok, cool, good info.

So far my plan remains pretty much the same. FE/BE config. 3 node (active/active/passive) cluster for backend. 2 NLB frontend servers.

The remaining question is whether or not to use a gateway. I imagine you could use another Exchange server for a gateway, separate from the FE servers. How much "tracking info" would you lose if the gateway was not an Exchange server? What would you recommend as a good gateway product? We are currently using Trend IMSS and I really don't like it.
Shaktur

ASKER

Also, I should restate, this is for about 1000 users, possibly 2000 by year's end. I know the 3 node cluster is overkill, but it needs to be a highly available resource.
I have worked with A/A/P clusters and they work just fine.  I would not go anywhere above 4 nodes A/A/A/P, if at all possible.

The best gateway product, outside of an Exchange 2007 Edge server, and an application which meets your out of the box reporting requirements, is likely going to be overkill.  MX Logic performs your front-end hosting and anti-spam services as well as mailbagging if your FE is down.  That is one of the primary reasons to have a Front-End.  The other primary reason for a FE is to allow OWA access.  

In all honesty, you could put something like Forefront (formerly Sybari Antigen) on your server, and use a 3rd party reporting tool for outbound mail statistics.  You are only scanning outbound messages and it is likely that you have anti-virus on your Exchange cluster nodes.

My current engagement requires me to remain vendor neutral, but I can mention several products that handle front-end services as a software/hardware package, and can meet your reporting requirements.
Ironport (recently purchased by Cisco)
   I have worked with Ironport extensively with several small enterprise customers (1000 users) and some very large enterprise customers (20,000+ users).  I haven't ever had a complaint, personally or from a previous customer who implemented their product as an SMTP gateway, anti-spam and anti-virus.
Barracuda (Symantec)
   I haven't worked with the hardware device.