

How to configure HUB server on DMZ?

Posted on 2008-10-30
Medium Priority
Last Modified: 2010-04-21
I am implementing the Exchange 2007 server with CCR. I am using four servers: one for ADS (catalog server), a second common server for edge and Hub, and the third and fourth for the Mailbox server on a cluster (CCR). All these servers are on the same local network.

I want to configure the HUB server on the DMZ. Do I need two NICs in the HUB server, one for the local network and one for the DMZ? If this is the case, then what will be the DNS servers for the DMZ NIC?

Can anyone explain how to configure all these servers on the network, and the IPs, gateway and DNS settings of the individual servers?
Question by: amrish_IT
LVL 33

Expert Comment

ID: 22845469
"second one common server for edge and Hub"

Are you thinking of installing both on the same box? Technically, practically, theoretically this is not possible.
My suggestion would be to have 2 node A/P CCR Clusters + CAS & Hub Server + Edge Server (in DMZ).

Personally I believe Hub should not be placed in a DMZ.

MSFT says:

In this scenario, the Exchange 2007 Hub Transport server can be reached directly through the Internet. We don't recommend this topology because it increases security risks by exposing to the Internet the Exchange 2007 server and all roles installed on that server. We recommend that you implement a perimeter network-based SMTP gateway, such as the Edge Transport server, instead.

LVL 32

Expert Comment

ID: 22845540
Hi Amrish,
Can you explain the reason you want to place the HUB in the DMZ? Any specific reason? You can achieve the same results in the LAN too.
To be able to better guide you, we would need the exact scenario.
Hope this helps.

Author Comment

ID: 22847967

I have only four servers right now: one for AD, two for the Mailbox cluster and one for HUB. That's why I have to put the HUB server in the DMZ.

LVL 33

Expert Comment

ID: 22848051
What about the CAS role - where do you plan to place that? With your calculation I could not find that role sitting on the AD server for sure, and if you plan to merge CAS + HUB in the DMZ (this isn't supported nor recommended).

Awaiting your response.

Author Comment

ID: 22848064
HUB and CAS roles will be on the same server. If I install the edge server separately, then how will it communicate with the HUB server, because the edge server is in the DMZ with a public IP?
LVL 33

Expert Comment

ID: 22848145
If you are in shortage of servers - why not simply have the hub role in your local LAN behind a firewall?
Remember, Hub (in local LAN of DMZ) will also have all the functionality (almost all) of EDGE.

If you place Hub in the DMZ - you need to open port 135 (RPC) + 389 (LDAP) + 25 (SMTP) + 53 (DNS) + 443 (SSL).

Now look at the ports used by EDGE.

    * LDAP: Port 50389/TCP
    * Secure LDAP: Port 50636/UDP
    * SMTP: Port 25/TCP
    * Optional: enable RDP: Port 3389/TCP

You basically are opening up all the ports required for Hub (if it is placed in DMZ) - so if your Hub is compromised - your AD / Exchange is compromised too. That is the reason no one recommends nor practices placing Hub in DMZ.
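
An added example (not part of the thread and not Microsoft tooling): a small Python audit of a firewall rule export that flags allow rules from the DMZ to the internal LAN on the ports the comment above lists for a Hub placed in the DMZ, rating the directory-facing ones (135 RPC, 389 LDAP) as high. The subnets, rule names, rule tuple format and severity labels are constructed for illustration.

```python
import ipaddress

# Ports the comment lists for a Hub Transport server placed in the DMZ.
HUB_IN_DMZ_PORTS = {135: "RPC", 389: "LDAP", 25: "SMTP", 53: "DNS", 443: "SSL"}
# Subset that talks to Active Directory itself (classification added here).
DIRECTORY_PORTS = {135, 389}

# Constructed addressing plan (assumption, not from the thread).
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.0.0.0/16")

# Constructed sample rules: (name, source, destination, port spec, action).
SAMPLE_RULES = [
    ("smtp-in", "192.0.2.10", "10.0.1.20", "25", "allow"),
    ("hub-ldap", "192.0.2.10", "10.0.0.5", "389", "allow"),
    ("hub-rpc", "192.0.2.0/24", "10.0.0.0/16", "135-139", "allow"),
    # Edge port from the comment; the LAN-to-DMZ direction is constructed.
    ("lan-to-edge-sync", "10.0.1.20", "192.0.2.10", "50636", "allow"),
    ("old-ldap", "192.0.2.10", "10.0.0.5", "389", "deny"),
]

def parse_ports(spec):
    """Expand '25', '135-139' or '25,443' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules, dmz=DMZ, lan=LAN):
    """Return (rule, severity, services) for allow rules that let DMZ
    sources reach LAN destinations on any Hub-in-DMZ port."""
    findings = []
    for name, src, dst, spec, action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src, strict=False)
        dst_net = ipaddress.ip_network(dst, strict=False)
        if not (src_net.overlaps(dmz) and dst_net.overlaps(lan)):
            continue  # only DMZ -> LAN flows matter for this check
        hits = sorted(parse_ports(spec) & set(HUB_IN_DMZ_PORTS))
        if hits:
            severity = "high" if DIRECTORY_PORTS & set(hits) else "review"
            findings.append((name, severity, [HUB_IN_DMZ_PORTS[p] for p in hits]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```
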


Author Comment

ID: 22848623
Can I add the edge server later on?
LVL 33

Accepted Solution

Exchange_Geek earned 1000 total points
ID: 22848707
Any time. There is no time restraint for adding an Edge, nor any hard-coded rule that if you have Hub first, Edge will behave like a spoilt brat.

Do not worry; if you want, you can add an EDGE server as and when you can arrange other hardware for it.

Author Comment

ID: 22848826
Information provided by you is very helpful. Thank you very much.

Author Closing Comment

ID: 31511801
Thank you so much for your help.
LVL 33

Expert Comment

ID: 22849174
Glad to have been able to answer your queries.

God Bless.

Take Care


Question has a verified solution.
