Exchange Preparation Edge Transport Server

Hi Everyone,

I am in the midst of an Exchange 2010 upgrade; we are going to be running Exchange in a VMware vSphere 4 environment. Our organization has about 60 employees and we want to use OWA, as well as Outlook Anywhere.

We like to know our information is secure, which is why I want to use Edge Transport Server. However, we only really have one firewall appliance: a Cisco ASA 5510. What I would like to know is this: the literature recommends a perimeter network for the Edge Server, and it then talks to the Hub Transport server through another firewall, initiating a secure LDAP connection.

Do I need two firewall appliances to do this? Or can I just port forward SMTP traffic to the Edge Transport server if I use a different port on the ASA plugged directly into the Edge Server, and have all other traffic go in and out of another port on an internal network?

For example, if I have Eth 0/0 on a 10 network internally, can I have all internet traffic except SMTP (25) forwarded internally? Then on Eth 0/1 have a 172 network for just SMTP port 25 traffic to be sent to; in turn, Eth 0/1 would be plugged directly into the Edge Server.

Then the plan, because we are smaller, would be to have the CAS and HUB roles on one server and the MBOX data on another. Please correct me if I am wrong or something doesn't sound right, as this is my first Exchange implementation on this scale.
DMayoAsked:

Glen KnightCommented:
I personally wouldn't bother with the Edge Transport Server. This is designed to be placed in a DMZ.

Set up your Hub & CAS server and forward ports 25 and 443 to it from your firewall; that should be more than sufficient.
0
AkhaterCommented:
The purpose of the Edge is to act as an SMTP gateway and filter emails for virus/spam etc., so if, when you say "We like to know our information is secure", you are talking about encryption, the Edge won't add anything for you here.

OWA and RPC/HTTP work over HTTPS, so the information will be encrypted; nothing to worry about here.

If you still want to use the Edge as a mail filter and you don't have the possibility of doing a DMZ, the Edge can still be inside your network; no issues here either.
0

DMayoAuthor Commented:
Yes, when I say secure, I understand there is no encryption added; however, I like the double layer of spam/virus protection if I then install ForeFront.

I will take it into consideration not to use it at all if people don't really bother with it; however, just for my knowledge, when you say "DMZ", when I think of a DMZ I think of something that is not firewall protected and directly accessible on the internet. Is that what you are suggesting, to not even put it behind a firewall? Or are you just assuming DMZ is my perimeter network that is less secure than my internal network?

I do plan to use this as a smart host if I am going to do it; however, I am just curious, do you mean something like this?
exhcnage.jpg
0
AkhaterCommented:
My idea was to put it on the internal side of your firewall, in your LAN, rather than outside.

Putting it outside is a bad idea.
0
Glen KnightCommented:
DMZ is your perimeter network.

I have to be honest: for 60 users and the cost of an additional Exchange license, I still wouldn't be using an Edge Transport server.

Invest in a product like Vamsoft http://www.vamsoft.com and install it on your HT server.
0
AkhaterCommented:
Alternatively, you can enable the anti-spam agents on your Hub Transport server.
0
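The option Akhater raises above, enabling the built-in anti-spam agents on the Hub Transport server instead of buying an Edge license, as an added worked example that is not part of the thread or anyone's posted configuration. It assumes an Exchange 2010 Hub Transport server with the default install path (found via `$env:ExchangeInstallPath`), that the commands are run in the Exchange Management Shell, and that the internal relay address 10.0.0.5, the SCL thresholds and the block-list provider are placeholder choices to adjust for your environment.

```powershell
# Added example (not from the thread): turn on the Exchange 2010 anti-spam agents
# on a Hub Transport server so it can filter inbound SMTP without an Edge role.
# Run in the Exchange Management Shell on the Hub Transport server.

# 1. Install the agents. They are not installed on the Hub Transport role by default;
#    the setup script ships with Exchange. The transport service must be restarted.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1')
Restart-Service MSExchangeTransport

# 2. If inbound mail passes through another internal relay before reaching this server,
#    list that relay so Sender ID and connection filtering evaluate the real external hop.
#    10.0.0.5 is a hypothetical address; omit this line if the ASA forwards port 25
#    straight to the Hub Transport server.
Set-TransportConfig -InternalSMTPServers 10.0.0.5

# 3. Content filter: reject at SMTP time above SCL 7, silently delete above SCL 9.
#    Conservative starting thresholds; tune after reviewing the agent log.
Set-ContentFilterConfig -Enabled $true `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9

# 4. Refuse mail for recipients that do not exist in Active Directory during the
#    SMTP session, so the server does not accept and then bounce (backscatter).
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 5. Sender ID (SPF-style check) and sender reputation.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7

# 6. DNS-based block list. Spamhaus Zen is used as an illustration; check the
#    provider's terms of use before pointing a production server at it.
Add-IPBlockListProvider -Name 'Spamhaus Zen' -LookupDomain 'zen.spamhaus.org' `
    -AnyMatch $true -Enabled $true

# 7. Verify that the agents are registered and enabled and review the filter settings.
Get-TransportAgent | Format-Table Identity, Enabled -AutoSize
Get-ContentFilterConfig | Format-List Enabled, SCL*
```

For the checks in steps 5 and 6 to be meaningful, the ASA must pass the connection through with a plain static NAT or port forward for TCP 25 rather than proxying it, so the Hub Transport server sees the sender's real source IP; the design in the original question (a dedicated interface with only port 25 forwarded) is compatible with that. A virus-scanning product such as ForeFront remains a separate install.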
Glen KnightCommented:
That's another option :)
0
DMayoAuthor Commented:
I agree, we cannot really afford another Exchange Server License. I appreciate both your help.
0
DMayoAuthor Commented:
Thank you for your quick response.
0