Solved

Edge Server for Exchange 2010 and Sharepoint 2010

Posted on 2010-09-21
Last Modified: 2012-06-21
Hello,
I am installing a new SharePoint Server Farm in my organization and also upgrading Exchange 2003 to 2010. I want to set up a Microsoft TMG Server as the Edge Server on a DMZ behind an existing ASA.

I plan on using the Edge to do reverse proxy roles for SharePoint and also handle Outlook Anywhere and OWA; the edge server will not be doing any spam filtering as my Barracuda will already do that.

Now my question is: does this sound like a viable thing to do, or should I just spend the extra money and have a second Edge Server?
Also, should the server be on the domain or not? I have read articles that say to do one or the other, and I would imagine it would be best to not have it on the domain.

Any other thoughts are always appreciated.

Thanks,
-Mike
Question by:BAYCCS
7 Comments
 
LVL 11

Expert Comment

by:Ahmed Shahba
ID: 33732560
Hi,
It's okay to do that,
and it should be Workgroup.
Regards,
Ahmed
 
LVL 5

Author Comment

by:BAYCCS
ID: 33734432
Ok great I thought so but just wanted to double check.

One last thing, where do the SSL certs get installed? I would think the Edge but I just want to double check...

Thanks,
-Mike
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 33734513
No it shouldn't be a workgroup!!!
A huge amount of the security provided by TMG comes from the fact that it is a Domain Member,...not because it isn't.
Debunking the Myth that the ISA Firewall Should Not be a Domain Member
http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html
That was written in the context of ISA2006, but it applies to ISA2004 all the way up to TMG.
 
LVL 5

Author Comment

by:BAYCCS
ID: 33735072
See, this is why I had to ask. I have actually read that article but am still torn by everything that I have read.

 
LVL 11

Expert Comment

by:Ahmed Shahba
ID: 33741689
Hi,
At the edge, you can install Forefront TMG as a domain member or in workgroup mode. As a domain member, it's recommended that you install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest.
This may help prevent the internal forest from being compromised, even if an attack is mounted on the forest of the Forefront TMG computer. There are some limitations with this deployment.
Please check the Microsoft article before deciding on the deployment scenario:
http://technet.microsoft.com/en-us/library/cc995141.aspx 
Regards,
Ahmed.
 
LVL 5

Author Comment

by:BAYCCS
ID: 33770063
How about the SSL certs, where do they go: on the Edge or on the servers that the Edge is reverse proxying to?
 
LVL 29

Expert Comment

by:pwindell
ID: 33772818
The TMG Team has never recommended a separate forest that they have ever told me about, and I have had access to them since April of 2004. If the product cannot be developed to be safe as an Edge Firewall in a Single Forest / Single Domain then it should be scrapped.
Two forests are hardly ever recommended in any situation. Will multiple forests ever be recommended,...yes,...but it is the exception to the rule and not common.