Exchange 2010 Mailbox Resiliency question

llarava asked:

Hi,

We are planning to migrate from Ex 2003 Ent to Exchange 2010 Standard SP1

I am currently getting quotes for licenses and CALs.

We have an Exchange 2003 active-passive cluster for HA.

I have noticed that Exchange 2010 brings something new named Mailbox Resiliency which include a set of features for HA.

I am trying to figure out the number of Exchange 2010 Standard licenses that we need in order to keep the same type of HA solution that we have with Exchange 2003 (active-passive cluster).

I am assuming that with Mailbox Resiliency, no matter which path you choose, you are going to have a minimum of 2 servers (2 Ex 2010 licenses) in order to implement HA.

Could someone let me know if that is correct?

Thank you
ASKER CERTIFIED SOLUTION by BigBadWolf_000
llarava (ASKER):
We have about 500 mailboxes in 2 Exchange 2003 servers (A-P cluster) and then two OWA servers with NLB.

Can we install the Exchange 2010 roles (mailbox, etc.) within 2 servers and implement HA Mailbox Resiliency? So 2 licenses of Exch 2010 for this.

Then install CAS for OWA on 2 more servers and use NLB? If we do that, will we need to buy 2 more Exch 2010 licenses?

Basically I would like to find a way to mimic what we have in Exchange 2003 in the new installation of Exchange 2010.

Any suggestions?
llarava (ASKER):
Also the CAS server will be on the DMZ so I am not sure if we want to install CAS in the same box we are having the other roles.
SOLUTION
llarava (ASKER):
We have the OWA 2003 servers with NLB sitting on the DMZ. But we don't have a reverse proxy solution. We are just NATing the OWA servers from a public IP to an IP on the DMZ.

public IP - NATed to - 172.30.1.X

I could see that if we go with 2 CAS servers with NLB we could use public IPs, use NAT and place them in the DMZ 172.30.1.X (front end), then connect them to the other servers that will be sitting in our internal network.

Could the same setup be also implemented with the CAS servers if we decided to go with a HLB and 2 Exchange servers?

llarava (ASKER):
Doing some reading I have found that placing CAS servers in the DMZ is not supported. Exchange 2003 was the last version to support putting Front-End/CAS in a DMZ. There cannot be any firewalls between CAS & Mailbox servers.

Unfortunately the budget is not going to be flexible enough to get 2 TMG/ISA servers + HDLB + Exchange CALs + Exchange Mailbox CALs + Office 2010 CALs, etc...

Are there any other alternatives?



SOLUTION
llarava (ASKER):
Option A

Internal
2 MBX
2 CAS/HB --> Microsoft NLB configured


DMZ
2 ISA/TMG

OR

Option B

Internal
2 CAS/HB/MBX
1 Hardware Load Balancer

DMZ
2 ISA/TMG

In either option:

I will save the 2 ISA servers and directly NAT to the internal network.

Note: I prefer not to introduce any other piece of software; also, a hardware LB solution is suggested on the MS site.

Questions:

A- What are the risks and issues that I can have if I have to go with NATing internally without a Reverse Proxy?
B- Regardless of the Reverse Proxy, which do you think seems more reliable, and why?
C- We do not own a RP solution - Besides Exchange can you think of any other ways that we could use this in the company?

Thank you!
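As an added worked example (not code from this thread, nor Microsoft's own documentation), this is how Option B above would be built in the Exchange 2010 SP1 Management Shell: two multi-role servers in one Database Availability Group, a passive copy of each database on the other node, and a CAS array name for Outlook so a server failure is transparent to clients. Every name in it is an assumption: EX01/EX02 as the two servers, FS01 as the file share witness, DAG1 and 10.0.0.50 for the DAG, DB01/DB02 as the databases, outlook.corp.example as the CAS array FQDN (resolving internally to the hardware load balancer VIP), and the default AD site name.

```powershell
# Added example (not from the thread): Option B, two CAS/HT/MBX servers with mailbox resiliency.
# Assumed names: EX01, EX02 (DAG members), FS01 (witness, NOT a DAG member), DAG1 / 10.0.0.50,
# DB01, DB02 (existing databases, one active on each server), outlook.corp.example (CAS array).
# Run from the Exchange Management Shell as a member of Organization Management.

$dagName      = 'DAG1'
$members      = 'EX01', 'EX02'
$witness      = 'FS01.corp.example'     # third vote for a two-node DAG; if it is not an Exchange server,
                                        # add "Exchange Trusted Subsystem" to its local Administrators group first
$dagIp        = '10.0.0.50'             # static DAG IP on the MAPI network
$casArrayFqdn = 'outlook.corp.example'  # internal DNS A record -> hardware load balancer VIP; do not publish externally
$site         = 'Default-First-Site-Name'

# 1. Create the DAG and join both servers (this installs Failover Clustering on each member).
New-DatabaseAvailabilityGroup -Name $dagName `
    -WitnessServer $witness -WitnessDirectory 'C:\DAG1-FSW' `
    -DatabaseAvailabilityGroupIPAddresses $dagIp
foreach ($m in $members) {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $m
}

# 2. Seed a passive copy of each database on the other node; ActivationPreference 2 keeps
#    the current server as the preferred active copy.
Add-MailboxDatabaseCopy -Identity 'DB01' -MailboxServer 'EX02' -ActivationPreference 2
Add-MailboxDatabaseCopy -Identity 'DB02' -MailboxServer 'EX01' -ActivationPreference 2

# 3. Give Outlook (MAPI/RPC) a CAS array name instead of a server name, so a CAS failure
#    behind the load balancer does not require re-profiling clients.
New-ClientAccessArray -Name $casArrayFqdn -Fqdn $casArrayFqdn -Site $site
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $casArrayFqdn

# 4. Verify: every copy should report Mounted or Healthy, and replication tests should pass.
Get-MailboxDatabaseCopyStatus -Server 'EX01'
Get-MailboxDatabaseCopyStatus -Server 'EX02'
Test-ReplicationHealth -Identity 'EX01'
Test-ReplicationHealth -Identity 'EX02'

# 5. Prove the failover actually works before going live.
Move-ActiveMailboxDatabase -Identity 'DB01' -ActivateOnServer 'EX02'
Get-MailboxDatabaseCopyStatus -Identity 'DB01\EX02'
```

Two caveats that decide between Option A and Option B: the witness must be a third machine in the same site, never one of the two DAG members, or a single server outage leaves the DAG without quorum; and Windows NLB cannot be installed on a server that is part of a Failover Cluster, so the DAG members in Option B cannot also run Microsoft NLB for the CAS role, which is why that option needs the hardware load balancer while Option A can use NLB on its separate CAS pair.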
Okay.

ISA/TMG will give you a few benefits:
1. Your Exchange server is not exposed directly to the internet.
2. Other features: SSL acceleration, encryption, bridging, offloading, etc.

Refer to
http://technet.microsoft.com/en-us/library/bb266987%28EXCHG.80%29.aspx

So, to your questions:
A: The risk is that your host is exposed to the internet directly; issues don't come in until your host is compromised. But don't think Exchange itself is not secure. It is just an EXTRA layer of protection.

Imagine: you not only protect your OWA/ActiveSync, you also need to protect your hub server, as it is also directly exposed to the internet.

B: Having Exchange run directly as itself gives you less dependency on another piece of software.

I have clients that run without a Reverse Proxy on CAS and they run fine, but some form of protection on SMTP is provided; you can outsource this "Edge Server" part to others like mailguard.com.au.

C: You can utilise ISA in a lot of areas, like:
secure SMTP filtering
web page publishing
internal client/web proxy from workstations

For more reading refer to
http://technet.microsoft.com/en-us/library/cc526343.aspx
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/features.aspx

Introducing ISA is like introducing another layer of protection, as it is a software/application-layer firewall.
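If the CAS pair is NATed straight to the internet with no reverse proxy (question A above), nothing pre-authenticates requests, so the practical check is to know exactly which virtual directories carry an external URL and which of them accept Basic authentication from the outside. The script below is an added example for that inventory; it is not from the thread. It assumes the CAS servers are named EX01 and EX02 and is written for the PowerShell 2.0 shell that Exchange 2010 SP1 ships on.

```powershell
# Added example (not from the thread): list every CAS virtual directory that is published
# externally, and whether it takes Basic auth, so the "no reverse proxy" decision is made
# with the exposed surface in front of you. Assumed server names: EX01, EX02.

function Get-ExposedVdir {
    param([string[]]$Servers)
    foreach ($s in $Servers) {
        # Each cmdlet returns a different object type; the auth property name differs too.
        $vdirs = @(Get-OwaVirtualDirectory -Server $s) +
                 @(Get-EcpVirtualDirectory -Server $s) +
                 @(Get-ActiveSyncVirtualDirectory -Server $s) +
                 @(Get-WebServicesVirtualDirectory -Server $s) +
                 @(Get-OabVirtualDirectory -Server $s) +
                 @(Get-AutodiscoverVirtualDirectory -Server $s)
        foreach ($v in $vdirs) {
            $basic = $null
            if ($v.PSObject.Properties['BasicAuthentication']) { $basic = $v.BasicAuthentication }
            elseif ($v.PSObject.Properties['BasicAuthEnabled']) { $basic = $v.BasicAuthEnabled }
            New-Object PSObject -Property @{
                Server      = $s
                VDir        = $v.Name
                ExternalUrl = $v.ExternalUrl
                BasicAuth   = $basic
                Published   = [bool]$v.ExternalUrl   # an ExternalUrl means it is meant to be reached from outside
            }
        }
    }
}

# Published directories first; any row with Published=True and BasicAuth=True accepts
# domain credentials straight from the internet with nothing in front of it.
Get-ExposedVdir -Servers 'EX01', 'EX02' |
    Sort-Object Published, BasicAuth -Descending |
    Format-Table Server, VDir, Published, BasicAuth, ExternalUrl -AutoSize
```

Rows that are published but that no external client needs (for instance ECP, if only OWA and ActiveSync are required from outside) can have their ExternalUrl cleared with the matching Set-*VirtualDirectory cmdlet; what remains is the surface that a reverse proxy would otherwise have pre-authenticated, and it should be covered by SSL-only access, an account lockout policy and review of the CAS IIS logs instead.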
llarava (ASKER):
Thanks. We have about 400 mailboxes and we outsourced our mail AV with Postini Services. From the options I gave in post ID:34273610, which option do you think is a better approach? What are your clients generally doing in order to deploy a cost-effective solution?

I don't know if someone here is familiar with Postini, but I wonder if using Postini will change anything in the scenarios that were provided before? I would appreciate it if someone could provide some input about this as well.

I am not a Postini expert, so I cannot comment on that.

But from reading about it, it at least protects your email from the internet,

so by having it face the internet, you actually reduce a lot of the potential for intruders knowing your SMTP server.

But again, you need to check with Postini whether you can do it or not; from my reading, it says it can.

In this case, you probably can choose not to use ISA.
Hi Luis.

Thank you for messaging me to come and have a look at this question. I will review it this evening (about 6 hours away) and post back here.

Thanks

Andy
Luis,

I see the question has been answered correctly and to your satisfaction. I agree with the accepted answer.

Andrew