Solved

Exchange 2010 Mailbox Resiliency question

Posted on 2010-11-26
Last Modified: 2012-05-10
Hi,

We are planning to migrate from Ex 2003 Ent to Exchange 2010 Standard SP1.

I am currently getting quotes for licenses and CALs.

We have an Exchange 2003 active-passive cluster for HA.

I have noticed that Exchange 2010 brings something new named Mailbox Resiliency, which includes a set of features for HA.

I am trying to figure out the number of Exchange 2010 Standard licenses that we need in order to keep the same type of HA solution that we have with Exchange 2003 (active-passive cluster).

I am assuming that with Mailbox Resiliency, no matter which path you choose, you are going to have a minimum of 2 servers (2 Ex 2010 lic) in order to implement HA.

Could someone let me know if that is correct?

Thank you
0
Question by:llarava
15 Comments
 
LVL 14

Accepted Solution

by:
BigBadWolf_000 earned 167 total points
ID: 34218777
Yes, you will require one license per Exchange server, and for HA you will need two.
Do a basic Exchange install on each server (Mailbox, CAS, and Hub). Set up a CAS Array and assign it to the mailbox database:

New-ClientAccessArray -Name "CAS Array" -Fqdn "exchange.domain.com" -Site "Default-First-Site-Name"
Set-MailboxDatabase DatabaseName -RpcClientAccessServer "exchange.domain.com"

Set up a DNS record pointing exchange.domain.com to your hardware load balancer. Then set up your DAG, create mailbox copies, and you're all done.

White paper and info on MR below:
http://www.microsoft.com/exchange/2010/en/us/mailbox-resiliency.aspx

http://technet.microsoft.com/en-us/library/dd638137.aspx

Calculator
http://msexchangeteam.com/archive/2009/11/09/453117.aspx
0
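
The last steps of the accepted answer (set up the DAG, create mailbox copies), written out as an added example that is not part of the original post. The server names MBX1/MBX2, the witness server FS1, the DAG name, the witness directory and the IP address are hypothetical placeholders; the cmdlets are run from the Exchange Management Shell.

```powershell
# Added example, not from the original thread. All names and addresses are placeholders.
$dagName = 'DAG1'
$members = 'MBX1', 'MBX2'      # the two Exchange 2010 servers holding the Mailbox role
$witness = 'FS1'               # file share witness on a third machine (needed for an even-sized DAG)
$dagIp   = '192.168.10.50'     # static address for the underlying cluster

# 1. Create the empty DAG object and point it at the witness.
New-DatabaseAvailabilityGroup -Name $dagName -WitnessServer $witness `
    -WitnessDirectory 'C:\DAGWitness\DAG1' -DatabaseAvailabilityGroupIpAddresses $dagIp

# 2. Add both mailbox servers. This step installs Windows failover clustering on each
#    member, which on Windows Server 2008/2008 R2 is only available in the Enterprise
#    and Datacenter editions, so budget the OS edition along with the Exchange licenses.
foreach ($server in $members) {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $server
}

# 3. Give every database a passive copy on the member that does not already host it.
foreach ($db in Get-MailboxDatabase) {
    $target = $members | Where-Object { $_ -ne $db.ServerName }
    Add-MailboxDatabaseCopy -Identity $db.Name -MailboxServer $target -ActivationPreference 2
}

# 4. Verify: the active copy should be Mounted and the passive copy Healthy.
#    Seeding can take a while, so re-run this check until nothing is reported.
$notReady = foreach ($server in $members) {
    Get-MailboxDatabaseCopyStatus -Server $server |
        Where-Object { 'Mounted', 'Healthy' -notcontains "$($_.Status)" }
}

if ($notReady) {
    $notReady | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
    Write-Warning 'Some database copies are not yet Mounted/Healthy.'
} else {
    Write-Host 'All database copies are Mounted or Healthy.'
}
```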
 

Author Comment

by:llarava
ID: 34218854
We have about 500 mailboxes in 2 Exchange 2003 (A-P cluster) and then two OWA servers with NLB.

Can we install the Exchange 2010 roles (mailbox, etc.) within 2 servers and implement HA Mailbox Resiliency? So 2 lic of Exch 2010 for this.

Then install CAS for OWA on 2 more servers and use NLB? If we do that, will we need to buy 2 more Exch 2010 licenses?

Basically I would like to find a way to mimic what we have in Exchange 2003 in the new installation of Exchange 2010?    

Any suggestions?
0
 

Author Comment

by:llarava
ID: 34218883
Also the CAS server will be on the DMZ so I am not sure if we want to install CAS in the same box we are having the other roles.
0
 
LVL 10

Assisted Solution

by:dhruvarajp
dhruvarajp earned 167 total points
ID: 34219349
2 servers give you Mailbox Resiliency; however, when you install all three roles on a DAG member you cannot use NLB to load balance the CAS/HT components on the same server (failover clustering and NLB cannot be used together). To load balance CAS/HT you might want to use a hardware load balancer.

In other words, if you have a "pair of Exchange servers that have all three roles installed and a DAG configured" behind a load balancer, you will get high availability for all three components.

 
0
 

Author Comment

by:llarava
ID: 34219502
We have the OWA 2003 servers with NLB sitting on the DMZ. But we don't have a reverse proxy solution. We are just NATing the OWA servers from a public IP to an IP on the DMZ.

public IP - NATed to - 172.30.1.X

I could see that if we go with 2 CAS servers with NLB we could use public IPs and use NAT and place them in the DMZ 172.30.1.X (front end), then connect them to the other servers that will be sitting in our internal network.

Could the same setup be also implemented with the CAS servers if we decided to go with a HLB and 2 Exchange servers?

0
 

Author Comment

by:llarava
ID: 34219581
Doing some reading, I have found that placing CAS servers in the DMZ is not supported. Exchange 2003 was the last version to support putting Front-End/CAS in a DMZ. There cannot be any firewalls between CAS & Mailbox servers.

Unfortunately the budget is not going to be flexible enough to get 2 TMG/ISA servers + HDLB + Exchange CALs + Exchange Mailboxes CALs + Office 2010 CALs, etc...

Are there any other alternatives?



0
 
LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 166 total points
ID: 34272546
I am not sure how to continue with this topic.

If you have to have HA at every point and keep your security, you will need

Internal
2 MBX
2 CAS/HB



DMZ
2 ISA/TMG


You can save those 2 ISA servers if you decide to compromise and directly NAT to the internal network.

======================

OK, now we know your budget cannot cope with it.

So let's explore another option.

There is software out there called CA Arcserve HA (was called Xosoft):
http://arcserve.com/us/highavailability.aspx

This software will be able to let you run everything on one server and mimic it to another server

so

SERVER A
Windows Standard 2008 r2
Exchange Standard 2010  (no enterprise) MBX/HUB/CAS
CA Arcserve D2D


SERVER B
Windows Standard 2008 r2
Exchange Standard 2010  (no enterprise) MBX/HUB/CAS
CA Arcserve D2D





This software will sort out your High Availability with all roles, and of course, you need to test how much "high availability" you want to achieve.

My experience with the product is good, so you probably want to try it to see whether it fulfils your requirements.



0
 

Author Comment

by:llarava
ID: 34273610

Option A

Internal
2 MBX
2 CAS/HB --> Microsoft NLB configured


DMZ
2 ISA/TMG

OR

Option B

Internal
2 CAS/HB/MBX
1 Hardware Load Balancer

DMZ
2 ISA/TMG

In either option:

I will save that 2 ISA server and directly NAT them to the internal

Note: I prefer not to introduce any other piece of software also Hardware LB solution is suggested in the MS site.

Questions:

A- What are the risks and issues that I can have if I have to go with NATing internally without a Reverse Proxy?
B- Regardless of the Reverse Proxy, which do you think seems more reliable, and why?
C- We do not own a RP solution - Besides Exchange, can you think of any other ways that we could use this in the company?

Thank you!
0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 34275413
Okay.

ISA/TMG will give you a few benefits:
1. Your Exchange server is not exposed directly to the internet.
2. Other: SSL acceleration, encryption, bridging, offloading, etc.

Refer more to
http://technet.microsoft.com/en-us/library/bb266987%28EXCHG.80%29.aspx

So, your questions:
A: The risk is that your host is exposed to the internet directly; issues don't come in until your host is compromised. But don't think Exchange itself is not secure. It is just an EXTRA layer of protection.

Imagine, you not only protect your OWA/ActiveSync, you also need to protect your hub server, as it is also directly exposed to the internet.

B: Having Exchange run directly by itself gives you less dependency on another piece of software.

I have clients that run without a Reverse Proxy on CAS and they run fine, but some form of protection on SMTP is provided; you can outsource this "Edge Server" part to others like mailguard.com.au

C: You can utilise ISA in a lot of ways, like:
secure SMTP filtering
web page publishing
internal client/web proxy from workstations


more reading refer to
http://technet.microsoft.com/en-us/library/cc526343.aspx
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/features.aspx



Introducing ISA is like introducing another layer of protection, as it is a software/application layer firewall.
0
 

Author Comment

by:llarava
ID: 34275714
Thanks. We have about 400 mailboxes and we outsourced our mail AV with Postini Services. From the options I gave in post ID:34273610, which option do you think is a better approach? What are your clients generally doing in order to deploy a cost/effective solution?

I don't know if someone here is familiar with Postini, but I wonder if using Postini will change anything in the scenarios that were provided before? I would appreciate it if someone could provide some input about this as well.

0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 34277026
I am not a Postini expert so I cannot comment on that.

But by reading it, it at least protects your email from the internet,



so having website having the internet, you actually reduce a lot of potential intruder knowing your smtp server.


but again, you need to check with postini whether you can do it or not, but by my reading, it says it can.


In this case, you probably can choose not to use ISA.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 34288939
Hi Luis.

Thank you for messaging me to come and have a look at this question. I will review it this evening (about 6 hours away) and post back here.

Thanks

Andy
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 34291021
Luis,

I see the question has been answered correctly and to your satisfaction. I agree with the accepted answer.

Andrew
0
