Exchange 2010 Mailbox Resiliency question


We are planning to migrate from Ex 2003 Ent to Exchange 2010 Standard SP1

I am currently getting quotes for licenses and CALs.

We have an Exchange 2003 active-passive cluster for HA.

I have noticed that Exchange 2010 brings something new named Mailbox Resiliency, which includes a set of features for HA.

I am trying to figure out the number of Exchange 2010 Standard licenses that we need in order to keep the same type of HA solution that we have with Exchange 2003 (active-passive cluster).

I am assuming that with Mailbox Resiliency, no matter which path you choose, you are going to have a minimum of 2 servers (2 Ex 2010 lic) in order to implement HA.

Could someone let me know if that is correct?

Thank you

BigBadWolf_000 Commented:
Yes, you will require one license per Exchange server, and for HA you will need two.
Do a basic Exchange install on each server (Mailbox, CAS, and Hub). Set up a CAS Array and assign it to the mailbox

New-ClientAccessArray -Name "CAS Array" -Fqdn "" -Site "Default-First-Site-Name"
Set-MailboxDatabase DatabaseName -RpcClientAccessServer ""

Set up a DNS record pointing to your hardware load balancer. Then set up your DAG, create mailbox copies, and you're all done.

White paper and info on MR below....
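
Added example, not part of the original answer: the "set up your DAG, create mailbox copies" steps for a two-server deployment, run from the Exchange 2010 Management Shell, followed by the health checks that confirm the passive copy is usable. The names EX01, EX02, FS01, DAG1, DB01, the witness directory and the address 192.0.2.50 are placeholders assumed for illustration.

```powershell
# Added example; EX01/EX02, FS01, DAG1, DB01 and 192.0.2.50 are placeholders.
# Note: DAG members rely on Windows failover clustering, so the underlying
# Windows Server 2008 / 2008 R2 edition must be Enterprise or Datacenter.

$dagName  = 'DAG1'
$members  = 'EX01', 'EX02'   # both servers hold the Mailbox, CAS and Hub roles
$witness  = 'FS01'           # file share witness; must not be a DAG member
$database = 'DB01'           # database currently mounted on EX01

# 1. Create the DAG with a static cluster IP address and a file share witness.
New-DatabaseAvailabilityGroup -Name $dagName `
    -WitnessServer $witness -WitnessDirectory 'C:\DAG1-FSW' `
    -DatabaseAvailabilityGroupIpAddresses 192.0.2.50

# 2. Add both mailbox servers; this installs and configures clustering on each.
foreach ($server in $members) {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $server
}

# 3. Seed a passive copy of the database on the second server.
Add-MailboxDatabaseCopy -Identity $database -MailboxServer 'EX02' `
    -ActivationPreference 2

# 4. Verify: one copy should be Mounted, the other Healthy, with short queues.
$copies = Get-MailboxDatabaseCopyStatus -Identity $database
$copies | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize

$unhealthy = $copies | Where-Object { 'Mounted', 'Healthy' -notcontains $_.Status }
if ($unhealthy) {
    Write-Warning "Copies not ready for failover: $($unhealthy | ForEach-Object { $_.Name })"
}

# 5. Run the built-in replication checks on each DAG member.
foreach ($server in $members) {
    Test-ReplicationHealth -Identity $server |
        Format-Table Server, Check, Result, Error -AutoSize
}
```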

llarava (Author) Commented:
We have about 500 mailboxes in 2 Exchange 2003 (A-P cluster) and then two OWA servers with NLB.

Can we install the Exchange 2010 roles (mailbox, etc.) within 2 servers and implement HA Mailbox Resiliency? So 2 lic of Exch 2010 for this.

Then install CAS for OWA on 2 more servers and use NLB? If we do that, will we need to buy 2 more Exch 2010 licenses?

Basically I would like to find a way to mimic what we have in Exchange 2003 in the new installation of Exchange 2010.

Any suggestions?
llarava (Author) Commented:
Also the CAS server will be on the DMZ so I am not sure if we want to install CAS in the same box we are having the other roles.

dhruvarajp Commented:
2 servers give you Mailbox Resiliency; however, when you install all three roles on a DAG member you cannot use NLB to load balance the CAS/HT components on the same server (failover clustering and NLB cannot be used together). To load balance CAS/HT you might want to use a hardware load balancer.

In other words, if you have a "pair of Exchange servers with all three roles installed and DAG configured" behind a load balancer, you will get high availability for all three components.

llarava (Author) Commented:
We have the OWA 2003 servers with NLB sitting on the DMZ. But we don't have a reverse proxy solution. We are just NATing the OWA servers from a public IP to an IP on the DMZ.

public IP - NATed to - 172.30.1.X

I could see that if we go with 2 CAS servers with NLB we could use public IPs and use NAT and place them in the DMZ 172.30.1.X (front end), then connect them to the other servers that will be sitting in our internal network.

Could the same setup be also implemented with the CAS servers if we decided to go with a HLB and 2 Exchange servers?

llarava (Author) Commented:
Doing some reading I have found that placing CAS servers in the DMZ is not supported. Exchange 2003 was the last version to support putting Front-End/CAS in a DMZ. There cannot be any firewalls between CAS & Mailbox servers.

Unfortunately the budget is not going to be flexible enough to get 2 TMG/ISA servers + HDLB + Exchange CALs + Exchange Mailboxes CALs + Office 2010 CALs, etc...

Are there any other alternatives?

Jian An Lim (Solutions Architect) Commented:
I am not sure how to continue with this topic.

If you have to have HA at every point and keep your security, you will need



You can save those 2 ISA servers if you decide to compromise and directly NAT them to the internal

OK, now we know your budget cannot cope with it.

So let's explore another option.

There is software out there called CA Arcserve HA (was called Xosoft).

This software will be able to let you run everything on one server and mimic it to another server.


Windows Standard 2008 R2
Exchange Standard 2010 (no enterprise) MBX/HUB/CAS
CA Arcserve D2D

Windows Standard 2008 R2
Exchange Standard 2010 (no enterprise) MBX/HUB/CAS
CA Arcserve D2D

This software will sort out your High Availability with all roles, and of course, you need to test how much "high availability" you want to achieve.

My experience with the product is good, so you probably want to try it to see whether it fulfils your requirements.

llarava (Author) Commented:

Option A

2 CAS/HB --> Microsoft NLB configured



Option B

1 Hardware Load Balancer


In either option:

I will save those 2 ISA servers and directly NAT them to the internal

Note: I prefer not to introduce any other piece of software; also, a Hardware LB solution is suggested on the MS site.


A - What are the risks and issues that I can have if I have to go with NATing internally without a Reverse Proxy?
B - Regardless of the Reverse Proxy, which do you think seems more reliable, and why?
C - We do not own a RP solution. Besides Exchange, can you think of any other ways that we could use this in the company?

Thank you!
Jian An Lim (Solutions Architect) Commented:

ISA/TMG will give you a few benefits.
1. Your Exchange server is not exposed directly to the internet.
2. Other: SSL acceleration, encryption, bridging, offloading, etc.

Refer more to

So, your questions:
A: The risk is that your host is exposed to the internet directly; issues don't come in until your host is compromised. But don't think Exchange itself is not secure. It is just an EXTRA layer of protection.

Imagine, you not only protect your OWA/ActiveSync, you also need to protect your hub server as it is also directly exposed to the internet.

B: Having Exchange run directly as itself gives you less dependency on another piece of software.

I have clients that run without a Reverse Proxy on CAS and they run fine, but some form of protection on SMTP is provided. You can outsource this "Edge Server" part to others like

C: You can utilise ISA in a lot of areas, like:
secure SMTP filtering
web page publishing
internal client/web proxy from workstations

more reading refer to

Introducing ISA is like introducing another layer of protection, as it is a software/application layer firewall.
llarava (Author) Commented:
Thanks. We have about 400 mailboxes and we outsourced our mail AV with Postini Services. From the options I gave in post ID:34273610, which option do you think is a better approach? What are your clients generally doing in order to deploy a cost/effective solution?

I don't know if someone here is familiar with Postini, but I wonder if using Postini will change anything on the scenarios that were provided before? I would appreciate it if someone can provide some input about this as well.

Jian An Lim (Solutions Architect) Commented:
I am not a Postini expert so I cannot comment on that.

But by reading it, it at least protects your email from the internet.

So having website having the internet, you actually reduce a lot of potential intruders knowing your SMTP server.

But again, you need to check with Postini whether you can do it or not, but by my reading, it says it can.

In this case, you probably can choose not to use ISA.
Hi Luis.

Thank you for messaging me to come and have a look at this question. I will review it this evening (about 6 hours away) and post back here.

I see the question has been answered correctly and to your satisfaction. I agree with the accepted answer.

Question has a verified solution.
