• Status: Solved
  • Priority: Medium
  • Security: Public

Exchange Edge Server roles?

This may sound dumb so please humor me, I am new to Exchange.
What traffic does an Exchange Edge server handle? Is it only designed to handle email relaying between my hub server and external mail servers? Or does it also handle client connections from outside my network as well (such as mobile devices and Outlook)?

If it doesn't handle the client traffic (which is what I suspect), how do I safely route client traffic to my internal Client Access server without exposing it and my network to the outside world?

Thanks
0
mattolan
Asked:
3 Solutions
 
MegaNuk3 Commented:
ET just does email. You can publish other things through ISA Server to the outside world. Most people don't bother though and just allow port 443 in, as that is encrypted by SSL and is the only port needed for OWA, Outlook Anywhere and Exchange ActiveSync to work.
0
 
mattolan (Author) Commented:
That has me a bit confused. I am trying to understand why one would go through the effort of filtering mail traffic before letting it into your network, but not filtering client traffic?
I am assuming the purpose is to try and prevent a security hole to the internal network, but isn't allowing unfiltered client access a potential security hole?
0
 
MegaNuk3 Commented:
Yeah, it is a bit of a hole, but the traffic is encrypted and you have to authenticate to use any of the services, so it's not all bad.
Some big companies like banks just don't allow web services. Or you have to authenticate to a secure portal with a SecurID token just to use OWA...
0
 
firemanf29 Commented:
Yes. Letting traffic into your internal network over 443 is a potential security risk. As MegaNuk3 stated, you can set up ISA Server as a filter to help protect the internal server.
0
 
firemanf29 Commented:
You can also set up an SSL VPN device such as SonicWall.
0
 
mattolan (Author) Commented:
We have SonicWall devices set up, and also use DirectAccess with all of our laptops. I am wondering how a mobile phone would function if we were to require an SSL VPN first?
0
 
jbvernej Commented:
To be more clear:
The Edge Transport role is a simple SMTP relay gateway with some extra functionality. IMO, it has been designed to host other antispam/antivirus products on it to scan and filter SMTP mail flow.
Edge doesn't process any other traffic (neither HTTPS nor POP/IMAP, etc.).

To secure the Client Access Server (CAS) role, it is recommended to implement a REVERSE PROXY in a DMZ for HTTP/HTTPS, POP/S and IMAP/S traffic. ISA Server or TMG can do this easily (with SSL traffic inspection); this is called "Publishing" in ISA/TMG terminology.
For mobile access and mail sync with smartphones (via an ActiveSync server), smartphones use HTTPS to sync, so no VPN is needed for mobile phones.
0
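The reverse-proxy "publishing" described in the answer above amounts to an allowlist decision per request. The following is an added example, not code from the thread or from ISA/TMG; the function name `decide`, the virtual directory names (assumed Exchange defaults) and the sample requests are assumptions made for illustration.

```python
from urllib.parse import unquote

# Assumed default Exchange virtual directories (lower-cased; IIS paths are
# case-insensitive). Adjust to the directories your CAS actually serves.
PUBLISHED = {
    "/owa": "Outlook Web App",
    "/microsoft-server-activesync": "Exchange ActiveSync",
    "/rpc": "Outlook Anywhere",
}
# GET/POST for OWA, OPTIONS/POST for ActiveSync, RPC_* for RPC over HTTP.
ALLOWED_METHODS = {"GET", "POST", "OPTIONS", "RPC_IN_DATA", "RPC_OUT_DATA"}


def decide(method, target, is_tls):
    """Return (allowed, reason) for one inbound request at the proxy."""
    if not is_tls:
        return False, "only HTTPS (443) is published"
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    # Decode once, then refuse anything still encoded or containing
    # traversal tricks instead of trying to repair it.
    path = unquote(target.split("?", 1)[0]).lower()
    segments = path.split("/")
    if "%" in path or "\\" in path or "." in segments or ".." in segments:
        return False, "suspicious path encoding"
    for prefix, service in PUBLISHED.items():
        # Match whole path segments so "/owaevil" does not pass as "/owa".
        if path == prefix or path.startswith(prefix + "/"):
            return True, service
    return False, "path not published"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "/owa/auth/logon.aspx", True),
        ("POST", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice", True),
        ("GET", "/owa/%2e%2e/internal-app/", True),
        ("GET", "/internal-app/", True),
    ]
    for method, target, tls in samples:
        print(method, target, decide(method, target, tls))
```

Everything that is not one of the published services is dropped in the DMZ before it reaches the internal Client Access server; authentication is still performed by the proxy or the CAS afterwards.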
