Solved

Exchange 2010 - To edge or not to edge...

Posted on 2011-09-26
643 Views
Last Modified: 2012-05-12
Not a problem so much as advice sought.

I am in the process of setting up a home/lab environment based on Microsoft products. They are all virtualised and I currently have 3 servers (one more to come). The environment consists of a DC running 2008R2, a Forefront TMG, an Exchange 2010 server, which is in the process of being set up, and eventually an IIS/app server.

TMG has been set up as a three leg perimeter, with the DMZ marked as private (ultimately the DMZ will host the IIS server). I am a little unsure on how to set up the exchange environment though.

It will be a small setup, probably less than 10 mailboxes, and I originally intended putting all roles on the same machine as it will get such a small number of hits. I read originally that the Hub Transport can be set up to do the job of an Edge Transport, which in small environments is how MS suggests doing things. However, I got to wondering where to locate the server.

Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me, as I thought that, for OWA, the CAS needed outside access and should therefore be in the DMZ)? Can I get away without creating a separate Edge Transport server even if it's in the internal LAN? And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, do I lose out on anything in terms of security, for example? (I'm sure it can't just be down to resources and how much mail is being processed.)

I am torn between using up more system resources creating a whole new VM just for this role, and keeping it all simple. This is partly for furthering my own understanding, but at the same time, I don't want it all falling over because the kit is underspec'ed.
Question by:Wavey_Dave_76
5 Comments
 
LVL 7

Accepted Solution

by: Chris Patterson earned 250 total points
ID: 36601158
Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me as I thought, for OWA, the CAS needed outside access and should therefore be in the DMZ)?

Yes, the CAS is located on the internal network and the Edge Transport server is in the DMZ.


Can I get away without creating a separate Edge Transport server even if it's in the internal LAN?

Yes, the Edge Transport role is technically optional.

And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, what do I lose out on anything in terms of security for example (I'm sure it can't just be down to resources, and how much mail is being processed).

In this scenario, you will be exposing your "internal" Hub Transport to the internet by way of open ports for mail flow to work properly.  This is the reason the Edge Transport role exists, to create a hardened Exchange server in the DMZ for mail flow, while limiting security vulnerabilities.
LVL 7

Author Comment

by:Wavey_Dave_76
ID: 36708240
So by ignoring the edge transport, it basically just means less security in terms of internal services open to the outside world? There is no loss of any function, or integration with Forefront.

In short, if security is enough of a consideration to have a DMZ in the first place, a separate edge server should be installed...
LVL 3

Expert Comment

by:Tommy_Cooper
ID: 36709766
I haven't got around to looking at Forefront TMG yet, but this is the updated ISA server, right?

In that case, the TMG will have 'publishing' rules that will allow you to expose your internal server for SMTP and HTTPS (OWA). This is application filtering and will add an additional layer of security. This would be a configuration supported by Microsoft.

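The two designs discussed above (Chris Patterson's point that a Hub Transport doing the Edge job must accept anonymous SMTP from the Internet, and Tommy_Cooper's point that TMG publishing can sit in front of it) come down to a handful of Exchange Management Shell commands. The following is an added example, not code from the thread or from Microsoft; the server name HUB01, the Internet-facing address 192.168.1.10, the TMG internal address 192.168.1.1, the subscription file path and the AD site name are all assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Exchange 2010 Management Shell commands for
# the "Hub Transport does the Edge job" design, plus the audit check and the
# Edge Subscription alternative.
# Assumed values (not stated in the thread): Hub Transport server HUB01,
# Internet-facing interface 192.168.1.10, TMG internal address 192.168.1.1,
# AD site Default-First-Site-Name.

# 1. The exposed design the accepted answer warns about: an Internet receive
#    connector on the Hub Transport. -Usage Internet grants the AnonymousUsers
#    permission group and advertises TLS; this connector is what makes the
#    internal server reachable from the outside on TCP/25.
New-ReceiveConnector -Name "Internet Inbound" -Server HUB01 -Usage Internet `
    -Bindings 192.168.1.10:25 -RemoteIPRanges 0.0.0.0-255.255.255.255

# 2. If SMTP is published through TMG instead of NATed straight through, narrow
#    the connector so only the TMG can reach it. This assumes the TMG server
#    publishing rule is set so requests appear to come from the TMG computer;
#    if the rule preserves the original client address, leave RemoteIPRanges
#    wide and rely on the TMG SMTP filter for the source-side controls.
Set-ReceiveConnector -Identity "HUB01\Internet Inbound" -RemoteIPRanges 192.168.1.1

# 3. Audit: list every receive connector that accepts anonymous mail and the
#    address range it accepts it from. AnonymousUsers combined with
#    0.0.0.0-255.255.255.255 on a Hub Transport is exactly the exposure the
#    thread is discussing.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Name, Server, Bindings, RemoteIPRanges, AuthMechanism -AutoSize

# 4. The Edge alternative: subscribe an Edge Transport in the DMZ to the internal
#    AD site so the Hub Transport never needs an Internet-facing connector.
#    First, on the Edge server (DMZ):
#        New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"
#    Copy that file to the Hub Transport, then on the Hub server:
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) `
    -Site "Default-First-Site-Name"
Start-EdgeSynchronization
Test-EdgeSynchronization
```

With the Edge design, the TMG rules change shape: the SMTP publishing rule points at the Edge server in the DMZ, and the only traffic the DMZ-to-internal leg needs for Exchange is EdgeSync (TCP 50636 from the Hub Transport to the Edge server) plus SMTP on TCP/25 between Hub and Edge in both directions. OWA publishing to the CAS on the internal network is unchanged either way.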
LVL 7

Expert Comment

by:Chris Patterson
ID: 36710328
You are correct Wavey.
LVL 7

Author Closing Comment

by:Wavey_Dave_76
ID: 36712719
Pretty much confirmed the conclusions I was coming to. Thanks guys
