Solved

Exchange 2010 - To edge or not to edge...

Posted on 2011-09-26
Last Modified: 2012-05-12
Not a problem so much as advice sought.

I am in the process of setting up a home/lab environment based on Microsoft products. They are all virtualised and currently have 3 servers (one more to come). The environment consists of a DC running 2008R2, a Forefront TMG, an Exchange 2010 server, which is in the process of being set up, and eventually an IIS/app server.

TMG has been set up as a three leg perimeter, with the DMZ marked as private (ultimately the DMZ will host the IIS server). I am a little unsure on how to set up the exchange environment though.

It will be a small setup, probably less than 10 mailboxes, and I originally intended putting all roles on the same machine as it will get such a small number of hits. I read originally that the Hub Transport can be set up to do the job of an Edge Transport, which in small environments is how MS suggests doing things. However, I got to wondering where to locate the server.

Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me as I thought, for OWA, the CAS needed outside access and should therefore be in the DMZ)? Can I get away without creating a separate Edge Transport server even if it's in the internal LAN? And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, do I lose out on anything in terms of security, for example? (I'm sure it can't just be down to resources and how much mail is being processed.)

I am torn between using up more system resources creating a whole new VM just for this role, and keeping it all simple. This is partly for furthering my own understanding, but at the same time, I don't want it all falling over because the kit is underspec'ed.
Question by:Wavey_Dave_76
5 Comments
 
LVL 7

Accepted Solution

by:
Chris Patterson earned 250 total points
Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me as I thought, for OWA, the CAS needed outside access and should therefore be in the DMZ)?

Yes, the CAS is located on the internal network and the Edge Transport server is in the DMZ.


Can I get away without creating a separate Edge Transport server even if it's in the internal LAN?

Yes, the Edge Transport role is technically optional.

And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, do I lose out on anything in terms of security, for example? (I'm sure it can't just be down to resources and how much mail is being processed.)

In this scenario, you will be exposing your "internal" Hub Transport to the internet by way of open ports for mail flow to work properly. This is the reason the Edge Transport role exists: to create a hardened Exchange server in the DMZ for mail flow, while limiting security vulnerabilities.

Author Comment

by:Wavey_Dave_76
So by ignoring the edge transport, it basically just means less security in terms of internal services open to the outside world? There is no loss of any function, or integration with Forefront.

In short, if security is enough of a consideration to have a DMZ in the first place, a separate edge server should be installed...

Expert Comment

by:Tommy_Cooper
I haven't got around to looking at Forefront TMG yet, but this is the updated ISA server, right?

In that case, the TMG will have 'publishing' rules that will allow you to expose your internal server for SMTP and HTTPS (OWA). This is application filtering and will add an additional layer of security. This would be a configuration supported by Microsoft.

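The accepted answer's point (without an Edge Transport, the internal Hub Transport is what the internet reaches on port 25) and the TMG publishing comment above both come down to one question for the defender: which receive connectors on the internal servers accept anonymous SMTP from any remote address? The following Exchange Management Shell script is an added audit example, not code from this thread or from Microsoft. It assumes Exchange 2010 cmdlets (Get-ExchangeServer, Get-ReceiveConnector) and the usual object shapes: Bindings entries with Address and Port, RemoteIPRanges entries whose string form is "0.0.0.0-255.255.255.255" for the default any-address range, and PermissionGroups as a flags value containing "AnonymousUsers" when anonymous submission is allowed.

```powershell
# Added audit example (not from the thread). Run in the Exchange 2010 Management Shell.
# Purpose: report whether an Edge Transport role exists and flag Hub Transport receive
# connectors that would be reachable from the internet if published straight through
# (listen on all interfaces, port 25, anonymous permitted, any remote IP).

# 1. Is the Edge Transport role deployed at all? (ServerRole is a role list such as "Mailbox, HubTransport".)
$edgeServers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Edge' }
if ($edgeServers) {
    Write-Output ("Edge Transport present: " + (($edgeServers | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Output "No Edge Transport role found; Hub Transport is the SMTP boundary for this org."
}

# 2. Inspect every receive connector on Hub Transport servers.
$report = foreach ($rc in Get-ReceiveConnector) {
    # Assumption: Bindings items expose .Address (IPAddress) and .Port.
    $listensOn25     = [bool]($rc.Bindings | Where-Object { $_.Port -eq 25 })
    $allInterfaces   = [bool]($rc.Bindings | Where-Object {
                            $_.Address.ToString() -eq '0.0.0.0' -or $_.Address.ToString() -eq '::' })
    # Assumption: the default "any" range stringifies as 0.0.0.0-255.255.255.255.
    $anyRemoteIp     = [bool]($rc.RemoteIPRanges | Where-Object {
                            $_.ToString() -eq '0.0.0.0-255.255.255.255' })
    $anonymous       = ($rc.PermissionGroups.ToString() -match 'AnonymousUsers')

    # A connector is "internet-shaped" only when every condition holds: that is the
    # configuration the Edge role is meant to keep out of the internal network.
    $internetShaped  = $rc.Enabled -and $listensOn25 -and $allInterfaces -and $anyRemoteIp -and $anonymous

    New-Object PSObject -Property @{
        Connector      = $rc.Identity.ToString()
        Server         = $rc.Server.ToString()
        Enabled        = $rc.Enabled
        ListensPort25  = $listensOn25
        AllInterfaces  = $allInterfaces
        AnyRemoteIP    = $anyRemoteIp
        Anonymous      = $anonymous
        RequireTLS     = $rc.RequireTLS
        InternetShaped = $internetShaped
    }
}

# 3. Show the risky ones first so they stand out in a small lab.
$report | Sort-Object InternetShaped -Descending |
    Format-Table Connector, Server, Enabled, ListensPort25, AllInterfaces, AnyRemoteIP, Anonymous, RequireTLS, InternetShaped -AutoSize

# Summary line for the decision discussed in the thread.
$risky = @($report | Where-Object { $_.InternetShaped })
if ($risky.Count -gt 0 -and -not $edgeServers) {
    Write-Output ("{0} Hub Transport connector(s) accept anonymous SMTP from any address with no Edge role in front; " +
                  "restrict RemoteIPRanges to the TMG/relay addresses or deploy an Edge Transport in the DMZ." -f $risky.Count)
} else {
    Write-Output "No internet-shaped anonymous Hub Transport connectors found."
}
```

Read InternetShaped as "this connector is doing Edge Transport's job". If TMG is publishing SMTP to a Hub Transport, the practical mitigation without adding a VM is to narrow that connector's RemoteIPRanges to the TMG's internal address rather than leaving the default any-address range, so that only the application-filtered path can reach it.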

Expert Comment

by:Chris Patterson
You are correct Wavey.

Author Closing Comment

by:Wavey_Dave_76
Pretty much confirmed the conclusions I was coming to. Thanks guys