Solved

Exchange 2010 - To edge or not to edge...

Posted on 2011-09-26
646 Views
Last Modified: 2012-05-12
Not a problem so much as advice sought.

I am in the process of setting up a home/lab environment based on Microsoft products. They are all virtualised and I currently have 3 servers (one more to come). The environment consists of a DC running 2008R2, a Forefront TMG, an Exchange 2010 server, which is in the process of being set up, and eventually an IIS/app server.

TMG has been set up as a three leg perimeter, with the DMZ marked as private (ultimately the DMZ will host the IIS server). I am a little unsure on how to set up the exchange environment though.

It will be a small setup, probably less than 10 mailboxes, and I originally intended putting all roles on the same machine as it will get such a small number of hits. I read originally that the Hub Transport can be set up to do the job of an Edge Transport, which in small environments is how MS suggests doing things. However, I got to wondering where to locate the server.

Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me as I thought, for OWA, the CAS needed outside access and should therefore be in the DMZ)? Can I get away without creating a separate Edge Transport server even if it's in the internal LAN? And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, what, if anything, do I lose out on in terms of security for example (I'm sure it can't just be down to resources, and how much mail is being processed)?

I am torn between using up more system resources creating a whole new VM just for this role, and keeping it all simple. This is partly for furthering my own understanding, but at the same time, I don't want it all falling over because the kit is underspec'ed.
5 Comments
 
LVL 7

Accepted Solution

by:
Chris Patterson earned 1000 total points
ID: 36601158
Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me as I thought, for OWA, the CAS needed outside access and should therefore be in the DMZ)?

Yes, the CAS is located on the internal network and the Edge Transport server is in the DMZ.


Can I get away without creating a separate Edge Transport server even if it's in the internal LAN?

Yes, the Edge Transport role is technically optional.

And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, what, if anything, do I lose out on in terms of security for example (I'm sure it can't just be down to resources, and how much mail is being processed)?

In this scenario, you will be exposing your "internal" Hub Transport to the internet by way of open ports for mail flow to work properly.  This is the reason the Edge Transport role exists, to create a hardened Exchange server in the DMZ for mail flow, while limiting security vulnerabilities.
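To make the accepted answer's point concrete, here is an added audit script (not from the thread, not Microsoft's code) that lists the Receive Connectors on each Hub Transport server and flags the ones that accept anonymous SMTP from any source address on every interface, which is exactly the surface exposed when the Hub Transport is published straight to the internet instead of being fronted by an Edge server. It assumes an Exchange 2010 Management Shell session; the connector name and TMG listener address in the remediation comment are constructed placeholders.

```powershell
# Added audit script, not part of the thread. Assumes an Exchange 2010
# Management Shell (PowerShell 2.0) session with view-only organization rights.
# Flags Receive Connectors on Hub Transport servers that accept anonymous SMTP
# from any source address on every interface: the exposure the accepted answer
# describes when a Hub Transport is published straight to the internet.

$hubs = Get-ExchangeServer | Where-Object { $_.IsHubTransportServer }

$findings = foreach ($srv in $hubs) {
    foreach ($rc in Get-ReceiveConnector -Server $srv.Name) {
        # PermissionGroups and AuthMechanism are flag enums; matching on their
        # string form ("AnonymousUsers, ExchangeServers") works on PS 2.0.
        $anon     = [bool]($rc.PermissionGroups -match 'AnonymousUsers')
        $tls      = [bool]($rc.AuthMechanism -cmatch '\bTls\b')
        $anyIface = [bool]($rc.Bindings | Where-Object {
                        $_.Address.ToString() -eq '0.0.0.0' })
        $anySrc   = [bool]($rc.RemoteIPRanges | Where-Object {
                        $_.LowerBound.ToString() -eq '0.0.0.0' -and
                        $_.UpperBound.ToString() -eq '255.255.255.255' })

        New-Object PSObject -Property @{
            Server        = $srv.Name
            Connector     = $rc.Name
            Anonymous     = $anon
            AllInterfaces = $anyIface
            AnySource     = $anySrc
            TlsOffered    = $tls
            MaxMsgSize    = $rc.MaxMessageSize
            # All three together mean an internet-reachable anonymous SMTP surface
            Exposed       = ($anon -and $anyIface -and $anySrc)
        }
    }
}

$findings |
    Select-Object Server, Connector, Exposed, Anonymous, AllInterfaces,
                  AnySource, TlsOffered, MaxMsgSize |
    Sort-Object Exposed -Descending |
    Format-Table -AutoSize

# Lab remediation: if the Hub Transport must face the internet, limit the
# anonymous connector to the TMG listener that publishes it (constructed
# placeholder address) instead of the default 0.0.0.0-255.255.255.255 range.
# Set-ReceiveConnector -Identity 'HUB01\Internet Inbound' -RemoteIPRanges 192.0.2.10
```

Connectors that show Exposed = True with TlsOffered = False are the ones to look at first; an Edge Transport in the DMZ (or at least a TMG publishing rule scoped to the connector) keeps that anonymous listener off the internal LAN.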
 
LVL 7

Author Comment

by:Wavey_Dave_76
ID: 36708240
So by ignoring the edge transport, it basically just means less security in terms of internal services open to the outside world? There is no loss of any function, or integration with Forefront.

In short, if security is enough of a consideration to have a DMZ in the first place, a separate edge server should be installed...
 
LVL 3

Expert Comment

by:Tommy_Cooper
ID: 36709766
I haven't got around to looking at Forefront TMG yet, but this is the updated ISA server, right?

In that case, the TMG will have 'publishing' rules that will allow you to expose your internal server for SMTP and HTTPS (OWA). This is application filtering and will add an additional layer of security.  This would be a configuration supported by MSft.

 
LVL 7

Expert Comment

by:Chris Patterson
ID: 36710328
You are correct Wavey.
 
LVL 7

Author Closing Comment

by:Wavey_Dave_76
ID: 36712719
Pretty much confirmed the conclusions I was coming to. Thanks guys