  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 648

Exchange 2010 - To edge or not to edge...

Not a problem so much as advice sought.

I am in the process of setting up a home/lab environment based on Microsoft products. They are all virtualised and I currently have 3 servers (one more to come). The environment consists of a DC running 2008 R2, a Forefront TMG, an Exchange 2010 server, which is in the process of being set up, and eventually an IIS/app server.

TMG has been set up as a three-leg perimeter, with the DMZ marked as private (ultimately the DMZ will host the IIS server). I am a little unsure on how to set up the Exchange environment though.

It will be a small setup, probably less than 10 mailboxes, and I originally intended putting all roles on the same machine as it will get such a small number of hits. I read originally that the Hub Transport can be set up to do the job of an Edge Transport, which in small environments is how MS suggests doing things. However, I got to wondering where to locate the server.

Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me as I thought, for OWA, the CAS needed outside access and should therefore be in the DMZ)? Can I get away without creating a separate Edge Transport server even if it's in the internal LAN? And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, do I lose out on anything in terms of security, for example? (I'm sure it can't just be down to resources and how much mail is being processed.)

I am torn between using up more system resources creating a whole new VM just for this role, and keeping it all simple. This is partly for furthering my own understanding, but at the same time, I don't want it all falling over because the kit is under-specced.
Asked by: Wavey_Dave_76
1 Solution
 
Chris Patterson commented:
Firstly, am I right in saying that the CAS needs to go in the internal network and that the Edge Transport needs to go in the DMZ (a strange concept for me as I thought, for OWA, the CAS needed outside access and should therefore be in the DMZ)?

Yes, the CAS is located on the internal network and the Edge Transport server is in the DMZ.


Can I get away without creating a separate Edge Transport server even if it's in the internal LAN?

Yes, the Edge Transport role is technically optional.

And finally, if I were to set up the Hub Transport to do the job of the Edge Transport (if I understand that correctly) and this were all on the internal LAN, do I lose out on anything in terms of security, for example? (I'm sure it can't just be down to resources and how much mail is being processed.)

In this scenario, you will be exposing your "internal" Hub Transport to the internet by way of open ports for mail flow to work properly. This is the reason the Edge Transport role exists: to create a hardened Exchange server in the DMZ for mail flow, while limiting security vulnerabilities.
0
 
Wavey_Dave_76 (Author) commented:
So by ignoring the edge transport, it basically just means less security in terms of internal services open to the outside world? There is no loss of any function, or integration with Forefront.

In short, if security is enough of a consideration to have a DMZ in the first place, a separate Edge server should be installed...
0
 
Tommy_Cooper commented:
I haven't got around to looking at Forefront TMG yet, but this is the updated ISA server, right?

In that case, the TMG will have 'publishing' rules that will allow you to expose your internal server for SMTP and HTTPS (OWA). This is application filtering and will add an additional layer of security. This would be a configuration supported by Microsoft.
0
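The two answers above describe the same design from two sides: Chris's point that a Hub Transport doing Edge duty is the box that ends up reachable on port 25, and Tommy's point that a TMG publishing rule is what hands that connection to it. Below is an added example, not from the thread or from Microsoft, of how a practitioner would configure and then verify that arrangement from the Exchange Management Shell on the combined-role server. The server name EXCH01, the addresses 192.168.10.20 (Hub) and 192.168.10.1 (TMG internal leg), the connector names and mail.example.com are all assumptions; the cmdlets and the install-AntispamAgents.ps1 script are standard Exchange 2010. The TMG SMTP publishing rule itself is configured in the TMG console and is not shown here.

```powershell
# Added example (not part of the original thread). Run in the Exchange
# Management Shell on the single Hub/CAS/Mailbox server. Server name,
# IP addresses, connector names and FQDN are assumptions for the lab.
# Scenario: no Edge Transport. The Hub accepts Internet mail, but only
# from the TMG server's internal interface, where a TMG SMTP publishing
# rule delivers the connection after application-layer filtering.

$HubServer   = "EXCH01"             # assumed name of the combined-role server
$HubIP       = "192.168.10.20"      # assumed internal IP of the Hub Transport
$TmgInternal = "192.168.10.1"       # assumed internal-leg IP of the TMG box
$PublicFqdn  = "mail.example.com"   # assumed name the MX record points at

# 1. Inbound: a Receive connector bound to port 25 on the Hub's IP only,
#    accepting connections only from TMG. AnonymousUsers is unavoidable for
#    Internet senders; the RemoteIPRanges restriction is what stops every
#    other host on the LAN from using this anonymous connector.
New-ReceiveConnector -Name "Internet via TMG" `
    -Server $HubServer `
    -Usage Internet `
    -Bindings "$($HubIP):25" `
    -RemoteIPRanges $TmgInternal `
    -Fqdn $PublicFqdn `
    -PermissionGroups AnonymousUsers `
    -MaxMessageSize 20MB

# 2. Outbound: a Send connector sourced from this Hub. DNS routing is used
#    here; pointing -SmartHosts at a provider relay is the alternative.
New-SendConnector -Name "Internet out" `
    -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -SourceTransportServers $HubServer `
    -DNSRoutingEnabled $true `
    -Fqdn $PublicFqdn

# 3. Install the anti-spam agents that would otherwise run on an Edge server
#    (connection, sender and recipient filtering, Sender ID, content
#    filtering, sender reputation). The script ships with Exchange 2010.
& "$env:ExchangeInstallPath\Scripts\install-AntispamAgents.ps1"
Restart-Service MSExchangeTransport

# Tell the agents that TMG is an internal hop, so Sender ID and connection
# filtering evaluate the real sending host from the Received headers rather
# than treating the TMG address as the originating client.
Set-TransportConfig -InternalSMTPServers $TmgInternal

# 4. Checks to run before opening port 25 on TMG.
# a) Anonymous must not hold ms-Exch-SMTP-Accept-Any-Recipient on the new
#    connector; that right is what turns it into an open relay. The Internet
#    usage type does not grant it, but verify rather than assume. Any row
#    returned here means the connector relays for anonymous senders.
Get-ReceiveConnector "$HubServer\Internet via TMG" |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { "$($_.ExtendedRights)" -match "ms-Exch-SMTP-Accept-Any-Recipient" }

# b) No other Receive connector on the Hub should accept anonymous mail on a
#    wider binding or remote range, or it would bypass the TMG restriction.
Get-ReceiveConnector -Server $HubServer |
    Where-Object { "$($_.PermissionGroups)" -match "AnonymousUsers" } |
    Select-Object Name, Bindings, RemoteIPRanges

# c) Confirm the anti-spam agents are registered and enabled on this Hub.
Get-TransportAgent | Select-Object Identity, Enabled, Priority
```

The design choice worth noting is that the security of this layout rests on two independent controls, the TMG publishing rule at the network edge and the RemoteIPRanges restriction on the connector itself, so a mistake in either one alone does not expose the Hub to arbitrary Internet hosts. OWA stays a separate HTTPS publishing rule on TMG pointing at the CAS, which remains on the internal network as Chris describes.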
 
Chris Patterson commented:
You are correct Wavey.
0
 
Wavey_Dave_76 (Author) commented:
Pretty much confirmed the conclusions I was coming to. Thanks guys
0
