markpalinux asked:
Using MS Exchange Edge Transport in the DMZ

Looking to get feedback on using MS Exchange servers running the Edge Transport role in the DMZ.

Microsoft Exchange 2010 Environment with the following:
8 Mailbox Servers, 4 in each of two sites (1 DAG; each database on three servers, two local and one remote).
6 CAS servers, 3 each site.
4 Hub Transport Servers, 2 each site.
Now we are looking to add 2 servers in the DMZ running MS Exchange Edge. Currently in the DMZ is a Unix server running Postfix. I called MS to assist with the connector config. The MS Engineer that I spoke with seems to know little about Edge server config other than the out-of-the-box click-to-set-up.

We have a data loss prevention appliance; basically it acts as an SMTP relay and prevents messages from being sent if they have specific content. MS called me late Friday and the engineer told me that the Hub servers needed to send directly to the Edge servers, otherwise it is not supported. I asked for reference documentation.

Outbound Mail Flow After changes:
Exchange 2010 Hub Servers -> Data Loss Prevention -> MS Exchange Edge Servers in DMZ -> Unix Postfix -> MS Forefront Online Service -> Internet

(I know this seems a bit complex; we plan on phasing out the Unix Postfix later and just having the Edge send to the MS Forefront Online service.)

If anyone could report back on use of MS Exchange Edge sending between mail systems other than straight MS Exchange Hub to MS Exchange Edge, I would appreciate it. I know that the automatic configuration and setup would define the connectors that way; I just need to find out if it is supported when using another SMTP relay as a middleman.

Thanks,
Mark
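A check worth running once the chain above is deployed, added here as an example and not taken from the thread or from any Exchange or DLP vendor: parse the Received headers of a message as it leaves Postfix and confirm that every relay in the planned Hub -> DLP -> Edge -> Postfix path handled it, so a message that reached the Edge without passing the DLP appliance is flagged. All host names are assumptions, and the sample messages are constructed.

```python
import email
import re

# Receiving hosts every outbound message must pass, in transit order (assumed names
# mirroring the question's chain: Hub -> DLP -> Edge in the DMZ -> Postfix).
EXPECTED_CHAIN = ["hub01.corp.example", "dlp01.corp.example",
                  "edge01.dmz.example", "postfix01.dmz.example"]

# "from <host> ... by <host>"; the "from" clause is absent on locally submitted mail.
RECEIVED_RE = re.compile(r"(?:from\s+(?P<frm>\S+).*?)?(?:^|\s)by\s+(?P<by>\S+)", re.I | re.S)


def received_hops(raw_message):
    """Return (from_host, by_host) pairs oldest-first (MTAs prepend Received, so reverse)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            frm = m.group("frm")
            hops.append((frm.lower() if frm else None, m.group("by").lower()))
    return hops


def missing_hops(raw_message, expected=EXPECTED_CHAIN):
    """Expected receiving hosts not seen in order; empty means the chain was honoured.
    A non-empty result (e.g. the DLP host) means the Hub reached the Edge without inspection."""
    by_hosts = [by for _, by in received_hops(raw_message)]
    missing, pos = [], 0
    for host in expected:
        try:
            pos = by_hosts.index(host, pos) + 1  # must appear after the previous hop
        except ValueError:
            missing.append(host)
    return missing


def build_message(hops):
    """Construct a raw message whose folded Received headers record `hops` (oldest-first).
    Test data only; in practice feed messages from the Postfix queue or a journal mailbox."""
    headers = [f"Received: from {frm} by {by} with ESMTP;\n\tMon, 2 Jan 2012 09:00:0{i} -0500"
               for i, (frm, by) in enumerate(hops)]
    return "\n".join(reversed(headers)) + "\nFrom: mark@example.com\nSubject: test\n\nbody\n"


# Constructed sample paths: one honouring the chain, one where the Hub sent straight to the Edge.
HOPS_OK = [("ws01.corp.example", "hub01.corp.example"), ("hub01.corp.example", "dlp01.corp.example"),
           ("dlp01.corp.example", "edge01.dmz.example"), ("edge01.dmz.example", "postfix01.dmz.example")]
HOPS_BYPASS = [HOPS_OK[0], ("hub01.corp.example", "edge01.dmz.example"), HOPS_OK[3]]
```

Running `missing_hops(build_message(HOPS_BYPASS))` returns the DLP host, while the compliant path returns an empty list.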
sunnyc7:

> Exchange 2010 Hub Servers -> Data Loss Prevention -> MS Exchange Edge Servers in DMZ -> Unix Postfix -> MS Forefront Online Service -> Internet

What's the function of the DLP appliance?
What happens if you get the Hub servers to talk directly to the Edge? What functionality do you lose?
markpalinux (asker):

Data Loss Prevention scans for account codes and social security numbers, etc. to prevent those items from being sent out in an email.

Thanks,
Mark

Here is the second answer:
If mail goes from the Hub to the Edge servers directly, then I lose the ability to have the DLP device in the internal network, since the Edge should be in the DMZ.

Thanks,
Mark
sunnyc7:
Is the product called EMC RSA DLP Enterprise Manager?

markpalinux (asker):
I have left the name of the product out intentionally. You let your email server send mail to it, and it will forward to the SMTP destination the ones it deems safe to send.

Thanks,
Mark
ASKER CERTIFIED SOLUTION by sunnyc7
(solution text is only available to Experts Exchange members)

markpalinux (asker):
MS wanted to have Hub -> Edge; rather than fight with support each time and have a rare configuration, other plans are being made. Thanks for your help.

sunnyc7:
Let me know what the final configuration looks like. Would definitely want to know how this worked out during deployment.