Upgrade exchange 2003 to 2010, 2003 has no internet facing server (no mobile access)

I'm planning an exchange 2003 to 2010 coexistence to full migration.
I currently have no mobile/internet users. I have just exchange 2003 and exchange smtp delivery gateways. I have no front end server for my internal owa users (yes, you can actually have that configuration and still use owa, it's some kind of loophole in Exchange 2003).
I assume internet facing exchange will be required for 2010.
How should I proceed, and which roles should I install first?
I have my sans certificate from Digicert ready but unpopulated.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
"no front end server for my internal owa users (yes, you can actually have that configuration and still use owa, it's some kind of loophole in Exchange 2003)."

It isn't a loophole.
A frontend server was never required. You would only deploy one if you had multiple backend servers.

Are you planning to have the roles on separate servers? If so, then you are going against best practise. I haven't separated the roles out for over five years, never on Exchange 2010. I see no point. Best practise is all roles on all servers, with the servers configured as identically as possible.

Therefore just install your first Exchange server, configure the SSL certificate as appropriate, replicate the public folders then do a standard migration.
If you are going to coexist, with Exchange 2003 users using OWA and ActiveSync then you will need a legacy URL for Exchange 2003, with the Exchange 2003 server directly exposed to the internet.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Gareth GudgerSolution ArchitectCommented:
challBOEAuthor Commented:
I have three user mailbox servers and 5 (little) just-smtp-delivery servers ( redundancy over 2 locations and two ips providers). A third (party spamsoap) filters and delivers mail incoming. It's the only thing allowed into the LAN. Outgoing mail connects to internet directly through exchange smtp services, but outgoing only. I have no user mailboxes on those gateways.
You all expose mailbox servers to the internet? No DMZ connection to a cal server then authenticate then get access to a mailbox server?
Am I overthinking this?
Thanks for your answers.
(I have 700 users. 300 perms and 400 temps who come and go).
challBOEAuthor Commented:
Thank you both. Gareth provided a more detailed reference so got the majority of points
Simon Butler (Sembee)ConsultantCommented:
A DMZ doesn't improve your network security.
Furthermore the only role supported in a DMZ is Edge, which is for SMTP traffic, no other roles are supported in a perimeter network.
I have no problem with exposing Exchange servers straight to the internet. You only need two ports open - 443 and 125. As long as you enforce decent network security on the server and keep it patched then you are fine.

Keep everything very simple. All roles on all servers. If you want redundancy then look at a DAG, an internal load balancer and perhaps a cloud based load balancer for incoming traffic.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.