Solved

Migration to Exchange 2013 SP1 - Edge Transport Role

Posted on 2014-12-19
6
340 Views
Last Modified: 2014-12-22
We're planning on moving to Exchange 2013 SP1. From all the information I could find, it seems that the Edge Transport role is to be placed in the perimeter network for incoming SMTP traffic. My question is, let's say the CAS role (along with the Mailbox Server role) resides on our internal network - do Outlook 2010/2013 users that connect to our organization from the outside do so through the Edge Transport server, or would they connect directly to our internal corporate LAN where the CAS is hosted?

And if they connect directly to out internal corporate LAN where our CAS is hosted, is there a way to force that traffic instead to go through the Edge Tranport server first, or would the CAS role also have to be installed on our perimeter network for this to work?

Basically, we would prefer that any traffic coming through the outside goes through our DMZ first. We would like to avoid having to open any port to our corporate LAN. I really appreciate any insight someone could offer into this. Thanks.

- Dave
0
Comment
Question by:glass81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 17

Expert Comment

by:Ivan
ID: 40510253
Hi,

as I know Edge is only there for SMTP flow, meaning that only email coming or going to your organization will go thru it.
Client connections for Outlook Anywhere, POP3, IMAP will go directly to CAS, so you would have to open SSL and any other required port.

Edge is not a part of AD domain, so it cannot authenticate clients. Clients are authenticated and then proxy from CAS to Mailbox.

Regards,
0
 

Author Comment

by:glass81
ID: 40510349
So there's no way to accept connections for CAS from the edge transport server - kind of like routing all requests through there first? Maybe I'm off base here, but it sounds convenient to have port 443 open on the edge transport server as opposed to opening it directly on your internal corporate LAN.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40510650
Edge is a waste of money in my opinion, for exactly the reasons you have identified - it only does SMTP traffic. It has nothing to do with any other role. Therefore I never deploy one. I can achieve 90% of the functionality of Edge with third party products, and usually get more functionality that Edge cannot provide from those same products.

Most deployments I do will bring port 443 straight in to Exchange. Putting it through a DMZ does nothing for security. If you have a 1990s security policy that states nothing internal should be exposed to the internet, then use a separate server to do ARR.

The Exchange product team has outlined how to do that for Exchange 2013 here:
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

Also, I wouldn't be deploying Exchange 2013 SP1. That is very old now (effectively CU 4). New deployments should go straight to CU7. The cumulative updates are the complete product, so just download it from the public site, extract and install.

Simon.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40510818
I agree with Simon. And if I could give him a +1 I would. ;)

There are a number of reverse proxies on the market. Many doing double duty as load balancers as well. ARR is a great free alternative from Microsoft. But it requires a server in the DMZ with IIS installed.
0
 

Author Comment

by:glass81
ID: 40513439
Unfortunately Simon, we kind of do have that type of network. I understand that if our server hosting ARR is compromised in the DMZ, it would be just as bad as having our CAS compromised on our internal network.

I can't convince the IT Director otherwise, but I do appreciate the clarification, and ultimately, your help on this topic.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40513443
If they don't want to go with ARR, then you could look at a reverse proxy / load balancer like a KEMP.
http://kemptechnologies.com/solutions/reverse-proxy/

They offer them as hardware or virtual models.
0

Featured Post

Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Multi-threading long-running processes can have a significant increase in overall performance and drastically decrease over time it takes for a process to complete. Unfortunately, not all applications support native multi-threading, some by design a…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question