glass81

asked on

Migration to Exchange 2013 SP1 - Edge Transport Role

We're planning on moving to Exchange 2013 SP1. From all the information I could find, it seems that the Edge Transport role is to be placed in the perimeter network for incoming SMTP traffic. My question is, let's say the CAS role (along with the Mailbox Server role) resides on our internal network - do Outlook 2010/2013 users that connect to our organization from the outside do so through the Edge Transport server, or would they connect directly to our internal corporate LAN where the CAS is hosted?

And if they connect directly to our internal corporate LAN where our CAS is hosted, is there a way to force that traffic instead to go through the Edge Transport server first, or would the CAS role also have to be installed on our perimeter network for this to work?

Basically, we would prefer that any traffic coming from the outside goes through our DMZ first. We would like to avoid having to open any port to our corporate LAN. I really appreciate any insight someone could offer into this. Thanks.

- Dave
Ivan

Hi,

As far as I know, Edge is only there for SMTP flow, meaning that only email coming to or going from your organization will go through it.
Client connections for Outlook Anywhere, POP3 and IMAP will go directly to CAS, so you would have to open SSL and any other required ports.

Edge is not part of the AD domain, so it cannot authenticate clients. Clients are authenticated and then proxied from CAS to Mailbox.

Regards,
glass81

ASKER

So there's no way to accept connections for CAS from the edge transport server - kind of like routing all requests through there first? Maybe I'm off base here, but it sounds convenient to have port 443 open on the edge transport server as opposed to opening it directly on your internal corporate LAN.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

I agree with Simon. And if I could give him a +1 I would. ;)

There are a number of reverse proxies on the market. Many doing double duty as load balancers as well. ARR is a great free alternative from Microsoft. But it requires a server in the DMZ with IIS installed.
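The picture that emerges from Ivan's answer and the reverse-proxy comment above is a small set of inbound flows from the DMZ into the LAN: SMTP 25 from the Edge Transport server to the Mailbox server, and HTTPS 443 from the reverse proxy (ARR, KEMP or similar) to the CAS; everything else should be blocked, and EdgeSync is initiated from the Mailbox server out to the Edge (LDAPS 50636), so it needs no inbound LAN port. The script below is an added example, not code from the thread or from Microsoft; run it from the DMZ host (Edge or reverse proxy) to confirm that exactly those flows are open and that common sensitive ports are not. The server names and the "forbidden" port list are placeholders (assumptions) to be replaced with your own.

```powershell
# Added example (not from the thread): check from a DMZ host which TCP ports
# are reachable on the internal Exchange 2013 servers and compare against the
# flows the thread describes. Hostnames below are assumed placeholders.

$mailboxServer = 'mbx01.corp.example'   # internal Mailbox role (assumed name)
$casServer     = 'cas01.corp.example'   # internal Client Access role (assumed name)

# Flows that MUST be open from the perimeter into the LAN:
#  - Edge Transport  -> Mailbox: SMTP 25 (inbound mail hand-off)
#  - Reverse proxy   -> CAS:     HTTPS 443 (OWA, EWS, Outlook Anywhere, ActiveSync, Autodiscover)
# EdgeSync (LDAPS 50636) runs from the Mailbox server TO the Edge, so it is not listed here.
$expected = @(
    @{ Host = $mailboxServer; Port = 25;  Reason = 'Edge -> Mailbox SMTP' },
    @{ Host = $casServer;     Port = 443; Reason = 'Reverse proxy -> CAS HTTPS' }
)

# Ports that must NOT be reachable from the DMZ (sample list, assumed; extend as needed)
$forbidden = @(
    @{ Host = $casServer;     Port = 80;   Reason = 'Plain HTTP' },
    @{ Host = $casServer;     Port = 389;  Reason = 'LDAP / AD' },
    @{ Host = $casServer;     Port = 3389; Reason = 'RDP' },
    @{ Host = $mailboxServer; Port = 135;  Reason = 'RPC endpoint mapper' },
    @{ Host = $mailboxServer; Port = 445;  Reason = 'SMB' }
)

# Plain TCP connect test with a timeout (works on any PowerShell version;
# avoids depending on Test-NetConnection being present).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Classify one flow: 'OK' when reality matches policy, otherwise say which way it is wrong.
function Get-FlowResult {
    param([hashtable]$Flow, [bool]$ShouldBeOpen)
    $open = Test-TcpPort -ComputerName $Flow.Host -Port $Flow.Port
    if ($open -eq $ShouldBeOpen) { $status = 'OK' }
    elseif ($open)               { $status = 'UNEXPECTED OPEN' }
    else                         { $status = 'MISSING' }
    [pscustomobject]@{
        Host   = $Flow.Host
        Port   = $Flow.Port
        Reason = $Flow.Reason
        Open   = $open
        Status = $status
    }
}

$results = @()
foreach ($f in $expected)  { $results += Get-FlowResult -Flow $f -ShouldBeOpen $true  }
foreach ($f in $forbidden) { $results += Get-FlowResult -Flow $f -ShouldBeOpen $false }

$results | Format-Table -AutoSize

# Non-zero exit code if anything deviates, so the script can run from a scheduled task.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 } else { exit 0 }
```

Note that a port reported OPEN here only proves the firewall allows the TCP connect; it says nothing about whether the reverse proxy in front of the CAS is pre-authenticating users, which is the part that would actually keep an attacker off the LAN. If the answer to "can port 443 on the CAS be reached from anywhere except the proxy's address" is yes, the DMZ is not doing the job the original poster wants it to do.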
glass81

ASKER

Unfortunately Simon, we kind of do have that type of network. I understand that if our server hosting ARR is compromised in the DMZ, it would be just as bad as having our CAS compromised on our internal network.

I can't convince the IT Director otherwise, but I do appreciate the clarification, and ultimately, your help on this topic.
If they don't want to go with ARR, then you could look at a reverse proxy / load balancer like a KEMP.
http://kemptechnologies.com/solutions/reverse-proxy/

They offer them as hardware or virtual models.