Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

DMZ architecture for Edge Transport server and Web server

Posted on 2015-02-04
2
387 Views
Last Modified: 2015-03-27
We want to put our Edge transport 2013 server on a DMZ and our Web Server. What is the best architecture to do this? The Firewall is a Sonicwall SRA series firewall/router. Should I use Proxy's? Any info would help.

Thanks,
0
Comment
Question by:JRome225
2 Comments
 
LVL 42

Assisted Solution

by:Amit
Amit earned 250 total points
ID: 40591147
Design is pretty straight forward. I prefer to have two, so we can achieve the redundancy. Here is the article, which can help you to configure it
http://msexchangeguru.com/2014/03/24/e2013-edge/
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 40591168
I see the typical setup as shared by expert already with services where such port will be factor into your DMZ such as Perimeter FW (PFW) and Interior FW (IFW) or just that single FW (taking PFW and IFW roles logically segregating).  I did a slight edit on that below.

Actually Edge Transport servers are optional, it is normally used to satisfy the requirement that some Enterprise is secure by deployment will not permit any direct connectivity and comms from the internet to intranet regardless of FWs.

Internet <> PFW<> <EDGE Transport Server><>IFW<>Intranet
<SMTP 25>             < SMTP 25 and 2525>> Mailflow
                                 < DNS TCP/UDP – 53 >> DNS Resolution
                                 < RDP TCP 3389 >> Remote Desktop
                                 < LDAP – 50389 >> locally to bind to the AD LDS instance (no need to open port on PFW)
                                 < Secure LDAP – 50636 >> Directory sync from Mailbox servers to AD LDS

I do encourage you catch this article too as it sheds more the needs for the Edge Transport server - insights for consideration too.
The purpose of the Edge server role is to provide a solution for customers who require inbound SMTP connections to terminate in the perimeter network (DMZ), rather than in the internal network. Since most inbound SMTP connections are unauthenticated, some security departments are uneasy at allowing these connections directly to internal resources (your Exchange servers). Edge transport servers allow these customers to deploy Exchange without having to buy an SMTP gateway appliance.
So when does it make sense to deploy Exchange 2013 Edge Transport servers in your organization? You may want to consider Edge servers if:

Your company’s security policy requires that all non-authenticated SMTP traffic terminate in the perimeter network.
Your company does not use a hosted anti-malware solution, like Exchange Online Protection.
Your company needs enhanced recipient filtering capabilities that your hosted email filtering service does not provide.
You are planning an Office 365 hybrid deployment and need to terminate SMTP traffic in the perimeter network. Edge Transport servers are the only supported way to do this.
http://blog.enowsoftware.com/solutions-engine/bid/182845/Does-your-environment-need-an-Exchange-2013-Edge-Transport-server
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question