Recommendations for best practices / checklists on switching e-mail security appliance?

I'm looking into what all needs to be done as far as switching from an existing security appliance for e-mail to a different one, in a mixed Exchange 2010/2007 environment.
The new appliance we'd be switching over to will have a new/different IP address than the existing e-mail security appliance.
At this point, I think what all I need to do is, besides configuring the actual email security appliance itself:
- Open the minimum ports needed for the new security appliance in the DMZ to communicate with the on-premise servers (complete)
- Set up Receive Connectors on the Hub Transport servers to receive e-mail from the security appliance
- Add an SPF record to allow the new IP address of the appliance
- Change the MX record to point to the new appliance's external IP address
- Update the send connector in Exchange to use the new appliance

Anything else I may be missing here?
Jamie McKillop (IT Manager) commented:

You have most of the steps covered. Three other steps I would add:

- Make sure there is a PTR record for the public IP.
- If you have any applications setup to use your appliance as a mail relay, they will need to be updated to use the new IP or host name.
- If there is a personal quarantine or other feature that users would interact with (spam reports, etc.) make sure you communicate any changes and provide user training.
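The DNS part of the checklist above (MX, A, PTR and SPF for the new appliance) can be verified from any Windows host before the cutover. This is an added example, not from the thread or from any vendor; it assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later), and the domain, host name and address are constructed placeholders.

```powershell
# Added example, not from the original thread: pre-cutover DNS checks for a new mail
# appliance. Assumes Resolve-DnsName (DnsClient module) and access to public DNS.
# Domain, host name and address below are constructed placeholders.
$Domain      = "example.com"
$NewHost     = "mx2.example.com"   # public host name the new MX record will point at
$NewPublicIP = "203.0.113.10"      # new appliance's external IP (documentation range)

function ConvertTo-UInt32([string]$Ip) {
    # IPv4 dotted quad -> unsigned 32-bit integer, for prefix comparison
    $bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInCidr([string]$Ip, [string]$Cidr) {
    # $true when $Ip is inside $Cidr; a bare address (no "/") must match exactly
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { return $Ip -eq $net }
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# 1. MX: the new host must be listed; the lowest Preference is tried first.
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop | Where-Object { $_.NameExchange }
$mx | Sort-Object Preference | Format-Table Preference, NameExchange -AutoSize
if (($mx.NameExchange -replace '\.$', '') -notcontains $NewHost) {
    Write-Warning "MX for $Domain does not list $NewHost yet"
}

# 2. A: the MX host must resolve to the appliance's public address.
$a = (Resolve-DnsName -Name $NewHost -Type A -ErrorAction Stop).IPAddress
if ($a -notcontains $NewPublicIP) { Write-Warning "$NewHost resolves to $($a -join ', '), not $NewPublicIP" }

# 3. PTR: the reverse record should name the same host; many receivers reject a mismatch.
$ptr = (Resolve-DnsName -Name $NewPublicIP -Type PTR -ErrorAction SilentlyContinue).NameHost
if (($ptr -replace '\.$', '') -ne $NewHost) { Write-Warning "PTR for $NewPublicIP is '$ptr', expected $NewHost" }

# 4. SPF: the v=spf1 TXT record must cover the new IP with an ip4: mechanism. Keep the old
#    appliance's IP listed too while both run in parallel. a/mx/include are not expanded here.
$spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
       ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
$covered = $false
foreach ($mech in ($spf -split '\s+')) {
    if ($mech -match '^\+?ip4:(.+)$' -and (Test-IPInCidr $NewPublicIP $Matches[1])) { $covered = $true }
}
if (-not $covered) { Write-Warning "SPF for $Domain does not authorize $NewPublicIP via ip4:" }
```

Run it again after the MX change and once more after the old appliance is retired and its IP is dropped from the SPF record.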


You might want to bring over any black/white lists. Other than that, you look like you have things covered. You should be able to run the systems in parallel for at least a few hours, to minimize the risk.
garryshape (Author) commented:
Ok thanks for the great info.
I'm wondering then, since I actually have two new appliances, and am cutting over to one, how I would create records to failover to the secondary appliance in the event the main one goes down.

Is the only way there to create a load balancer with a priority?

So we have internal DNS set up like We'd have the DNS set up to point that to our main e-mail security appliance, but if it goes down, I guess we'd have to manually update the DNS to point to the failover/secondary appliance?

Jamie McKillop (IT Manager) commented:
With Exchange, you can setup multiple smart hosts on the send connector. You will run into issues with any applications you have that are using the appliance as a mail relay as they would typically only be able to configure one smart host.

For inbound email, you would just have two separate public IPs and two MX records.
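The two-appliance layout described in this answer, and the failover question it responds to, map onto two Exchange Management Shell changes: a receive connector on each Hub Transport server that accepts mail only from the two appliance addresses, and both appliances listed as smart hosts on the Internet send connector. This is an added example for Exchange 2010, not code from the thread; the connector name and the addresses are constructed placeholders.

```powershell
# Added example, not from the original thread: Exchange 2010 Management Shell commands for
# the two-appliance layout. Connector name and addresses are constructed placeholders.
$ApplianceIPs  = "10.10.50.10", "10.10.50.11"    # both appliances' DMZ addresses
$SendConnector = "Internet via Appliance"         # existing Internet send connector (assumed name)

# Inbound: on every Hub Transport server, a receive connector that accepts anonymous SMTP
# only from the two appliance addresses. Exchange picks the connector whose RemoteIPRanges
# most specifically matches the source, so these settings apply only to appliance traffic
# and the Default connector keeps its own permissions for everything else.
foreach ($hub in Get-TransportServer) {
    New-ReceiveConnector -Name "From Mail Appliances" -Server $hub.Name -Usage Custom `
        -Bindings "0.0.0.0:25" -RemoteIPRanges $ApplianceIPs `
        -PermissionGroups AnonymousUsers -ProtocolLoggingLevel Verbose
}

# Outbound: both appliances as smart hosts. Exchange spreads connections across the list
# and carries on with the remaining host when one stops answering.
Set-SendConnector -Identity $SendConnector -DNSRoutingEnabled $false `
    -SmartHosts $ApplianceIPs -SmartHostAuthMechanism None

# Review the result. After the parallel run, remove the old appliance's address from
# RemoteIPRanges so it is no longer a trusted inbound source.
Get-ReceiveConnector | Where-Object { $_.Name -eq "From Mail Appliances" } |
    Format-Table Server, Bindings, RemoteIPRanges -AutoSize
Get-SendConnector $SendConnector | Format-List Name, SmartHosts, DNSRoutingEnabled
```

Applications that relay through the appliance still need their own failover, since most accept a single smart host, which is the limitation the answer points out.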

garryshape (Author) commented:
Ok yeah that's what it was. Applications using the appliance as mail relay.
Some applications use the appliance as mail relay, while other applications use the Hub Transport servers as mail relay.
Kind of hard to know what the best practice is on that one.
Jamie McKillop (IT Manager) commented:
I prefer to have my applications relay through my appliance for a couple of reasons.

- If my applications are sending a majority of their email outside the organization, relaying through Exchange just adds an extra hop.
- I can use the edge defenses on the appliance to throttle the applications. I've seen cases where an app, such as a monitoring tool, goes crazy and sends tens of thousands of emails at once.
- The logs on the appliance are easier to search, which makes it easier to track messages sent outside the organization.
- The host name or IP can usually be re-used when upgrading appliances. This is much harder when moving to a new version of Exchange and I don't want to track down every application owner to have them change the mail relay they are using.

garryshape (Author) commented:
Awesome, thanks so much !
garryshape (Author) commented:
I have a follow-up question. How do you do the throttling on the smarthost appliance? Is that referred to as throttling or a different feature usually? Is it by server name/IP?
Jamie McKillop (IT Manager) commented:
That depends on the functionality of your appliance. On my appliance, there is a throttle policy, which I can apply to a list of IPs/Host names.

garryshape (Author) commented:
Ok thank you

Well, our appliance is in the DMZ.
So does that make it more of a security risk if we need to open up port 25 in the firewall from those application servers on the inside to the appliance?
Jamie McKillop (IT Manager) commented:
No, it should be more secure in the DMZ. You can then selectively decide which ports need to be opened and to which systems.

garryshape (Author) commented:
Ok thanks again very much.

Also, is there any need to use a different port besides 25 for those applications, from a security standpoint?
Jamie McKillop (IT Manager) commented:
No, I would stick to 25.
