Exchange Server Forums
DMZ - Internal Network
DMZ - Internal Network - 23.Feb.2007 5:40:11 PM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
I am trying to get all my ducks in a row. I am going to build 2 Exchange servers running CCR and an Edge Transport server in the DMZ. So it will look like this:

                        /------>DMZ - Edge transport server
                       /
    Internet ----(Firewall)
                       \
                        \------>Internal - 2 - server CCR - HUB Tran & Mail Role

Where do my users point to, to access OWA? I would think the server in the DMZ, or am I missing something? Where do I place my Client Access server role?
< Message edited by felipeg007 -- 23.Feb.2007 5:50:00 PM >
RE: DMZ - Internal Network - 25.Feb.2007 5:53:04 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
Best practice is to publish Exchange using an ISA server deployed in your DMZ, but if you don't have an ISA server you just point your Internet clients (OWA, EAS, POP3/IMAP4) and Outlook Anywhere to your CAS on the internal network.
_____________________________
HTH Henrik Walther Exchange MVP | MCM: Exchange 2007 MCITP: EMA, MCITP: EA, MCSE: M+S Order my Exchange Server 2007 Book!
RE: DMZ - Internal Network - 25.Feb.2007 8:37:40 PM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
What about my external clients? Shouldn't they point to a server in the DMZ, similar to the old front-end server scenario?
RE: DMZ - Internal Network - 26.Feb.2007 5:34:15 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
External clients should point to the ISA Server or if you don't have an ISA Server to the Client Access Server (the new front-end server in E2K7) on the internal network.
RE: DMZ - Internal Network - 5.Mar.2007 5:59:41 PM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
Correct me if I am wrong, but with Exchange 2007 the Client Access server (the new front-end server in E2K7) sits on the mailbox server role, which sits inside my internal network. Isn't that a security risk? I now need to allow HTTPS access to my internal network. How would I go about setting this up in the DMZ like old Exchange 2003: internet ---- dmz(front end) ---->internal (exchange 2003)? The old way I never had to allow access directly to my internal network.
RE: DMZ - Internal Network - 6.Mar.2007 2:45:01 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
Most people use an ISA Server or another reverse proxy to publish the services on the CAS nowadays.
RE: DMZ - Internal Network - 6.Mar.2007 9:05:53 AM
SilverICE
Posts: 36
Joined: 19.Feb.2004
From: USA
Status: offline
If you're going to use CCR then you cannot install any other server roles except the Mailbox role on it. You'll have to provision additional boxes for the HT and CAS roles. Allow SMTP, HTTPS, etc. to only touch those boxes....
RE: DMZ - Internal Network - 6.Mar.2007 9:35:55 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
Yes, they need to be on separate machines; I didn't look that closely at the scenario diagram....
RE: DMZ - Internal Network - 6.Mar.2007 2:16:58 PM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
Man, Exchange 2007 is way more complex than Exchange 2003 ever was. Am I on the right track then:

                        /------>DMZ - Edge transport serverC
                       /
    Internet ----(Firewall)
                       \
                        \------>Internal - ServerA - CCR - Mail Role - cluster
                                           ServerB - CCR - Mail Role - cluster

Can I place the 4th server in the DMZ - ServerD - Hub Trans & Client Access, or is this a bad idea due to the traffic that regular Outlook clients will generate? Also I thought every mail role has to have a Hub Trans or else email will not route. Thanks again for everyone's help.
RE: DMZ - Internal Network - 6.Mar.2007 4:26:07 PM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
I found more info on this topic and wanted to share it. This is from the DepSimple.doc from Microsoft.

Understanding the Differences Between a Front End Server and a Client Access Server

Earlier versions of Microsoft Exchange supported a front-end server within an organization. A computer that is running the Exchange 2007 Client Access server role is very different from an Exchange 2003 front-end server.

In earlier versions of Microsoft Exchange, the front-end server accepted requests from clients and sent them to the appropriate back-end server for processing. This provided increased capacity for the number of concurrent client sessions within an organization and decreased the load on the back-end server that housed the mailboxes. A front-end server was frequently located in a perimeter network between the external and internal firewalls.

One of the primary advantages to a front-end server was the ability to expose a single, consistent namespace when multiple back-end servers were present. Without a front-end server, Outlook Web Access users would have to know the name of the server that stored their mailbox. By including a front-end server, users could access a single URL for Outlook Web Access. The front-end server would proxy the user's request to the appropriate back-end server.

In Exchange 2007, the Client Access server role was designed specifically to optimize the performance of the Mailbox server role by handling much of the processing that previously occurred on back-end servers. Business logic processes, such as Exchange ActiveSync mailbox policies and Outlook Web Access segmentation, are now performed on the Client Access server instead of the Mailbox server. Because the Mailbox server role relies on the Client Access server role to handle incoming client connections, each Active Directory site that has a Mailbox server must also have a Client Access server. Both roles can run on one physical computer.

If you have multiple Active Directory sites and want a single external URL for Outlook Web Access or Exchange ActiveSync, you must configure your Client Access servers for proxying. An Exchange 2007 computer that is running the Client Access server role uses the Exchange RPC protocol to connect to the Mailbox server that it services. You must use a high-bandwidth and low-latency connection between the Client Access server and the Mailbox server. The minimum recommended bandwidth is 100 Mbps, but 1-Gbps connections should be considered for enterprise datacenters.
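As an added example (not from the Microsoft document quoted above and not posted by anyone in this thread), the Exchange Management Shell commands that give an internet-facing Exchange 2007 Client Access server the single external namespace the document describes, and let it proxy to a Client Access server in a second Active Directory site that has no external URL. The server names CAS-INET and CAS-SITE2 and the host name mail.example.com are placeholders; the commands assume Exchange 2007 SP1 cmdlet syntax.

```powershell
# Added example: one external OWA/EAS/Outlook Anywhere namespace on the
# internet-facing CAS, with proxying to a CAS in a second AD site.
# Server names and the host name are placeholders, not values from the thread.

$inetCas  = "CAS-INET"         # internet-facing CAS, published by the reverse proxy
$site2Cas = "CAS-SITE2"        # CAS in the second AD site, reachable only internally
$fqdn     = "mail.example.com" # the single name external clients are given

# Internet-facing CAS: the external URLs that clients (and the reverse proxy) use.
Set-OwaVirtualDirectory -Identity "$inetCas\owa (Default Web Site)" `
    -ExternalUrl "https://$fqdn/owa"
Set-ActiveSyncVirtualDirectory -Identity "$inetCas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"

# Outlook Anywhere on the same name. SSLOffloading $false means the reverse
# proxy must re-encrypt to the CAS instead of forwarding plain HTTP inside.
Enable-OutlookAnywhere -Server $inetCas -ExternalHostname $fqdn `
    -ExternalAuthenticationMethod Basic -SSLOffloading $false

# Second-site CAS: no external URL, so the internet-facing CAS proxies to it
# rather than redirecting the user. CAS-to-CAS proxying authenticates with
# Integrated Windows authentication, so enable it on that /owa directory.
Set-OwaVirtualDirectory -Identity "$site2Cas\owa (Default Web Site)" `
    -ExternalUrl $null -WindowsAuthentication $true

# Check: which OWA directories are internet-facing (ExternalUrl set) and which
# are proxy targets (no ExternalUrl, IWA enabled).
Get-OwaVirtualDirectory | Format-Table Server, ExternalUrl, WindowsAuthentication -AutoSize
```

Only the CAS with an ExternalUrl is the one the firewall or reverse proxy publishes; the second-site CAS keeps its ExternalUrl empty on purpose, because giving it one turns the single-namespace proxy into a redirect to a server name that outside clients cannot reach.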
RE: DMZ - Internal Network - 6.Mar.2007 4:33:36 PM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
                        /------>DMZ - ServerC - Edge transport
                       /        ServerD - Hub Trans & Client Access
                       /
    Internet ----(Firewall)
                       \
                        \------>Internal - ServerA - CCR - Mail Role - cluster
                                           ServerB - CCR - Mail Role - cluster

Thanks to everyone's help, I think I finally created a correct diagram.
RE: DMZ - Internal Network - 7.Mar.2007 2:19:17 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
So you still want to place the Hub Transport and Client Access servers in the DMZ?
RE: DMZ - Internal Network - 7.Mar.2007 10:14:18 AM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
I prefer not to place it in the DMZ, but your last post said, unless I misunderstood, "But no HT and CAS should as mentioned be located on your internal network, this is not only my personal opinion but also MS best practice". I have also seen that CAS is very bandwidth sensitive, so placing it in the DMZ may trigger some errors. And not placing it in the DMZ requires ports from the internet directly to the CAS server. I am not using ISA Server; we run Checkpoint NGX.
RE: DMZ - Internal Network - 8.Mar.2007 1:57:06 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
Yes, as mentioned it should be on your internal network; it was just your diagram that showed the HT and CAS still were in the DMZ.
RE: DMZ - Internal Network - 13.Mar.2007 10:10:30 AM
felipeg007
Posts: 54
Joined: 9.Aug.2006
Status: offline
If I am already using an SMTP server for email coming into my network, do I still need an Edge Transport? We currently use Mailsweeper by Clearswift. By the way, I received my book yesterday. From what I have read so far: great job!
RE: DMZ - Internal Network - 13.Mar.2007 11:08:55 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
If you have an existing SMTP gateway that filters out UCE in the DMZ, then no, an Edge Transport server is not that important. Mailsweeper will do fine. Good to hear you like it; actually I haven't seen the paperback version yet. But the author copies are on their way...
RE: DMZ - Internal Network - 15.Mar.2007 6:05:59 PM
red85toy
Posts: 1
Joined: 15.Mar.2007
Status: offline
What about adding an Exchange 2007 Edge Transport at a later date? Can it be done? For example: I am trying to get funding to upgrade to Exchange 2007, but I don't think I will get approval to have a DMZ. What if I do a simple install behind an ISA Server firewall? How hard would it be to later add a second Exchange 2007 Edge Transport box? Is there any configuration I could do now that would help in the transition next year or two years from now? Planning for the best, but spending the least!
_____________________________
Thanks, Rod Peterson 1985 Toyota Pickup TLCA #9116
RE: DMZ - Internal Network - 16.Mar.2007 4:15:57 AM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
You can easily deploy the Edge Transport server in the DMZ at a later time. An EdgeSync subscription can be created when you're ready.
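As an added example of the subscription step mentioned in the reply above (written for this edit, not posted by Henrik or taken from Microsoft documentation), the Exchange 2007 Management Shell commands that subscribe an Edge Transport server added to the DMZ after the initial deployment. The Active Directory site name and the file path are placeholders.

```powershell
# Added example: subscribing a later-deployed Edge Transport server.
# Site name and file path are placeholders, not values from the thread.

# --- Step 1: on the Edge Transport server in the DMZ ---
# Export the subscription file. It carries the bootstrap credentials the Hub
# Transport servers use to reach the Edge server's AD LDS instance, so copy it
# to the internal side over a protected channel and delete both copies after import.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# --- Step 2: on a Hub Transport server in the internal AD site ---
# Import the file into the site whose Hub Transport servers will synchronize
# with this Edge server; this also creates the EdgeSync Send connectors.
$site = "Default-First-Site-Name"
$bytes = [byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site $site
Remove-Item -Path "C:\EdgeSubscription.xml"

# Run the first synchronization now rather than waiting for the schedule,
# then verify that recipient and configuration data replicated to the Edge server.
Start-EdgeSynchronization
Test-EdgeSynchronization

# Inspect what EdgeSync created: the outbound connector to the Internet via
# the Edge server and the inbound connector from the Edge server to the site.
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*" } |
    Format-List Name, AddressSpaces, SmartHosts, SourceTransportServers
```

The firewall between the internal network and the DMZ only needs SMTP (TCP 25) in both directions between the Hub Transport servers and the Edge server, plus secure LDAP on TCP 50636 from the Hub Transport servers to the Edge server for EdgeSync itself; nothing has to be opened from the DMZ toward Active Directory, which is the point of keeping the Edge role off the domain.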