DMZ - Internal Network (Full Version)



felipeg007 -> DMZ - Internal Network (23.Feb.2007 5:40:11 PM)

I am trying to get all my ducks in a row.

I am going to build 2 Exchange servers running CCR and an Edge Transport server in the DMZ.

So it will look like this:
                               /------>DMZ - Edge transport server
                              /
Internet ----(Firewall)
                              \
                                \------>Internal - 2 - server CCR - HUB Tran & Mail Role
                                                          

Where do my users point to access OWA?
I would think the server in the DMZ.
Or am I missing something?

Where do I place my Client Access server role?




Henrik Walther -> RE: DMZ - Internal Network (25.Feb.2007 5:53:04 AM)

Best practice is to publish Exchange using an ISA Server deployed in your DMZ, but if you don't have an ISA Server you just point your Internet clients (OWA, EAS, POP3/IMAP4, Outlook Anywhere) to your CAS on the internal network.




felipeg007 -> RE: DMZ - Internal Network (25.Feb.2007 8:37:40 PM)

What about my external clients? Shouldn't they point to a server in the DMZ,
similar to the old front-end server scenario?




Henrik Walther -> RE: DMZ - Internal Network (26.Feb.2007 5:34:15 AM)

External clients should point to the ISA Server or if you don't have an ISA Server to the Client Access Server (the new front-end server in E2K7) on the internal network.




felipeg007 -> RE: DMZ - Internal Network (5.Mar.2007 5:59:41 PM)

Correct me if I am wrong, but with Exchange 2007 the Client Access server (the new front-end server in E2K7) sits on the mailbox server role inside my internal network. Isn't that a security risk? I now need to allow HTTPS access to my internal network.

How would I go about setting this up in the DMZ like old Exchange 2003?
internet ---- dmz(front end) ---->internal (exchange 2003)
The old way I never had to allow access directly to my internal network.




Henrik Walther -> RE: DMZ - Internal Network (6.Mar.2007 2:45:01 AM)

Most people use an ISA Server or another reverse proxy to publish the services on the CAS nowadays.




SilverICE -> RE: DMZ - Internal Network (6.Mar.2007 9:05:53 AM)

If you're going to use CCR then you cannot install any other server roles except the mailbox role on it. You'll have to provision additional boxes for the HT and CAS roles. Allow SMTP, HTTPS, etc. to only touch those boxes....




Henrik Walther -> RE: DMZ - Internal Network (6.Mar.2007 9:35:55 AM)

Yes, they need to be on separate machines; I didn't look that closely at the scenario diagram....




felipeg007 -> RE: DMZ - Internal Network (6.Mar.2007 2:16:58 PM)

Man, Exchange 2007 is way more complex than Exchange 2003 ever was.

Am I on the right track then:

                              /------>DMZ - Edge transport server - ServerC
                             /
Internet ----(Firewall)
                             \
                               \------>Internal - ServerA - CCR - Mail Role  -cluster

                                                           ServerB - CCR - Mail Role -cluster

Can I place the 4th server in the DMZ - ServerD - Hub Transport & Client Access?
Or is this a bad idea due to the traffic that regular Outlook clients will generate?

Also, I thought every mail role has to have a Hub Transport or else email will not route.

Thanks again for everyone's help.




Henrik Walther -> RE: DMZ - Internal Network (6.Mar.2007 3:17:30 PM)

Yes you got the scenario right this time [8D]

But no, HT and CAS should, as mentioned, be located on your internal network; this is not only my personal opinion but also MS best practice.




felipeg007 -> RE: DMZ - Internal Network (6.Mar.2007 4:26:07 PM)

I found more info on this topic and wanted to share it. This is from the DepSimple.doc from Microsoft.

Understanding the Differences Between a Front End Server and a Client Access Server
Earlier versions of Microsoft Exchange supported a front-end server within an organization. A computer that is running the Exchange 2007 Client Access server role is very different from an Exchange 2003 front-end server. In earlier versions of Microsoft Exchange, the front-end server accepted requests from clients and sent them to the appropriate back-end server for processing. This provided increased capacity for the number of concurrent client sessions within an organization and decreased the load on the back-end server that housed the mailboxes. A front-end server was frequently located in a perimeter network between the external and internal firewalls. One of the primary advantages to a front-end server was the ability to expose a single, consistent namespace when multiple back-end servers were present. Without a front-end server, Outlook Web Access users would have to know the name of the server that stored their mailbox. By including a front-end server, users could access a single URL for Outlook Web Access. The front-end server would proxy the user's request to the appropriate back-end server.
In Exchange 2007, the Client Access server role was designed specifically to optimize the performance of the Mailbox server role by handling much of the processing that previously occurred on back-end servers. Business logic processes, such as Exchange ActiveSync mailbox policies and Outlook Web Access segmentation, are now performed on the Client Access server instead of the Mailbox server. Because the Mailbox server role relies on the Client Access server role to handle incoming client connections, each Active Directory site that has a Mailbox server must also have a Client Access server. Both roles can run on one physical computer. If you have multiple Active Directory sites and want a single external URL for Outlook Web Access or Exchange ActiveSync, you must configure your Client Access servers for proxying.
An Exchange 2007 computer that is running the Client Access server role uses the Exchange RPC protocol to connect to the Mailbox server that it services. You must use a high-bandwidth and low-latency connection between the Client Access server and the Mailbox server. The minimum recommended bandwidth is 100 Mbps, but 1-Gbps connections should be considered for enterprise datacenters.




felipeg007 -> RE: DMZ - Internal Network (6.Mar.2007 4:33:36 PM)

                                /------>DMZ -  ServerC - Edge transport
                              /                         ServerD - Hub Trans & Client Access
                             /
                            /
Internet ----(Firewall)
                            \
                              \------>Internal - ServerA - CCR - Mail Role  -cluster

                                                          ServerB - CCR - Mail Role -cluster 

Thanks to everyone's help, I think I finally created a correct diagram.




Henrik Walther -> RE: DMZ - Internal Network (7.Mar.2007 2:19:17 AM)

So you still want to place the Hub Transport and Client Access servers in the DMZ?




felipeg007 -> RE: DMZ - Internal Network (7.Mar.2007 10:14:18 AM)

I prefer not to place it in the DMZ, but your last post said, unless I misunderstood,

"But no HT and CAS should as mentioned be located on your internal network, this is not only my personal opinion but also MS best practice"

I have also seen that CAS is very bandwidth sensitive, so placing it in the DMZ may trigger some errors. And not placing it in the DMZ requires ports from the Internet directly to the CAS server.

I am not using ISA Server; we run Check Point NGX.




Henrik Walther -> RE: DMZ - Internal Network (8.Mar.2007 1:57:06 AM)

Yes, as mentioned, it should be on your internal network; it was just your diagram that showed the HT and CAS still in the DMZ.




felipeg007 -> RE: DMZ - Internal Network (13.Mar.2007 10:10:30 AM)

If I am already using an SMTP server for email coming into my network, do I still need an Edge Transport? We currently use MAILsweeper by Clearswift.

By the way, I received my book yesterday. From what I have read so far, great job!




Henrik Walther -> RE: DMZ - Internal Network (13.Mar.2007 11:08:55 AM)

If you have an existing SMTP gateway that filters out UCE in the DMZ, then no, an Edge Transport server is not that important. MAILsweeper will do fine.

Good to hear you like it; actually I haven't seen the paperback version yet. But the author copies are on their way...




red85toy -> RE: DMZ - Internal Network (15.Mar.2007 6:05:59 PM)

What about adding an Exchange 2007 Edge Transport at a later date? Can it be done?

For example: I am trying to get funding to upgrade to Exchange 2007, but I don't think I will get approval to have a DMZ. What if I do a simple install behind an ISA Server firewall? How hard would it be to later add a second Exchange 2007 Edge Transport box? Is there any configuration I could do now that would help in the transition next year or two years from now?

Planning for the best, but spending the least!




Henrik Walther -> RE: DMZ - Internal Network (16.Mar.2007 4:15:57 AM)

You can easily deploy the Edge Transport server in the DMZ at a later time.

The EdgeSync subscription can be created when you're ready.