  • edge server/role ex2010

    I am reading up on and watching some videos about implementing Exchange 2010 (not planning a migration/upgrade, just a general question), and the video keeps saying that the Edge server isn't connected to the domain (security) and sits outside the network (firewall)/DMZ, which I get and it makes sense.

    The part that is confusing is when a second firewall is added.

    They explain it like this...

    network-----firewall/DMZ-----edge server-------firewall-------internet.

    I don't understand the purpose of the second firewall.

    If I ever upgraded to Exchange 2010, I don't think I would use an Edge server; we subscribe to a 3rd party service that handles email spooling and spam/virus scanning, but I'm still curious to know the answer about the second firewall.

    Thanks.

  • #2
    Re: edge server/role ex2010

    It is generally accepted practice to have (or consider having) two firewalls:
    1) to separate your entire network from the internet (right-hand one in your model)
    2) to separate your internal network (and all of Active Directory) from a "Demilitarized Zone" (DMZ), which contains internet-facing computers such as web servers and, for Exchange, the ET server

    By design, DMZ servers are not domain members to increase domain security.
    http://en.wikipedia.org/wiki/DMZ_(computing)

    Although Microsoft would like you to use ET servers (extra Windows and Exchange license sale), it is well accepted that other solutions, including services such as MessageLabs, are as - or more - effective and may well be cheaper.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: edge server/role ex2010

      Originally posted by Ossian
      It is generally accepted practice to have (or consider having) two firewalls:
      1) to separate your entire network from the internet (right-hand one in your model)
      2) to separate your internal network (and all of Active Directory) from a "Demilitarized Zone" (DMZ), which contains internet-facing computers such as web servers and, for Exchange, the ET server

      By design, DMZ servers are not domain members to increase domain security.
      http://en.wikipedia.org/wiki/DMZ_(computing)

      Although Microsoft would like you to use ET servers (extra Windows and Exchange license sale), it is well accepted that other solutions, including services such as MessageLabs, are as - or more - effective and may well be cheaper.
      Good call on MessageLabs, that is what we use.

      On my SonicWALL, I can assign/dedicate an interface to an Edge server, configure it as DMZ, and isolate that from my LAN interface (the rest of my network).

      If I do that, would I still need a second firewall?



      • #4
        Re: edge server/role ex2010

        No.

        The separation done by the SonicWALL is more than adequate to keep your DMZ away from your LAN.

        This is exactly how we have our mail flow system set up using a SonicWALL.



        • #5
          Re: edge server/role ex2010

          Originally posted by wullieb1
          No.

          The separation done by the SonicWALL is more than adequate to keep your DMZ away from your LAN.

          This is exactly how we have our mail flow system set up using a SonicWALL.
          OK, thanks. Makes more sense knowing that.



          • #6
            Re: edge server/role ex2010

            If you are using Message Labs or another external spam filter then the only benefit of an Edge server is to the bottom line of Microsoft.

            As far as I am concerned, Edge is a waste of everything - money, resources and time. I have never implemented an Edge server, as I see no point.

            Just restrict the SMTP traffic to Message Labs and have the email delivered directly into Exchange. If you have some jobsworth "security" consultant who insists on nothing internet-facing being inside the domain (if he does, he shouldn't really be in the job), then stand up a standard Windows 2003 server or similar and use it to relay email in.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.



            • #7
              Re: edge server/role ex2010

              Originally posted by Sembee
              If you are using Message Labs or another external spam filter then the only benefit of an Edge server is to the bottom line of Microsoft.

              As far as I am concerned, Edge is a waste of everything - money, resources and time. I have never implemented an Edge server, as I see no point.

              Just restrict the SMTP traffic to Message Labs and have the email delivered directly into Exchange. If you have some jobsworth "security" consultant who insists on nothing internet-facing being inside the domain (if he does, he shouldn't really be in the job), then stand up a standard Windows 2003 server or similar and use it to relay email in.

              Simon.
              I was referring to having an Edge server without a 3rd party filter in place. I only brought up ML to add that I wouldn't use an Edge server, due to the 3rd party service I have now.

              I have my firewall configured to only allow SMTP traffic from the ML ranges.

              But my question was answered.

              However, you did throw me off with this comment:

              "then stand up a standard Windows 2003 server or similar and use it to relay email in. "

              If I were to set up Exchange 2010, I would not use an Edge server; I would stick with my 3rd party service, which is ML.

              Thanks.
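
The zone layout Ossian described in #2 (internet / DMZ / LAN, with the Edge Transport server in the DMZ) and the "only accept SMTP from the filtering service's ranges" setup from #6 and #7 can both be written down as a first-match rule table and checked against sample flows. The Python below is an added example, not code from this thread, from SonicWALL or from Exchange: the zone prefixes, the EDGE_SERVER and HUB_SERVER hosts and the FILTER_SERVICE_RANGES list are constructed placeholders (they are not MessageLabs' real ranges), and the EdgeSync port is stated from Exchange 2010 documentation rather than from the thread. The same rule table applies whether the zones are enforced by two separate firewall boxes or by one appliance with a dedicated DMZ interface, which is the point wullieb1 makes in #4.

```python
"""Zone-based firewall policy model for the Exchange DMZ layouts discussed in the thread.

Added example, not code from the thread, SonicWALL or Exchange. All addresses are
constructed placeholders (RFC 5737 documentation ranges and 10/8 space).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Zones, most specific first; "internet" is the catch-all and must stay last.
ZONES = [
    ("lan", [ip_network("10.0.0.0/16")]),
    ("dmz", [ip_network("192.0.2.0/24")]),
    ("internet", [ip_network("0.0.0.0/0")]),
]
EDGE_SERVER = ip_address("192.0.2.25")  # hypothetical Edge Transport host in the DMZ
HUB_SERVER = ip_address("10.0.1.25")    # hypothetical Hub Transport host on the LAN
# Placeholder for the filtering service's published source ranges (NOT MessageLabs' real ranges).
FILTER_SERVICE_RANGES = [ip_network("203.0.113.0/24")]


def zone_of(addr):
    """Return the zone name for an address (first matching zone wins)."""
    addr = ip_address(str(addr))
    for name, nets in ZONES:
        if any(addr in net for net in nets):
            return name
    raise ValueError(f"{addr} belongs to no zone")


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]                        # None means any port
    action: str                                    # "allow" or "deny"
    src_nets: list = field(default_factory=list)   # empty: any source in src_zone
    dst_hosts: list = field(default_factory=list)  # empty: any host in dst_zone
    note: str = ""

    def matches(self, src, dst, port):
        if zone_of(src) != self.src_zone or zone_of(dst) != self.dst_zone:
            return False
        if self.dst_port is not None and port != self.dst_port:
            return False
        if self.src_nets and not any(src in net for net in self.src_nets):
            return False
        if self.dst_hosts and dst not in self.dst_hosts:
            return False
        return True


def evaluate(policy, src, dst, port):
    """First-match evaluation; a flow no rule matches is dropped (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


# Layout A: Edge Transport in the DMZ (the two-zone design from post #2).
EDGE_IN_DMZ = [
    Rule("internet", "dmz", 25, "allow", dst_hosts=[EDGE_SERVER],
         note="inbound SMTP reaches the Edge host only"),
    Rule("dmz", "lan", 25, "allow", src_nets=[ip_network(f"{EDGE_SERVER}/32")],
         dst_hosts=[HUB_SERVER], note="Edge relays accepted mail to the Hub"),
    Rule("lan", "dmz", 25, "allow", dst_hosts=[EDGE_SERVER],
         note="outbound mail handed to the Edge"),
    Rule("lan", "dmz", 50636, "allow", dst_hosts=[EDGE_SERVER],
         note="EdgeSync: secure LDAP to the Edge's AD LDS, always LAN-initiated"),
]

# Layout B: no Edge server; SMTP straight into Exchange, but only from the filtering
# service's ranges (the setup described in posts #6 and #7).
FILTER_SERVICE_ONLY = [
    Rule("internet", "lan", 25, "allow", src_nets=FILTER_SERVICE_RANGES,
         dst_hosts=[HUB_SERVER], note="only the filtering service may deliver"),
]

# Constructed sample flows: (policy name, policy, src, dst, port)
SAMPLE_FLOWS = [
    ("edge-in-dmz", EDGE_IN_DMZ, "198.51.100.7", "192.0.2.25", 25),   # internet -> Edge
    ("edge-in-dmz", EDGE_IN_DMZ, "198.51.100.7", "10.0.1.25", 25),    # internet -> Hub direct
    ("edge-in-dmz", EDGE_IN_DMZ, "192.0.2.25", "10.0.1.25", 25),      # Edge -> Hub relay
    ("edge-in-dmz", EDGE_IN_DMZ, "192.0.2.25", "10.0.7.7", 445),      # DMZ host -> LAN share
    ("filter-only", FILTER_SERVICE_ONLY, "203.0.113.9", "10.0.1.25", 25),   # service -> Hub
    ("filter-only", FILTER_SERVICE_ONLY, "198.51.100.7", "10.0.1.25", 25),  # anyone else -> Hub
]


def report(flows=SAMPLE_FLOWS):
    """Evaluate each sample flow and return (policy, src, dst, port, verdict) tuples."""
    return [(name, src, dst, port, evaluate(policy, src, dst, port))
            for name, policy, src, dst, port in flows]


if __name__ == "__main__":
    for name, src, dst, port, verdict in report():
        print(f"{name:12} {src:>14} -> {dst:<12} tcp/{port:<5} {verdict}")
```

Run as a script it prints the verdict for each sample flow. The rule worth checking in the Edge layout is the second one: the only connection the DMZ may open into the LAN is TCP/25 from the Edge host to the Hub host, so a compromised DMZ machine cannot reach domain controllers or file shares, and the EdgeSync rule is LAN-initiated, so the DMZ never needs a hole into Active Directory. In the filter-service layout the single allow rule plus default deny is exactly the "firewall configured to only allow SMTP traffic from the ML ranges" described in #7.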