Exchange server hosted in DMZ VLAN

  • Question

  • Team,

    One of our customers is planning to host a new Exchange 2013 server in the DMZ VLAN instead of the server VLAN where my AD resides, at the L3 switch. Please comment: will this design work? If not, what will the challenges be for mail flow and client connectivity?

    Wednesday, November 4, 2015 1:06 PM

Answers

  • Hi Raritan,

    I would like to know why they are planning to keep the non-Edge Exchange server in the DMZ. What is the reason behind this decision?

    Figure 1: Legacy Exchange 2003 deployment with Front-End server in a perimeter network. What a mess. Who’s hungry?

    Please note that "Microsoft doesn't test or support any topologies which put firewalls between a CAS and a Mailbox (MBX) server." Hence, if you go ahead with the plan and something goes wrong, you can't get help from MS support on this.

    Don't put CAS in the Perimeter network! - 2009

    Exchange, Firewalls, and Support… Oh, my!

    Exchange Server static port mappings - Search for 'DMZ'


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.


    • Edited by Satyajit321 Thursday, November 5, 2015 7:09 AM
    • Marked as answer by Raritan Friday, November 20, 2015 6:45 AM
    Thursday, November 5, 2015 7:08 AM

All replies

  • Team,

    One of our customers is planning to host a new Exchange 2013 server in the DMZ VLAN instead of the server VLAN where my AD resides, at the L3 switch. Please comment: will this design work? If not, what will the challenges be for mail flow and client connectivity?

    It is not supported to have anything restricting traffic between your Exchange servers (Mailbox and CAS) and between your Exchange servers and domain controllers. They must reside on your corporate network. The only role that is supported to be in the DMZ is the Edge Transport role.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Wednesday, November 4, 2015 2:20 PM
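    As an added illustration of the point made above (this is not code from the thread or from Microsoft), the following PowerShell checks, from the host the customer wants to place in the DMZ VLAN, which of the well-known fixed ports between an Exchange 2013 CAS/Mailbox server and its domain controllers and peer Exchange servers the firewall actually lets through. The hostnames are assumptions; the port list is the commonly documented set for Exchange 2013 and should be confirmed against Microsoft's network-port documentation for your version. The second half shows the part a port-by-port check cannot cover: after the endpoint mapper on TCP 135, AD and MAPI RPC traffic moves to dynamic ports, so a WMI/DCOM call to the DC is used as a stand-in probe for that range.

```powershell
# Added example, not from the original thread. Run from the candidate DMZ host.
# Hostnames are assumed; replace them with your own DC and Mailbox server.
$DomainController = 'dc01.corp.example.com'   # assumption
$MailboxServer    = 'mbx01.corp.example.com'  # assumption

# Fixed ports Exchange 2013 (CAS/Mailbox) needs toward domain controllers.
$AdPorts = @(
    @{ Port = 53;   Use = 'DNS' },
    @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 135;  Use = 'RPC endpoint mapper' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445;  Use = 'SMB (SYSVOL/NETLOGON)' },
    @{ Port = 636;  Use = 'LDAPS' },
    @{ Port = 3268; Use = 'Global Catalog' },
    @{ Port = 3269; Use = 'Global Catalog (SSL)' }
)
# Fixed ports between Exchange 2013 servers (CAS proxying to the Mailbox role).
$ExchangePorts = @(
    @{ Port = 25;  Use = 'SMTP (transport)' },
    @{ Port = 443; Use = 'HTTPS front end (OWA/EWS/ActiveSync/Autodiscover)' },
    @{ Port = 444; Use = 'HTTPS back end (Mailbox role IIS site)' }
)

function Test-Ports {
    param([string]$Target, [array]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target = $Target
            Port   = $p.Port
            Use    = $p.Use
            Open   = $r.TcpTestSucceeded
        }
    }
}

$results  = @()
$results += Test-Ports -Target $DomainController -Ports $AdPorts
$results += Test-Ports -Target $MailboxServer    -Ports $ExchangePorts
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Target):$($_.Port) ($($_.Use))" }) -join ', '
    Write-Warning "Blocked by the firewall: $list"
}

# Dynamic RPC range: a TCP connect test is meaningless here because nothing
# listens on a given dynamic port until a client negotiates it via port 135.
# A WMI query to the DC uses DCOM, i.e. 135 plus a dynamic port (TCP 49152-65535
# on Windows Server 2008 and later), so its success or failure shows whether that
# range is reachable. Domain credentials with WMI rights on the DC are required.
$cred = Get-Credential -Message 'Domain account allowed to query WMI on the DC'
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController -Credential $cred -ErrorAction Stop
    Write-Host "Dynamic RPC reachable: DC reports $($os.Caption)"
} catch {
    Write-Warning 'WMI/DCOM to the DC failed. If port 135 above was open, the dynamic RPC range is being filtered: this is exactly the traffic a firewall between Exchange and AD breaks, and why the topology is unsupported.'
}
```

    If every fixed port is open but the WMI probe fails, the firewall is filtering the dynamic RPC range, and the same filtering will hit AD lookups, Kerberos/RPC authentication calls and MAPI RPC from the DMZ-hosted server. Opening the whole dynamic range to the DMZ host removes most of the segmentation benefit the customer was hoping for, which is the practical reason to keep the CAS/Mailbox roles on the internal network and place only an Edge Transport server in the perimeter.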
  • Hi Raritan,

    Thank you for your question.

    I agree with the suggestion above: Exchange servers (not including the Edge server) depend on the domain controller, but a server in the DMZ is not joined to the DC, owing to security. So we must place Exchange in the internal organization.

    The Exchange Edge server should be placed in the DMZ.

    Best regards,

    Jim Xu

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jim Xu
    TechNet Community Support

    Thursday, November 5, 2015 2:01 AM
    Moderator