Edge Transport design help

  • Question

  • Currently we have Exchange 2010 installed and working fine.  We have two servers: one is a CAS server and the other is both Mailbox and Hub Transport.  The Hub Transport/Mailbox server is NATed through our firewall to allow SMTP connections for email flow in and out.  I'm not really happy with the security of this, and I'm looking to implement an Edge Transport server within our DMZ.  I have installed this server already with the Edge Transport role but haven't configured it yet.  This server will be NATed on to a different external IP address than the current Hub/Mailbox server, and I will then need to update our content filtering service at Symantec Cloud to reflect this.  What I'm wondering is: when I configure the Edge Transport, will the current Send and Receive connectors be copied across to the Edge Transport, and will email flow without any problems?  I will be doing this out of business hours, so a little downtime is to be expected.

    Also, I don't want to use the Edge Transport as anything but a proxy that sits in the DMZ and transfers emails from the internet to our network.  How do I configure the Edge Transport in regard to this?  I.e. the Anti-spam tab has lots of enabled features; can I just disable these?

    Currently we are using Symantec Cloud for anti-spam and the like, but will be moving to Mimecast shortly, hence the reason for looking at this now.  Is there anything I need to know about using the Edge Transport with Mimecast?

    Another question is: Mimecast will use an LDAP connection into our network to get user details.  Can I use the AD LDS instance that is set up as part of the Edge Transport role for this, or will I need to do some extra config on AD LDS to allow an external connection?

    If anyone could also point me in the direction of a good guide to set this up, that would be very helpful.

    Thanks

    Thursday, May 16, 2013 11:34 AM

Answers

  • It really boils down to each organisation.  All are different.   I have some customers that were doing this 10 years ago, but today they have changed and are not proxying from the DMZ.  Others still do.

    I would ask that you think about what this is really buying you - what extra security are you getting?  Email is accepted only from a trusted source, and the firewall restricts all other traffic.


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by wendy_liu Friday, May 24, 2013 8:47 AM
    Thursday, May 16, 2013 1:07 PM
  • Hi

    If my clients have external hosted filtering or some sort of appliance performing this role, then I recommend that they do not install an Edge server.  In reality it isn't providing you anything extra, except for another layer of complexity when you are troubleshooting mail flow problems and an extra certificate that you need to take care of.

    As Rhoderick pointed out, your firewall should only allow port 25 from Symantec/Mimecast to your Exchange server, and your receive connector is configured the same way.

    Having said that, I have worked for organisations where the security policy states that no traffic should pass directly from the Internet to the internal LAN and all inbound connections must terminate in the DMZ.  In this case an Edge server would be required (or some other SMTP gateway like Sendmail), but then they accept that their policy is going to cause them extra work and increase costs.

    Cheers, Steve

    • Proposed as answer by wendy_liu Friday, May 24, 2013 8:30 AM
    • Marked as answer by wendy_liu Friday, May 24, 2013 8:47 AM
    Thursday, May 16, 2013 2:08 PM
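Both Rhoderick and Steve make the same control the centre of the design: inbound TCP/25 is accepted only from the hosted filtering service, at the firewall and again on the receive connector. The following Exchange Management Shell and netsh sequence is an added example of that lockdown; it is not code from either poster or from Microsoft. The IP ranges, the connector name and the server name are placeholders, and the real ranges must come from Symantec Cloud or Mimecast for your region.

```powershell
# Hosted filtering service source ranges. These are assumed placeholders
# (RFC 5737 documentation space); use the provider's published list.
$filterRanges = @("192.0.2.0/24", "198.51.100.0/24")

# --- Exchange Management Shell on the Hub Transport server ---
# Use a dedicated internet-facing connector, not "Default <server>", because
# the default connector also carries Hub-to-Hub and Mailbox traffic and
# restricting it would break internal mail flow. Name and server are assumed.
$connector = "HUB01\Internet Inbound"

# Replace the out-of-the-box "anyone" range (0.0.0.0-255.255.255.255) with the
# filtering service's ranges only. Exchange picks the connector whose
# RemoteIPRanges matches the source most specifically, so this one wins for
# connections from the provider and nothing else can reach it.
Set-ReceiveConnector -Identity $connector -RemoteIPRanges $filterRanges

# Confirm what was written.
Get-ReceiveConnector -Identity $connector | Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# --- Windows Firewall on the Hub (netsh is available on Server 2008 R2) ---
# Allow inbound TCP/25 only from the filtering service. Any broader SMTP
# allow rule must be removed, or this rule is irrelevant.
$remoteIps = $filterRanges -join ","
netsh advfirewall firewall add rule name="SMTP inbound from hosted filter only" dir=in action=allow protocol=TCP localport=25 remoteip=$remoteIps

# --- Audit: find any port-25 receive connector that still accepts mail from anywhere ---
function Get-OpenSmtpConnectors {
    Get-ReceiveConnector | Where-Object {
        ($_.Bindings | ForEach-Object { $_.Port }) -contains 25 -and
        ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -contains "0.0.0.0-255.255.255.255"
    }
}

# Expect only the default (internal) connector here; an internet-facing
# connector in this list means the lockdown did not take.
Get-OpenSmtpConnectors | Format-Table Identity, Bindings, RemoteIPRanges -AutoSize
```

The same restriction applies on the external firewall's NAT rule: the public address that maps to port 25 on the Hub (or later the Edge) should only be reachable from the provider's ranges. When the move from Symantec Cloud to Mimecast happens, update $filterRanges, re-run Set-ReceiveConnector and replace the netsh rule in the same change window as the MX and provider-side cutover, otherwise mail from the new provider is refused at both layers.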

All replies

  • It will depend on how you set the Edge up.  If you do EdgeSync and subscribe the Edge to the internal Hub, then connectors will be created for you.  You can disable the additional agents on the Edge if that is really what you want to do.  And the ADAM / AD LDS instance on the Edge is only for the Edge.  It stores a few encrypted attributes from the internal AD structure (assuming that you are doing EdgeSync) and would not likely meet what you need Mimecast data for.

    I would ask why you consider the current config not so secure.  Your email flows through a 3rd-party Internet service, which will send to you on particular IPs.  Your external firewall should only allow TCP port 25 in/out to/from those IPs.  What is it that Edge is really giving you?  Consider that the Windows OS and Exchange are not tightly locked down, and it's not 2001 and the days of Nimda/Code Red etc.

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, May 16, 2013 11:57 AM
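The reply above answers the original question in one line: with EdgeSync the Send and Receive connectors are created for you, and the anti-spam agents can be disabled. The following Exchange Management Shell sequence is an added example of that procedure end to end; it is not Rhoderick's code and not taken from Microsoft documentation. The site name, file paths, server names and the assumption that the file is copied from the Edge to the Hub by hand are all placeholders.

```powershell
# --- Step 1: on the Edge Transport server (Exchange Management Shell) ---
# Export the Edge Subscription file. It carries a bootstrap credential that is
# only valid for 1440 minutes, so the import on the Hub must happen within 24 hours.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# --- Step 2: on the Hub Transport server (Exchange Management Shell) ---
# Copy the XML file across the DMZ boundary first (out of band; path assumed).
# "Default-First-Site-Name" is an assumed AD site; confirm it with Get-ADSite.
$siteName         = "Default-First-Site-Name"
$subscriptionFile = "C:\Temp\EdgeSubscription.xml"

# Import the subscription. FileData must be the raw bytes of the file.
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path $subscriptionFile -Encoding Byte -ReadCount 0)) -Site $siteName

# Run the first synchronization now rather than waiting for the schedule,
# then verify it. A failed sync means no connectors and no recipient data on the Edge.
Start-EdgeSynchronization
Test-EdgeSynchronization

# EdgeSync creates the connectors; confirm both directions exist before
# changing the firewall NAT and the provider's delivery address.
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers, SmartHosts -AutoSize
Get-ReceiveConnector -Server "EDGE01" | Format-Table Name, Bindings, RemoteIPRanges -AutoSize   # server name assumed

# --- Step 3: back on the Edge Transport server ---
# Review the installed transport agents, then disable the anti-spam ones,
# since filtering is done by the hosted service. The names below are the
# Exchange 2010 defaults; check them against the Get-TransportAgent output
# before running the loop.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

$antiSpamAgents = @(
    "Connection Filtering Agent",
    "Content Filter Agent",
    "Sender Id Agent",
    "Sender Filter Agent",
    "Recipient Filter Agent",
    "Protocol Analysis Agent"
)
foreach ($agent in $antiSpamAgents) {
    Disable-TransportAgent -Identity $agent -Confirm:$false
}

# Agent changes take effect only after the transport service restarts.
Restart-Service MSExchangeTransport
Get-TransportAgent | Where-Object { $_.Enabled } | Format-Table Identity, Priority -AutoSize
```

Two firewall rules sit underneath this: EdgeSync runs from the Hub to the Edge over secure LDAP on TCP 50636 against the Edge's AD LDS instance, and SMTP on TCP 25 is needed in both directions between Hub and Edge. Nothing in the internal network needs to reach the Edge's AD LDS on any other port, which is also why that instance is not a candidate for Mimecast's LDAP lookups: it holds only the synchronized subset of attributes, not a directory an external service can usefully query.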
  • Thanks for the reply, it's very helpful.  Yes, you are right: in the current setup only port 25 is open between the Hub Transport server and the external IP address ranges of the 3rd party.  I'm just trying to make it as secure as possible, and I'm a little worried about having my Mailbox server connected directly to the internet, even if it's only one port that is open.  I would much sooner have externally connected servers within my DMZ.  Do you think I'm wasting my time and an Exchange server license?  I don't want to sound ungrateful for your advice, but I'm also wondering what others' take on this is, from a security point of view.

    Also, thanks for the info on AD LDS.  So it looks like I will need to create a separate instance for what I need for the external LDAP connection to Mimecast?

    Thanks

    Thursday, May 16, 2013 12:29 PM