Exchange Edge in double DMZ

  • Question

  • For security reasons we have 2 DMZs (pre-DMZ and DMZ).

    Is it possible to use 2 Edge servers (one in the DMZ and the other in the pre-DMZ) before SMTP traffic reaches the internet?

    Thursday, August 30, 2018 10:01 AM

Answers

  • Hi Oro_Blu, 

    Yes, this is possible, but do not subscribe the Exchange Edge servers in your pre-DMZ.

    So basically what you do is build your DMZ Edge servers and subscribe them to your on-prem Exchange servers as you would normally do.

    Next, build your pre-DMZ servers and install stand-alone Edge servers on these machines. Now configure the send and receive connectors of the pre-DMZ and DMZ to only trust each other on an IP basis in the connectors.

    Next, configure the domains you need on the pre-DMZ machine and have those on the connector pointed to the DMZ Edges, and have the * connector pointing toward the internet.

    In a nutshell, it does not matter what is running in the pre-DMZ; it can be an appliance or an Edge server as long as it is stand-alone.


    MCSA exchange 2016 | MCTS exchange 2013 | MCTS-MCITP exchange 2010 | MCTS-MCITP Exchange: 2007 | MCSA Messaging: 2003 | MCP windows 2000

    Thursday, August 30, 2018 12:39 PM
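The connector layout the answer describes, written out as Exchange Management Shell commands. This is an added illustration, not configuration posted by the answerer or shipped by Microsoft; the server names, IP addresses, the domain `example.com` and the EdgeSync connector name are all assumptions chosen for the example. The two hops trust each other by source IP on the receive connectors and additionally require TLS, so the IP allow-list is not the only thing protecting the relay hop.

```powershell
# Added example: two-hop Edge layout (stand-alone pre-DMZ Edge -> subscribed DMZ Edge -> org).
# Assumed addresses: pre-DMZ Edges 10.10.10.11/12, DMZ Edges 10.10.20.11/12, domain example.com.

### 1. On the stand-alone pre-DMZ Edge (NOT EdgeSync-subscribed) ###

# Domains this hop is allowed to accept inbound mail for; everything else is rejected,
# so the pre-DMZ box never becomes an open relay toward the DMZ.
New-AcceptedDomain -Name "example.com" -DomainName "example.com" -DomainType InternalRelay

# Inbound mail for example.com is handed to the DMZ Edges only (no DNS routing).
New-SendConnector -Name "To DMZ Edge" -Usage Custom `
    -AddressSpaces "SMTP:example.com;1" `
    -SmartHosts "10.10.20.11","10.10.20.12" -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism None -RequireTLS $true

# The "*" connector: outbound mail from the org goes to the internet via DNS/MX.
New-SendConnector -Name "To Internet" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -DNSRoutingEnabled $true

# Accept outbound mail only from the DMZ Edge IPs. The most specific RemoteIPRanges
# match wins over the default Edge receive connector, which keeps accepting internet mail.
New-ReceiveConnector -Name "From DMZ Edge" -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "10.10.20.11","10.10.20.12" `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls -RequireTLS $true `
    -Fqdn "preedge1.example.com"

# Outbound mail is for arbitrary internet domains, so this one connector (and only this
# one) needs relay permission for the anonymous (IP-trusted) session.
Get-ReceiveConnector "From DMZ Edge" | Add-ADPermission `
    -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

### 2. On each subscribed DMZ Edge (receive connectors are local, not synced) ###

# Inbound mail arrives only from the pre-DMZ Edge IPs. Recipients are validated against
# the accepted domains EdgeSync already pushed down, so no relay permission is needed here.
New-ReceiveConnector -Name "From pre-DMZ Edge" -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "10.10.10.11","10.10.10.12" `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls -RequireTLS $true `
    -Fqdn "dmzedge1.example.com"

### 3. On an internal Mailbox server (org side, replicated to the DMZ Edges by EdgeSync) ###

# Point the EdgeSync internet send connector at the pre-DMZ Edges instead of DNS.
# The connector name follows the EdgeSync default pattern; the site name is assumed.
Set-SendConnector -Identity "EdgeSync - Default-First-Site-Name to Internet" `
    -DNSRoutingEnabled $false -SmartHosts "10.10.10.11","10.10.10.12" `
    -SmartHostAuthMechanism None -RequireTLS $true

### 4. Check on each Edge that only the intended peers are trusted ###
Get-ReceiveConnector | Format-Table Name, Bindings, RemoteIPRanges, RequireTLS -AutoSize
Get-SendConnector    | Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize
```

The accepted-domain step is what makes the pre-DMZ hop "stand alone" in the sense the answer uses: it knows which domains to forward to the DMZ Edges and treats everything else as relay, which is granted only to sessions arriving from the DMZ Edge IP addresses. Running step 4 after each change lets you confirm that no connector other than the default internet-facing one accepts from `0.0.0.0-255.255.255.255`.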

All replies

  • Thank you.
    Friday, August 31, 2018 10:02 AM
  • If we put 2 empty Exchange 2016 MBX servers in the pre-DMZ, will it still work?

    We need to relay hybrid Exchange traffic between Exchange Online and our DAG on premises, and we have two requirements:

    - from our customer: we need to put a device or server to process mail in the DMZ and pre-DMZ

    - from MS: we cannot put a third-party relay (an Edge not in sync is a third-party relay) in hybrid SMTP traffic.

    Thursday, September 6, 2018 10:51 AM