CAS on EDGE Server
In my network we use mapped IPs from public to private, and then filter the ports for mail and SSL. The problem I have is I am trying to deploy an edge server and when I forward to that mapped IP it also forwards the SSL traffic. So none of my outside client access will work. Without deploying a CAS on that edge server, is there any other way to do this? Would it be an issue if I installed the CAS role on the edge server, or is it even possible? This is not on a promoter network; this is mostly just for spam filtering. Thanks for your help.
December 14th, 2010 12:44pm

Edge is designed to take the place of traditional spam filtering appliances, which are usually sitting in a DMZ and are not a part of the domain. If that theory was followed then putting CAS on there would not be possible because CAS has to be a part of the domain, not to mention I wouldn't recommend it either way. Depending on your firewall, it should be able to forward or reverse NAT/PAT the IP based on the protocol: forwarding port 25 traffic on that IP to the Edge, and all other traffic to a reverse proxy or CAS server if none exists. To alleviate this you could deploy a Forefront Threat Management Gateway (TMG) 2010 server (would require two NICs) in the DMZ (keep the Edge in the DMZ also) and send all traffic to the TMG server, then create publishing rules for web services and SMTP to point to the correct server. TMG can do filtering of SMTP traffic as well as many other things, but at the very least it could be an alternate solution for you if the firewall configuration I mentioned above will not work for you.
HTH
Chris Morgan
December 14th, 2010 12:53pm

You cannot install the CAS role onto an Edge server. Moreover, you cannot put the CAS role in the DMZ where an Edge server would typically be. You don't direct TCP443 at an Edge and you don't direct TCP25 at a CAS, so there isn't a conflict.
"AllanHill" wrote in message news:b8baeb20-d8ef-4457-b7ab-2378d3a85952... In my network we use mapped ips from public to private, and then filter the ports for mail and SSL. The problem I have is I am trying to deploy an edge server and when I forward to that mapped IP it also forwards the SSL traffic. So none of my outside client access will work. Without deploying a CAS on that edge server, is there any other way to do this? Would it be an issue if I installed the CAS role on the edge server, or even possible. This is not on a promoter network this is mostly just for spam filtering. Thanks for your help.
Mark Arnold, Exchange MVP.
December 14th, 2010 2:06pm
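
The port split described in the two replies above (TCP 25 to the Edge, TCP 443 to the CAS or a reverse proxy), as an added example that is not part of the thread: a small audit of a NAT/port-forward table that flags the 1:1 mapped-IP setup from the question. The addresses, rule format, and first-match-wins evaluation are assumptions made for illustration, not any particular firewall's syntax.

```python
"""Audit a static NAT/port-forward table for the Edge/CAS split (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses (RFC 5737 / RFC 1918), hypothetical and not from the thread.
PUBLIC_IP = "203.0.113.10"
EDGE = "192.168.50.25"  # Edge Transport server in the DMZ
CAS = "10.0.0.20"       # CAS, or a reverse proxy such as TMG publishing it

@dataclass(frozen=True)
class NatRule:
    public_ip: str
    port: Optional[int]  # None = every port, i.e. a 1:1 mapped IP
    target: str

def resolve(rules: List[NatRule], public_ip: str, port: int) -> Optional[str]:
    """Return the internal host a TCP port lands on (first match wins), or None."""
    for rule in rules:
        if rule.public_ip == public_ip and rule.port in (None, port):
            return rule.target
    return None

def audit(rules: List[NatRule], ports=range(1, 1025)) -> List[str]:
    """List every way the table departs from 25 -> Edge, 443 -> CAS/proxy."""
    findings = []
    smtp, https = resolve(rules, PUBLIC_IP, 25), resolve(rules, PUBLIC_IP, 443)
    if smtp != EDGE:
        findings.append(f"tcp/25 lands on {smtp}, not the Edge server")
    if https != CAS:
        findings.append(f"tcp/443 lands on {https}, not the CAS/reverse proxy")
    stray = [p for p in ports if p != 25 and resolve(rules, PUBLIC_IP, p) == EDGE]
    if stray:
        findings.append(f"{len(stray)} non-SMTP ports also reach the Edge server")
    return findings

# The setup from the question: the whole public IP is mapped to the Edge.
MAPPED_IP = [NatRule(PUBLIC_IP, None, EDGE)]
# Per-port forwarding: only SMTP to the Edge, only HTTPS to the CAS.
PER_PORT = [NatRule(PUBLIC_IP, 25, EDGE), NatRule(PUBLIC_IP, 443, CAS)]
# Port 25 to the Edge, everything else to the reverse proxy or CAS.
SMTP_THEN_REST = [NatRule(PUBLIC_IP, 25, EDGE), NatRule(PUBLIC_IP, None, CAS)]

if __name__ == "__main__":
    for name, table in [("mapped IP", MAPPED_IP), ("per-port", PER_PORT),
                        ("25 then rest", SMTP_THEN_REST)]:
        print(f"{name}: {audit(table) or 'OK'}")
```
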

Deploy HUB & CAS on the same server. Install Antispam agent on HUB. Hub will have function like EDGE server.
December 14th, 2010 3:33pm

After I thought about it, I think that the HUB and CAS is the best way to go. Thanks all.
December 14th, 2010 4:38pm

Yes, the Edge has a pretty narrow use case for many people. I rarely see it.
"AllanHill" wrote in message news:3b8a877e-d6ee-424c-823b-a5486f338c17... after I thought about it I think that the HUB and CAS is the best way to go thanks all
Mark Arnold, Exchange MVP.
December 15th, 2010 8:01am

Edge has to be deployed in the DMZ while mailbox, hub, cas, and um must be internal.
January 5th, 2011 3:55pm

Edge has to be deployed in the DMZ while mailbox, hub, cas, and um must be internal.
Edge does not "have" to be deployed in a DMZ, but this is indeed the intent.
Mike Crowley
January 5th, 2011 4:26pm

Something not mentioned here is deploying TMG 2010 and Edge 2010 together. TMG can then proxy OWA.
http://www.msexchange.org/articles_tutorials/exchange-server-2010/migration-deployment/exchange-server-2010-edge-server-microsoft-threat-management-gateway.html
Mike Crowley
January 5th, 2011 4:26pm

Deploy HUB & CAS on the same server. Install Antispam agent on HUB. Hub will have function like EDGE server.
With the exception of security. Edge uses AD LDS which contains a subset of recipient data, not all of AD's protected database info.
Mike Crowley
January 5th, 2011 4:28pm

Well yes, but it would have to be a VERY big HOLE for someone to be able to read data by connecting to the SMTP port. I think that the CAS server is a much more hacker-friendly option, with .NET, Silverlight, IIS, ECP, PowerShell, and other at the moment security wise options. The only, and I think THE ONLY, reason for deploying an EDGE server in most environments is in a situation when an organization has A LOT of SMTP traffic and message hygiene. By the fault, the server will have to cope with heavy work, and it won't be possible to deploy HUB&CAS together. So in a sense, from price wise and false security, you will have to deploy another HUB server, and that server can be EDGE. It costs the same if you deploy EDGE or HUB.
January 5th, 2011 4:48pm

Edge has to be deployed in the DMZ while mailbox, hub, cas, and um must be internal.
January 5th, 2011 11:54pm

This topic is archived. No further replies will be accepted.
