Exchange 2k3 w/front end sending mail in DMZ to smarthost config
I have a project I'm starting tonight and want to know if I have the steps correct before I start. Currently we have three Exchange 2003 servers, two in a cluster and one installed in our DMZ that hosts OWA. The Exchange 2003 server in the DMZ is also set up as a bridgehead, so all outbound mail goes through it. We are adding a mail security appliance that scans both inbound and outbound mail; this too will be in the DMZ. This is also in preparation for migration to Exchange 2010.

What I want to know is: will the following steps work, or am I missing something?

(First I configure the appliance to forward inbound mail to the Master Exchange Server and to send received mail from Exchange Server to the Internet.) Next I uninstall Exchange from the OWA/Front End Exchange Server, verify it was removed from the org and turn off/unplug the NIC of the server. Next, modify the SMTP connector in the Routing group that points to the front end server and point it to the appliance. Turn on the appliance.

The front end OWA server held the IP address that our MX record was pointing to. There was an anti-spam application running on that box that received mail, so everything worked. We gave the appliance the same address as the front end/OWA server, which will be removed prior to turning on the appliance, so the MX record will point to the appliance. Once this is completed we will start our 2010 migration.

Will this work? Did I forget any steps? Any help will be appreciated.

Ken
February 22nd, 2011 3:13pm

Looks like we won't do this tonight since there was no feedback. Hopefully one of the experts here can review the above and tell us if it looks good so we can give it a try tomorrow.
February 22nd, 2011 6:33pm

First, you need to put the frontend server back where it belongs, and that is inside your network. Putting Exchange in a DMZ does nothing to increase the security of your network, it just turns your firewall into Swiss cheese. Fortunately on Exchange 2010, the only role that is supported in a DMZ is Edge.

If you are going to use an antispam appliance, then what you have outlined should work, if the appliance is set up correctly. Hopefully it can do recipient validation; if not, or you are not sure, then ensure that you have reviewed the settings and ensured that LDAP (which is the usual method) is working correctly.

How is your SMTP connector configured at the moment? You say it points to the frontend server. Does that mean it is using the frontend server as a smart host (bad idea) or the frontend server is the bridgehead? If the latter, then just change the bridgehead to one of the backend servers and change it to use a smart host. You don't have to touch your existing Exchange servers at all.

Simon.
Simon Butler, Exchange MVP
February 22nd, 2011 6:50pm

Thanks for the reply Simon. The front end server in the DMZ is the bridgehead and also OWA server. It is going away because 2010 does not support OWA in the DMZ. So instead of trying to make both OWA versions work together we are getting rid of the old one and will install a 2010 CAS server and publish it to the DMZ through TMG 2010 server. Our remote users prefer XenApp to webmail anyway so not an issue removing OWA for now. The appliance is a Sophos and does support Recipient Validation so we should be good there.

"How is your SMTP connector configured at the moment?"

Front end server is the bridgehead server not a smart host. Our two Exchange servers share one name space (active/passive cluster) so you're saying make the clustered servers the bridgehead? I checked and it does show the clustered name when clicking the add bridgehead button. Was missing this step totally. I was going to remove the bridgehead and not add one.

Thanks for your help.

Ken
February 23rd, 2011 9:08am

This topic is archived. No further replies will be accepted.
