Exchange Front End Design, ISA or Edge Server?
A little confused with how to design security around Exchange 2007. Typically I would put ISA in the DMZ and Front Ends in the DMZ - SMTP and OWA servers. Is it now best practice to put the Edge server in the DMZ and not use ISA?
September 15th, 2007 1:35am

Well, Edge Server will not replace ISA in functionality. Edge is an Antispam/Antivirus server, and ISA is a firewall by its nature, and is for Exchange role publishing (OWA, Outlook Anywhere, ActiveSync, etc.), which can't be done by Edge. You can't replace ISA with Edge. My advice to you is to keep ISA for Exchange publishing, and you can use it for your clients as a proxy server, and use Edge as the first email Internet-facing server where all your emails are received by Edge; then Edge will apply certain rules and filtering for Antispam, Antivirus, compliance and company regulatory rules as well. Please let me know if you need more help. Regards, Alaa
September 15th, 2007 2:15am

Alaa, first off, very helpful; I haven't done an Exchange engagement for a while. Do I actually need an Edge server if I have a simple design, 5K users - one back-end cluster, two SMTP and two OWA servers? Not sure why I would need the Edge server. Is MS doing away with all the FE/BE terminology? Thanks,
September 15th, 2007 2:32am

Edge is an optional Exchange 2007 server role and is not necessary for your system to function, but it is good to have, especially if you don't have a similar product already. MS is not moving away from FE/BE. The Exchange 2007 Mailbox server role is what you can call a BE server, and Exchange 2007 CAS (Client Access) is the new Front End server. CAS does more than the old FE server did. Read more about Exchange 2007 server roles: http://msexchangeteam.com/archive/2006/09/12/428880.aspx
September 15th, 2007 5:49pm

No extra information can provide more than what Lasse did. It's good to have an Edge Server on your network if you don't have an Antivirus or Antispam email system. If you don't have a similar system then I do recommend implementing Edge in your network, with ForeFront Security for Exchange. Both are the best together. Regards, Alaa
September 15th, 2007 6:37pm

The client currently uses an outside source, Postini, for all spam and content filtering and will remain doing so. So I guess there would be no need for an Edge server. Does this mean that Postini would just point to the back-end mailbox server somehow? So there would only be two OWA servers and one mailbox cluster for the design. Thanks,

Alaa Alian Al-Ankar wrote: No extra information can provide more than what Lasse did. It's good to have an Edge Server on your network if you don't have an Antivirus or Antispam email system. If you don't have a similar system then I do recommend implementing Edge in your network, with ForeFront Security for Exchange. Both are the best together. Regards, Alaa
September 17th, 2007 2:31am

Then Postini should point to one or multiple of your HUB servers. If you build a mailbox server cluster then you cannot install any other Exchange server roles onto those servers; you must install other servers with the CAS and HUB server roles. E.g. 2 MB server roles in a cluster (Single Copy or Continuous Replication cluster), and 2 other servers with both the CAS and HUB roles installed on both. Configure NLB on port 443 to make the functions that run in IIS redundant. This would give you a total of 4 servers, and the system is redundant and can lose one MB server and one CAS/HUB server. You can of course separate CAS and HUB onto separate servers, but then you need 2 more servers. This may be needed if you have a high volume of mail.
September 17th, 2007 9:33am

Thanks, I just wanted to be very clear that I can run the HUB server on an OWA server... since the design will just be two OWA servers and one back-end mailbox cluster. Can the HUB server be on multiple servers, or would it just run on one of the OWA servers? Thanks much,
September 17th, 2007 9:11pm

The HUB server role should be installed on 2 or more servers. This will make your system both load balanced and fault tolerant regarding SMTP and mail delivery.
September 18th, 2007 2:02pm

Hi, as Lasse said, you need two HUB servers to load balance internal as well as external mail flow requests (SMTP requests). From internal, Active Directory is managing this process, but from outside you need to add a mechanism to load balance SMTP requests. The best way to do it is to enable the Round Robin DNS feature for your external MX record. I am not sure if your external Antispam or Antivirus system can round robin the SMTP requests between the two HUB servers or not; if yes, then you need to configure it to do so, and if not, then you need to configure an external DNS source in your DMZ area for your Antispam system to resolve your external domains from, and you need to configure a zone for your domain as well, where you configure the Round Robin DNS records there. Please let me know if you need more information about this specific issue or the Round Robin issue. Regards,
September 19th, 2007 12:21am
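The last two replies describe spreading inbound SMTP across two HUB servers with equal-preference MX records (round robin) and keeping a fallback. The following is an added example, not code from this thread or from any poster, that simulates how a sending MTA orders MX hosts per RFC 5321 section 5.1 (lowest preference first, random order within equal preference) and what happens when one or both HUB servers are unreachable. The domain example.com, the host names hub1/hub2/backup and the 192.0.2.x addresses are constructed sample data, not values from the thread.

```python
import random
from collections import defaultdict

# Constructed sample: a BIND-style zone fragment for a hypothetical domain.
# Two equal-preference MX records spread inbound SMTP across both HUB servers;
# the preference-20 record is only tried when both hubs are unreachable.
ZONE_FRAGMENT = """
example.com.         IN MX 10 hub1.example.com.
example.com.         IN MX 10 hub2.example.com.
example.com.         IN MX 20 backup.example.com.
hub1.example.com.    IN A  192.0.2.10
hub2.example.com.    IN A  192.0.2.11
backup.example.com.  IN A  192.0.2.20
"""


def parse_mx_records(zone_text):
    """Return a list of (preference, host) tuples from a zone fragment."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        # expected shape: <owner> IN MX <preference> <exchange host>
        if len(fields) == 5 and fields[1] == "IN" and fields[2] == "MX":
            records.append((int(fields[3]), fields[4].rstrip(".")))
    return records


def delivery_order(mx_records, rng=None):
    """Order MX hosts the way a sending MTA does: lowest preference value
    first; hosts sharing a preference are tried in random order, which is
    what spreads first-attempt load across the two HUB servers."""
    rng = rng or random
    by_pref = defaultdict(list)
    for pref, host in mx_records:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def pick_delivery_target(mx_records, unreachable=(), rng=None):
    """Return the first host in delivery order that is not unreachable, or
    None when no MX host can be reached (the sender would queue the mail)."""
    for host in delivery_order(mx_records, rng):
        if host not in unreachable:
            return host
    return None


def distribution(mx_records, n_messages, seed=0):
    """Count which host receives the first delivery attempt for n messages."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(n_messages):
        counts[pick_delivery_target(mx_records, rng=rng)] += 1
    return dict(counts)


if __name__ == "__main__":
    mx = parse_mx_records(ZONE_FRAGMENT)
    print("MX records:", mx)
    print("first-attempt split over 1000 messages:", distribution(mx, 1000))
    print("hub1 down ->", pick_delivery_target(mx, unreachable={"hub1.example.com"}))
    print("both hubs down ->", pick_delivery_target(
        mx, unreachable={"hub1.example.com", "hub2.example.com"}))
```

The point for the design in this thread: with only one HUB listed in MX, a single server outage stops inbound mail from outside; with two equal-preference records the sender itself retries the other hub, and the DNS zone (or the filtering provider, if it honours multiple MX hosts) needs no further balancing logic.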
