Moving from SBS 2003 to Exchange 2010
Hello, we are getting ready to migrate from Win 2003 SBS to a "standard" Win 2008 Active Directory with Exch 2010 on a separate server. Before I knew much about Exch 2010 we were planning on having the OWA on a front end server (one of the reasons we wanted to get away from SBS), and now I see that it is no longer a Front End and the new Outlook Web App runs on the CAS. We are a small organization and want to avoid purchasing new servers as much as possible, but we also want to have security. We currently do not have a perimeter network set up, so this front end server was just going to sit on the "outside" with other web apps. Is having all three Exchange roles on one server that is on the internal network a good idea? Are there risks involved with this setup? We only have the Exch Standard edition, so we do not have the Edge server. Or should we separate the CAS server role onto a completely separate server that would still be on our internal network? Thanks!
May 6th, 2011 11:21am

The only way that you can increase your security is with a separate server running TMG to publish Exchange to the Internet. That could sit in a DMZ. Having a separate server on your internal network does nothing for your security (neither does a frontend server in Exchange 2003). Separate servers are usually deployed for load reasons or because you have multiple mailbox servers. Personally I see no problem in having all roles on the same box and the traffic coming to the server directly from the Internet. I have many installations configured in that way. As long as the server is built correctly, fully patched and is correctly maintained, then it shouldn't be an issue. Simon.
Simon Butler, Exchange MVP | Blog | Exchange Resources | In the UK? Hire Me.
May 6th, 2011 1:16pm

Hi, it is better to install the Internet-facing CAS and Hub Transport roles on one machine and place the Mailbox role on a separate Exchange machine which only has an internal network interface. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks, Gen Lin-MSFT
May 9th, 2011 2:16am

As of now we do not have a DMZ. Our network is sitting behind a Cisco ASA on which we have rules set up to allow certain traffic into our network. So far it looks like my options are: 1. Leave all roles on one server and create a rule to allow http/https into the Exchange server. 2. Create 2 servers, one with the Mailbox role and the other with the Hub and CAS roles installed. In this option, would it make any sense to have 2 NICs on the CAS server with one connected directly to the outside, or just have one NIC with firewall exceptions for the OWA? We just went through our server getting blacklisted (I believe from an AUTH SMTP type of spammer) and I am a little nervous about creating more vulnerabilities for our network. I just started here a few months ago and there are still issues of neglect that are revealing themselves, and with not much experience in network security I'm treading lightly (although there is nothing like On the Job Training). Eventually we plan on setting up a DMZ, but since this is a small organization it is not in the budget right now. Thanks for your help!
May 9th, 2011 2:16pm

You can't put any other role than Edge in a DMZ, and Edge is a waste of money in my opinion. Separating the roles is not done for security; it is only done for load, for example where you have multiple mailbox servers. If you are coming off SBS then you aren't that large, so a single server would be fine. You only need ports 25 and 443 through the firewall. Using single or multiple servers wouldn't stop you getting blacklisted if the server is configured correctly. Authenticated relaying can be turned off; it isn't required by most users. If you also enable the antispam filters then you can configure recipient validation, which will stop another major reason for blacklisting. Dual homing Exchange also causes more problems than it resolves and isn't something I would recommend. Simon.
Simon Butler, Exchange MVP | Blog | Exchange Resources | In the UK? Hire Me.
May 9th, 2011 5:20pm
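The hardening steps Simon describes above (turn off authenticated relay on the Internet-facing connector, install the anti-spam agents, enable recipient validation), written out as Exchange 2010 Management Shell commands. This is an added example for illustration, not code from the thread or from Microsoft; the server name EX01 and the connector name "Default EX01" are assumptions, and the commands are meant to be run on the Hub Transport server by an Exchange Organization Administrator.

```powershell
# Added example, not part of the original thread. Assumed names: server EX01 and its
# default receive connector "Default EX01" (the one bound to 0.0.0.0:25 that the ASA
# forwards Internet port 25 to). Substitute your own before running.

$Server    = "EX01"                     # assumed server name
$Connector = "$Server\Default $Server"  # assumed Internet-facing receive connector

# 1. Audit: what listens on port 25, who may connect, and which auth mechanisms and
#    permission groups apply. ExchangeUsers + BasicAuth on an Internet-facing connector
#    is the combination that lets a phished/weak mailbox password become a spam relay.
Get-ReceiveConnector -Server $Server |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 2. Who currently holds relay rights on the connector. "NT AUTHORITY\ANONYMOUS LOGON"
#    appearing here with Accept-Any-Recipient and Deny=False would mean an open relay.
Get-ADPermission -Identity $Connector |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Select-Object User, Deny, ExtendedRights

# 3. Turn off authenticated relay on the Internet-facing connector: keep anonymous inbound
#    mail, server-to-server traffic and opportunistic TLS, but drop the ExchangeUsers group
#    and Basic/Integrated auth so the connector never accepts a username/password from the
#    Internet. Outlook (MAPI/RPC) and OWA users do not use SMTP AUTH, so they are unaffected.
Set-ReceiveConnector -Identity $Connector `
    -PermissionGroups AnonymousUsers, ExchangeServers, ExchangeLegacyServers `
    -AuthMechanism Tls, ExchangeServer

# 4. Install the Hub Transport anti-spam agents (included with Standard edition) and enable
#    recipient validation, so mail to non-existent addresses is rejected during the SMTP
#    session instead of being accepted and bounced later (backscatter NDRs are a common
#    reason a server ends up on a blacklist).
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 5. Verify the end state.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-ReceiveConnector -Identity $Connector | Format-List Bindings, AuthMechanism, PermissionGroups
```

If printers, scanners or internal applications on the LAN do need SMTP AUTH to submit mail, give them their own receive connector bound to port 587 and scoped with `-RemoteIPRanges` to their internal addresses, rather than leaving ExchangeUsers and BasicAuth on the connector the Internet can reach; the ASA then only needs to forward 25 and 443, as the post says.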

Thanks for the replies. We'll go ahead and install it on one server and lock it down as much as we can. At least it will no longer be on the same server as our domain controller, file shares, etc.
May 13th, 2011 9:49am
