Exchange 2010 Transport Server in Hyper V?

windows server exchange

9 replies to this topic

#1 KENNY P

KENNY P

    Neowinian

  • Joined: 24-May 12

Posted 16 December 2012 - 09:33

One of my customers is having us set up an Exchange 2013 cluster with Windows Server 2012, but they want us to use a DMZ network on their firewall.

Because the server roles have changed, and Exchange will need Active Directory services, we're wondering if the best-case scenario to meet their security expectations is to create a virtual machine with Exchange 2010 transport roles in the DMZ.

Will this setup/configuration work or is this not recommended?

Will any ports have to be opened for the 2010 transport server to communicate with Active Directory?


#2 OP KENNY P

KENNY P

    Neowinian

  • Joined: 24-May 12

Posted 16 December 2012 - 16:38

Anyone care to chime in?

#3 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 16 December 2012 - 20:25

Depending on how the DMZ is set up, you will need ports 25 (for mail in and out), 50389 and 50636 (these two ports are for secure Active Directory) and, if you want to manage with RDP, 3389. You will be fine putting this in a VM server.
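The post above lists the ports; as an added example that is not part of the thread, here are the host-firewall rules a practitioner would apply on the Exchange 2010 Edge Transport server itself, using netsh advfirewall since the OP is building on Server 2008. One caveat worth knowing: in Exchange 2010 EdgeSync it is the internal Hub Transport servers that connect to the Edge server's AD LDS instance over secure LDAP on TCP 50636, while TCP 50389 is only used locally on the Edge server and does not need to pass through any firewall. The Hub Transport addresses and management subnet below are placeholders (assumptions), not values from the thread.

```powershell
# Added example (not from the thread): inbound lockdown for an Exchange 2010 Edge
# Transport server sitting in a DMZ. Addresses are placeholders (assumption).
$HubServers = "10.0.10.21,10.0.10.22"   # internal Hub Transport servers that run EdgeSync
$MgmtSubnet = "10.0.50.0/24"            # admin workstations allowed to RDP into the DMZ

# Default posture: drop everything inbound, allow outbound. The Edge server needs
# outbound TCP 25 both to the internet and to the Hub Transport servers.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# SMTP in from anywhere: internet MX traffic plus outbound mail handed over by the Hubs.
netsh advfirewall firewall add rule name="Edge SMTP in" dir=in action=allow protocol=TCP localport=25 remoteip=any

# EdgeSync: the Hub Transport servers bind to AD LDS on the Edge over secure LDAP (TCP 50636).
# Restricting remoteip to the Hubs keeps the recipient directory off the rest of the DMZ.
netsh advfirewall firewall add rule name="EdgeSync LDAPS in" dir=in action=allow protocol=TCP localport=50636 "remoteip=$HubServers"

# RDP only from the management subnet, never from the internet-facing side.
netsh advfirewall firewall add rule name="RDP in (mgmt)" dir=in action=allow protocol=TCP localport=3389 "remoteip=$MgmtSubnet"

# TCP 50389 (plain LDAP to AD LDS) is only used by processes on the Edge server itself,
# so deliberately no inbound rule is created for it.

# Review the resulting inbound rule set.
netsh advfirewall firewall show rule name=all dir=in | Select-String "Rule Name","LocalPort","RemoteIP"
```

The perimeter firewall in front of the DMZ needs the matching holes: TCP 25 from the internet to the Edge, TCP 25 and TCP 50636 from the Hub Transport servers to the Edge, and TCP 25 from the Edge back to the Hubs. Nothing from the Edge towards the domain controllers is required, which is the point of using the Edge role rather than a domain-joined Hub in the DMZ.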

#4 OP KENNY P

KENNY P

    Neowinian

  • Joined: 24-May 12

Posted 16 December 2012 - 21:06

Depending on how the DMZ is set up, you will need ports 25 (for mail in and out), 50389 and 50636 (these two ports are for secure Active Directory) and, if you want to manage with RDP, 3389. You will be fine putting this in a VM server.

Thanks dude... now, is the Transport Server what we need to make this work with the DMZ? I'm installing Hyper-V/Server 2k8 with Exchange 2k10 as we speak...

#5 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 16 December 2012 - 21:36

Yes that is fine.

#6 OP KENNY P

KENNY P

    Neowinian

  • Joined: 24-May 12

Posted 16 December 2012 - 21:57

What we want is to place the edge transport server in the DMZ with the least amount of open ports to meet the company's network security policies.

Can this server be a standalone server that is not a member of the domain, whose only purpose is to be a transport server?

#7 duddit2

duddit2

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 24-January 10
  • Location: Manchester UK
  • OS: Windows 8 Pro

Posted 16 December 2012 - 22:14

Would you be wanting an Edge Transport server role then? You're wanting to simply have something in the DMZ to accept traffic on port 25 and perform simple spam/security checks which isn't AD reliant?

I think you may be confusing Edge Transport (not AD reliant and made for the DMZ) with Hub Transport (AD reliant, needs to be 'inside')?

#8 duddit2

duddit2

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 24-January 10
  • Location: Manchester UK
  • OS: Windows 8 Pro

Posted 16 December 2012 - 22:26

Exchange 2010 Edge Transport


Edge Transport is an optional role that can be installed to prevent spam and viruses. This role is meant to replace spam-filtering devices such as Barracuda Spam Firewall and Symantec Mail Security. This role is installed on a stand-alone server (workgroup) and uses ADAM to sync LDAP data from Active Directory. This allows recipient filtering on the Edge Transport server.


#9 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 23
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 16 December 2012 - 22:39

You shouldn't need it to be; however, I have never separated the CAS from the TS. The CAS needs to be a member of Active Directory.

#10 duddit2

duddit2

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 24-January 10
  • Location: Manchester UK
  • OS: Windows 8 Pro

Posted 16 December 2012 - 22:51

What we want is to place the edge transport server in the DMZ with the least amount of open ports to meet the company's network security policies.

Can this server be a standalone server that is not a member of the domain, whose only purpose is to be a transport server?


Sorry for my earlier posts, just seen this of yours where you clearly state you want to put the Edge Transport role in the DMZ.

You'll need to configure ADAM (Active Directory Application Mode) so that the Edge Transport server (workgroup, not domain member) can 'talk' to AD and filter recipients correctly.
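The ADAM instance the post refers to is installed automatically with the Edge Transport role (on Server 2008 it is called AD LDS, same component); the Edge server never queries Active Directory itself. Instead the Hub Transport servers push recipient and configuration data into it through an Edge Subscription. As an added example that is not part of the thread, these are the Exchange 2010 Management Shell steps for that subscription, run partly on the Edge server and partly on a Hub Transport server. The file path, site name, host names and recipient address are placeholders (assumptions).

```powershell
# Added example (not from the thread): EdgeSync subscription for an Exchange 2010
# Edge Transport server in a workgroup. Placeholders (assumptions): C:\EdgeSubscription.xml,
# site "Default-First-Site-Name", hosts EDGE01 / HUB01, address user@contoso.com.

# ---- 1. On the Edge Transport server (workgroup member, Exchange Management Shell) ----
# Export the subscription file. It contains bootstrap credentials for the AD LDS instance
# and must be imported on a Hub within 1440 minutes, so move it over a trusted channel
# (not through the mail path) and delete both copies afterwards.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# Edge and Hub must resolve each other's FQDNs. Without DNS across the DMZ boundary a
# hosts entry on each side does it (placeholder address).
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "10.0.10.21`tHUB01.corp.contoso.com"

# ---- 2. On a Hub Transport server in the AD site the Edge will serve ----
Get-ADSite | Select-Object Name              # confirm the site name before subscribing

# Import the subscription; the byte[] form is what New-EdgeSubscription expects.
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
Remove-Item -Path "C:\EdgeSubscription.xml"

# Replicate now instead of waiting for the schedule, then verify the Hub can reach
# AD LDS on the Edge over TCP 50636 and that the data matches.
Start-EdgeSynchronization
Test-EdgeSynchronization

# Confirm a real recipient made it into AD LDS; this is what lets the Edge reject
# mail for unknown addresses without any connection to a domain controller.
Test-EdgeSynchronization -VerifyRecipient user@contoso.com

# EdgeSync creates the Send connectors between Hub and Edge automatically; review them
# and the Edge receive connector that listens on TCP 25.
Get-SendConnector | Format-Table Name,SourceTransportServers,AddressSpaces -AutoSize
Get-ReceiveConnector -Server EDGE01 | Format-Table Name,Bindings,RemoteIPRanges -AutoSize
```

If Test-EdgeSynchronization reports a failure, the usual culprits are name resolution between the two servers and TCP 50636 being blocked between the Hub Transport servers and the Edge; the Edge itself needs no ports towards Active Directory.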


