Exchange 2010 Transport Server in Hyper V?

[KENNY P]

One of my customers is having us setup an Exchange 2013 cluster with Windows Server 2012, but they want us to use a DMZ Network on their firewall.

Because the server roles have changed, and Exchange will need Active Directory services, we're wondering if the best case scenario to meet there security expectations is to create a Virtual machine with Exchange 2010 transport roles in the DMZ.

Will this setup/configuration work or is this not recommended?

Will any ports have to be opened for the 2010 transport server to communicate with active directory?

[KENNY P]

Anyone care to chime in?

[sc302 Veteran]

depending on how the dmz is setup, you will need ports 25 (for mail in and out), 50389 and 50636 (these two ports are for secure active directory) and if you want to manage with rdp 3389. You will be fine with putting this in a vm server.

[KENNY P]

depending on how the dmz is setup, you will need ports 25 (for mail in and out), 50389 and 50636 (these two ports are for secure active directory) and if you want to manage with rdp 3389. You will be fine with putting this in a vm server.

Thanks dude.... now is the Transport Server what we need to make this work with the DMZ? I'm installing Hyper V/Server 2k8 with Exchange 2k10 as we speak.....

[sc302 Veteran]

Yes that is fine.

[KENNY P]

What we want is to place the edge transport server in the DMZ with the least amount of open ports to meet the company's network security policies.

Can this server be a standalone server that is not a member of the domain with it's only purpose is to be a transport server?

[duddit2]

Would you be wanting an edge transport server role then? Your wanting to simply have something in the DMZ to accept traffic on port 25 and perform simple spam/security checks which isn't AD reliant?

I think you maybe confusing Edge transport (not AD reliant and made for DMZ) with hub transport (AD Reliant, needs to be 'inside')?

[duddit2]

Exchange 2010 Edge Transport

Edge Transport is an optional role that can be installed to prevent spam and virus. This role is meant to replace spam filtering devices such as Barracuda Spam firewall and Symantec mail security. This role is installed on a stand-alone server (workgroup) and uses ADAM to sync LDAP data from Active directory. This allows recipient filtering on Edge Transport server.

[sc302 Veteran]

You shouldn't need it to be, however, I have never seperated the CAS from the TS. The CAS needs to be a member of active directory.

[duddit2]

What we want is to place the edge transport server in the DMZ with the least amount of open ports to meet the company's network security policies.

Can this server be a standalone server that is not a member of the domain with it's only purpose is to be a transport server?

Sorry for my earlier posts, juts seen this of yours where you clearly state you want to put the Edge transport role in the DMZ.

You'll need to configure ADAM (Active Directory Application Mode) so that the edge transport server (workgroup not domain member) can 'talk' to AD and filter recipients correctly.