Design critique / advice please. - Several basic questions.

  • Thread starter Norm Allen

Norm Allen



Greetings,

I'm new to Exchange, setting up a fresh 2010 install. I currently have GW7 running and am using the Messaging Architects M+Guardian appliance as a filter to bi-directionally relay external mail. I have M+Guardian ready to roll, pointing to the internal IP of our single Exchange 2010 server.

Here are my questions on relaying:

1) Where in Exchange do I tell the server to relay external mail to our M+Guardian device?

2) Where do I tell Exchange to only accept mail (from external domains) from our M+Guardian device?

I also have questions on OWA and ActiveSync... - From what I understand, if I want to offer OWA and ActiveSync out into the cloud I need to publish them via TMG. - Is this correct?

I have an '08 Server ready to go with TMG 2010. It has 2 NICs, one in the DMZ and another on an internal subnet. - What role(s) do I need running where?

In a nutshell, this is a very rough graphical view of what I have:

Exchange 2010 (internal, no direct access from internet) < ---- > M+Guardian (in DMZ) < --- > {Internet}
^
|
└ ------- > TMG 2010 < ---- > {Internet}

M+Guardian and TMG have separate public IPs with corresponding DNS entries. - All mail traffic from the outside world is directed to M+Guardian. OWA will have its DNS pointed to the TMG, but I'm not sure what to do with ActiveSync given that I want to filter mail bi-directionally through M+Guardian.

Many thanks in advance!

Norm
 

Lorenzo Soncini



1) Where in Exchange do I tell the server to relay external mail to our M+Guardian device?

You need to use a SEND-CONNECTOR (EMC - Organization - Transport Hub).
2) Where do I tell Exchange to only accept mail (from external domains) from our M+Guardian device?

Using a RECEIVE-CONNECTOR (EMC - Server Configuration - Transport Hub).

Publishing OWA or ActiveSync requires access from the internet to the CAS role server. You need TMG 2010 or another "reverse proxy" to secure the access and not expose the CAS server directly to the internet.

The schema you reported is correct.

Lorenzo Soncini
 
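The two connectors Lorenzo describes, written out as Exchange Management Shell commands. This is an added example and is not from the thread or from Messaging Architects; the server name `EX01` and the appliance address `10.0.1.5` are placeholders you must replace with your own. (In the EMC the nodes are Organization Configuration > Hub Transport for send connectors and Server Configuration > Hub Transport for receive connectors.)

```powershell
# Added example (not from the original thread). Run in the Exchange Management
# Shell on the Exchange 2010 server. All names/addresses below are assumptions.

$hub      = "EX01"       # assumed: your Hub Transport server
$guardian = "10.0.1.5"   # assumed: M+Guardian as seen from the internal network

# 1) Outbound: send every external address space (SMTP:*) to M+Guardian as a
#    smart host rather than resolving MX records yourself. SmartHosts and
#    DNS routing are mutually exclusive, so DNSRoutingEnabled must be $false.
New-SendConnector -Name "Outbound via M+Guardian" `
    -Usage Custom `
    -AddressSpaces "SMTP:*;1" `
    -SmartHosts $guardian `
    -SmartHostAuthMechanism None `
    -DNSRoutingEnabled $false `
    -SourceTransportServers $hub

# 2) Inbound: grant anonymous (unauthenticated, i.e. external) submission
#    only to the appliance's IP. When several connectors listen on the same
#    binding, Exchange picks the one whose RemoteIPRanges matches the sender
#    most specifically, so this wins over the Default connector for traffic
#    from M+Guardian while leaving the Default connector without anonymous
#    rights for everyone else.
New-ReceiveConnector -Name "Inbound from M+Guardian" `
    -Usage Custom `
    -Server $hub `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $guardian `
    -PermissionGroups AnonymousUsers

# 3) Check: only the appliance-scoped connector should list AnonymousUsers,
#    and the send connector should show the smart host with DNS routing off.
Get-ReceiveConnector -Server $hub |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
Get-SendConnector |
    Format-List Name, AddressSpaces, SmartHosts, DNSRoutingEnabled
```

The receive connector restricts who may hand the server unauthenticated mail, but it is not a substitute for the firewall: the Exchange server should still only be reachable on TCP/25 from the DMZ appliance, which matches the diagram in the original post.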

Brian Desmond -MVP-



Norm-

All mail inside of Exchange flows via the Hub Transport boxes at some point. You can't, however, have the HT server loop the external appliance into that unless the appliance can plug in to the transport pipeline. Thus for internal mail you're still going to want to look at an Exchange-aware A/V product installed on the Hub Transport servers.

You can do OWA/ActiveSync without TMG and just punch a hole for SSL straight through to the CAS box. TMG gives you some added benefit, but it's not required. Not sure why you would point to TMG for DNS, though, either way.

Active Directory, 4th Edition - www.briandesmond.com/ad4/
 

Norm Allen



Thank you very much Lorenzo!

I'll probably get with a support vendor just to go over everything and double-check but your help has me on my way for now.

Norm
 

Norm Allen



Thanks Brian,

M+Guardian is a GW- and Exchange-aware device. - I will be processing mail through both until such time as I can cut GW.

It may be an outdated methodology but the only holes I want punched are to go to devices in the DMZ.

DNS pointing to TMG would be for OWA (owa.org.tld) and perhaps ActiveSync.

Thanks again,

Norm
 