Edge Transport 3rd party mail filter before Exchange 2010

  • Thread starter smurfman

smurfman

MODEL: I want to have Edge 2010 running in DMZ behind a TMG server (no TMG for Exchange) - presumably mail will flow inbound port 25 to external NIC --> TMG allows to Edge --> Edge sends to internal network where 3rd party filter is running --> 3rd party filter then passes to Exch Hub Transport (after passing rules).
Will Edge Sync still work? Does the Edge Subscription mean anything now? Will Edge Transport still be able to send to internal network?

In other words - what happens when something else is in between Edge Transport grabbing port 25 mail and then relaying to Exch 2010?

Thanks

J
 

Sembee [MVP]

What is the point in having Edge? If you are using a third party product to filter email then why not have email delivered straight to that? It then passes it to the internal Hub transport. Edge is designed to do the filtering for you, meaning that you don't have another product involved, or if you do it is integrated with Exchange, not running its own SMTP engine.

Simon.

Simon Butler, Exchange MVP
Blog | Exchange Resources
 

Brian Day MCITP

There are still some things Edge can do in this kind of deployment, although I'd personally not recommend it. You could put a 3rd party filtering application on the hub transport if you wanted a non-MS application somewhere in the SMTP pipeline.

1. If filtering is enabled, reduce the load hitting the 3rd party device.

2. User consolidated block/allow lists (Although the 3rd party device could mess up the allowed mail)

3. Edge-only Transport Rules

4. Shared namespace routing

5. Address re-writes (as long as Hub sends out through it)

6. Immediate filtering out of bad recipients

Microsoft Premier Field Engineer, Exchange
MCSA 2000/2003, CCNA
MCITP: Enterprise Messaging Administrator 2010
Former Microsoft MVP, Exchange Server
My posts are provided "AS IS" with no guarantees, no warranties, and they confer no rights.
 

smurfman

To start - we already had a filtering solution in place, licensed etc etc. But the 3rd party filtering solution is great for outgoing mail as well, before it even leaves the organization, I can also control who is permitted to relay off the server internally, and we use this greatly for many kinds of notifications and alerts. Custom rules are also built to digest the content of mail - for example search a database of customer identification information - before the mail is even allowed to leave, strip attachments and so forth. I am sure that Edge also allows me to do some of these things, but the idea is that Edge is out in a DMZ which means mail would have had to leave the organization before finding out.

Edge also affords me a smarter host in the DMZ for my filtering agent to use true source IP address lists and other tools to block/kill - my goal was to go from a dumb virtual SMTP box in a DMZ to a smart host that could also handle re-queueing properly and NDR reports better for compliance.

In my model - the HUB listens only to the 3rd party engine for SMTP and sends to the same engine, from there the 3rd party software would send to Edge.

But as you mentioned, I wanted to leverage Edge to kill more mail at the perimeter, then the second layer of filtering would protect both the incoming mail, but also outgoing. (Items 1 and 6 above)

Bottom line is that Edge will still work to send to the SMTP listener - what would I have to expect in this model?

And could you explain a couple of the other options you mention above. (2, 3, 4, 5)

Thanks

J
 

Sembee [MVP]

As far as I am aware, Edge will want to deliver straight to Exchange, not to another product that is listening for SMTP traffic.

If your third party product isn't Exchange integrated (which it isn't if it has its own SMTP engine) then why don't you put that in the DMZ? If it is running its own SMTP engine, then do the internal Exchanges deliver to it via some kind of smart host? If so, then it has left your Exchange org, so there is no reason not to put it in the smart host.
I am really struggling to see why you are even considering Edge in this scenario, other than you have an investment in another product, which doesn't do everything that you need, but don't want to write it off.
Any decent antispam application should be able to do recipient validation using LDAP, if it cannot then I wouldn't even consider it. Recipient Validation can knock out over 70% of spam email in some cases.

The other functionality of Edge, I can do without, or achieve with third party tools for a lot less than an additional Exchange licence. Consolidated safe senders from the Outlook clients is the only thing I can't, and that isn't something I will miss too much.

Simon.

Simon Butler, Exchange MVP
Blog | Exchange Resources
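The two perimeter checks that come up in this thread, controlling which internal clients may relay outbound through the DMZ smart host (smurfman's post above) and rejecting mail for non-existent recipients before the message body is accepted (Sembee's point about LDAP recipient validation), can be modelled in a few lines. The following is an added example and is not code from the thread or from Exchange or any filtering product discussed here; the LDAP lookup a real gateway would perform against Active Directory is replaced by a constructed in-memory directory, and the relay networks and addresses are made up for the demonstration.

```python
"""Perimeter SMTP policy: outbound relay control plus recipient validation.

Added example, not code from the thread or from any product it discusses.
Models the decision a DMZ smart host makes at RCPT TO so that unknown
recipients and unauthorised relay attempts are refused before DATA.
"""
import ipaddress

# Constructed data: internal networks permitted to relay outbound mail
RELAY_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed stand-in for an LDAP directory: accepted domain -> valid local parts
DIRECTORY = {
    "example.com": {"alice", "bob", "helpdesk"},
    "example.net": {"sales"},
}


def is_relay_client(source_ip: str) -> bool:
    """True if the connecting client sits inside a permitted relay network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in RELAY_NETWORKS)


def split_address(rcpt: str):
    """Normalise an envelope recipient to (local, domain); None if malformed."""
    rcpt = rcpt.strip().strip("<>").lower()
    if rcpt.count("@") != 1:
        return None
    local, domain = rcpt.split("@")
    if not local or not domain:
        return None
    return local, domain


def check_rcpt(source_ip: str, rcpt: str) -> tuple:
    """Return the (code, enhanced-status text) the gateway would reply at RCPT TO."""
    parsed = split_address(rcpt)
    if parsed is None:
        return 501, "5.1.3 Bad recipient address syntax"
    local, domain = parsed
    if domain not in DIRECTORY:
        # Not one of our accepted domains: only authorised internal clients may relay out
        if is_relay_client(source_ip):
            return 250, "2.1.5 Recipient OK (relay)"
        return 554, "5.7.1 Relay access denied"
    # Inbound to an accepted domain: validate the recipient exists before accepting DATA
    if local in DIRECTORY[domain]:
        return 250, "2.1.5 Recipient OK"
    return 550, "5.1.1 User unknown"


def filter_envelope(source_ip: str, rcpts: list) -> dict:
    """Apply check_rcpt to every recipient; take_data is False if none survive."""
    accepted, rejected = [], {}
    for r in rcpts:
        code, text = check_rcpt(source_ip, r)
        if code == 250:
            accepted.append(r.strip().strip("<>").lower())
        else:
            rejected[r] = f"{code} {text}"
    return {"accepted": accepted, "rejected": rejected, "take_data": bool(accepted)}


if __name__ == "__main__":
    # Constructed sample sessions: one external sender, one internal alert host
    print(filter_envelope("203.0.113.7", ["<Alice@Example.com>", "ghost@example.com"]))
    print(filter_envelope("10.1.2.3", ["partner@partner.example"]))
```

Because the decision is made at RCPT TO, a message addressed only to unknown recipients is refused with a 550 before any bytes of the body are transferred, which is where the bandwidth and processing saving Sembee describes comes from; an external client that tries to use the gateway as a relay for a domain the gateway does not accept gets 554 5.7.1 rather than a queued message.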
 

Gavin-Zhang

Hi smurfman,
Sembee gave some good suggestions, I totally agree with him.
If you want to deploy the third-party product, I would plan it as below:
inbound email -> the third party product -> edge server -> hub server
That means the third party product acts as an SMTP filter gateway.
Regards!
Gavin
 