Edge Transport 3rd party mail filter before Exchange 2010

Not open for further replies.


MODEL: I want to have Edge 2010 running in DMZ behind a TMG server (no TMG for Exchange) - presumably mail will flow inbound port 25 to external NIC --> TMG allows to Edge --> Edge Sends to Internal network where 3rd pary filter is running --> 3rd party filter then passes to Exch Hub Transport (after passing rules).
Will Edge Sync still work? Does the Edge Subscription Mean anything now? Will Edge Transport still be able to send to internal network?

In other words - what happens when something else is inbetween Edge Transport grabbing port 25 mail and then relaying to Exch 2010



Sembee [MVP]

What is the point in having Edge? If you are using a third party product to filter email then why not have email delivered straight to that. It then passes it to the internal Hub transport. Edge is designed to do the filtering for you, meaning that you don't have another product involved, or if you do it is integrated with Exchange, not running its own SMTP engine.


Simon Butler, Exchange MVP
Blog | Exchange Resources

Brian Day MCITP

There are still some things Edge can do in this kind of deployment, although I'd personally not recommend it. You could put a 3rd party filtering application on the hub transport if you wanted a non-MS application somewhere in the SMTP pipeline.

1. If filtering is enabled, reduce the load hitting the 3rd party device.

2. User consolidated block/allow lists (Although the 3rd party device could mess up the allowed mail)

3. Edge-only Transport Rules

4. Shared namespace routing

5. Address re-writes (as long as Hub sends out through it)

6. Immediate filtering out of bad recipients

Microsoft Premier Field Engineer, Exchange
MCSA 2000/2003, CCNA
MCITP: Enterprise Messaging Administrator 2010
Former Microsoft MVP, Exchange Server
My posts are provided "AS IS" with no guarantees, no warranties, and they confer no rights.


To start - we already had a filtering solution in place, licensed etc etc. But the 3rd party filtering solution is great for outing mail as well, before it even leave the organizaiton, I can also control who is permitted to relay off the server internally, and we use this greatly for many kinds of notifications and alerts. Custom rules are also built to digest the contect of mail - for example search a database of customer identification information - before the mail is even allowed to leave, strip attachments and so forth. I am sure that Edge also allows me to some of these things, but the idea is that edge is out in a DMZ which means mail woudl have had to leave the organization before finding out.

Edge also affords me a smarter host in the DMZ for my filtering agent use true source IP address lists and other tools to block/kill - my goal was to go from a dumb virtual SMTP box in a DMZ to a smart host that could also handle re-queing properly and NDR reports better for compliance.

In my model - the HUB listens only to the 3rd party engine for SMTP and sends to the same engine, from there the 3rd party software woudl send to Edge.

But as you mentioned, I wanted to leverage Edge to kill more mail at the perimiter, then the second layer of filtering would protect both the incoming mail, but also outgoing. (Items 1 and 6 above)

Bottom line is that Edge will still work to send to the SMTP listener - what woudl I have to expect in this model.

And could you explain a couple of the other options you mention above. (2, 3, 4, 5)



Sembee [MVP]

As far as I am aware, Edge will want to deliver straight to Exchange, not to another product that is listening for SMTP traffic.

If your third party product isn't Exchange integrated (which it isn't if it has its own SMTP engine) then why don't you put that in the DMZ? If it is running its own SMTP engine, then do the internal Exchanges deliver to it via some kind of smart host? If so, then it has left your Exchange org, so there is no reason not to put it in the smart host.
I am really struggling to see why you are even considering Edge in this scenario, other than you have an investment in another product, which doesn't do everything that you need, but don't want to write it off.
Any decent antispam application should be able to do recipient validation using LDAP, if it cannot then I wouldn't even consider it. Recipient Validation can knock out over 70% of spam email in some cases.

The other functionality of Edge, I can do without, or achieve with third party tools for a lot less than an additional Exchange licence. Consolidated safe senders from the Outlook clients is the only thing I can't, and that isn't something I will miss too much.


Simon Butler, Exchange MVP
Blog | Exchange Resources


Hi smurfman,
Sembee gave some good suggestion, I totally agree with him.
If you want to deploy the thirdparty product, I would plan it as below:
inboundemail -> the third party product -> edge server -> hub server
That means the third party product act as a smtp filter gateway.
Not open for further replies.
Thread starter Similar threads Forum Replies Date
T Prerequisites softwares for installing exchange 2010 edge transport server on windows 2008 R2 Exchange Server Administration 1
J ex2010 edge transport - inbound from internet Exchange Server Administration 7
K Edge transport and TMG best practice NLB Exchange Server Administration 1
R Exchange 2010 Edge Transport server not passing emails... Exchange Server Administration 7
P Exchange 2010 Edge Transport Delays mail Exchange Server Administration 5
H Setting up an Edge Transport Server - Exch 2010 Exchange Server Administration 11
Z Hub Transport and Edge is not working as it should Exchange Server Administration 12
L Plethora of Event ID FAILs on the Edge Transport Exchange Server Administration 4
L Exchange server 2010 edge to hub-transport routing error Exchange Server Administration 9
M Looking for options and best practices for an Edge Server (Exchange or not) Exchange Server Administration 0
J Edge + TMG 2010 No email inbound/outbound and cannot telnet to port 25 on TMG Exchange Server Administration 0
J CPA cuts off left edge of printed Calendar. Ex. January the J is cut off. Calendar Printing Assistant 11
A Exchange 2010 SP1 Edge Server ( Content Filtering ) Exchange Server Administration 0
S Configure Exchange Edge 2010 on TMG in DMZ Exchange Server Administration 1
M join internet domain without edge server to the internal DC domain Exchange Server Administration 4
G Ex2010: Edge Sync / SynStatus Inconclusive? Exchange Server Administration 7
S Exchange 2003 coexistence with Exchange 2010 (Edge, OWA, Certificate, DNS considerations) Exchange Server Administration 3
S Edge 2010 and Forefront 2010 in DMZ Exchange Server Administration 12
S Edge 2010 and TMG on the same box Exchange Server Administration 1
S Forefront TMG Management Control 2010 on Edge Server. Exchange Server Administration 1
S how to print all emails sent and received via edge in 2010 Exchange Server Administration 13
M Re: How to force routing between two internal smtp domains across Two Edge servers Exchange Server Administration 7
M How to force routing between two internal smtp domains across Two Edge servers Exchange Server Administration 3
K Edge to Hub to Exchange 2003 Exchange Server Administration 4
K Edge SyncStatus: Inconclusive Exchange Server Administration 2
N Exchnage 2010 Hub Cas Edge Server Recovery Exchange Server Administration 3
K Edge Hub testing Exchange Server Administration 10
A Hub 2010 to Edge 2007 ( Last Error: 421 4.4.2 Connection dropped due to ConnectionReset ) Exchange Server Administration 3
D exchange 2010 edge smtp authentication Exchange Server Administration 7
J Transport Rule to detect Keyword question.. Exchange Server Administration 2
S Send email via SMTP - use transport rules to add to senders inbox (then rule to move to sent items Exchange Server Administration 1
Brian Murphy Exchange Online Everything a Transport Rule should do and cannot Exchange Server Administration 1
P Transport Agent or Rules/Connectors Exchange Server Administration 1
L Transport rule - append disclaimer Exchange Server Administration 1
G set exch 2010 server as the default hub transport Exchange Server Administration 6
S Hub transport ex2007 - monitoring inbound Exchange Server Administration 2
D How to manage and configure antispam updates for Hub Transport antispam filter agents at "filesystem Exchange Server Administration 1
P Exchange transport overheads Exchange Server Administration 4
P Exchange 2010 - Enable Spam filtering on Hub Transport Server Exchange Server Administration 3
C ms transport suite Exchange Server Administration 2
X Internal mail flow between two hub transport servers same domain Exchange Server Administration 10
C Transport Rule Exchange Server Administration 4
R Fax Transport Outlook 2010 (32-bit) Using Outlook 12
S Exchange 2010 - Mail Transport Exchange Server Administration 2
D Ms Exchange 2010 - Sp1 Upgrade at Prerequisites on Hub Transport Role Exchange Server Administration 8
T 451 4.4 dns query failed on exchange 2010 hub transport server Exchange Server Administration 1
L Transport Service Issues Message Queue keeps going offline slow mail delivery Exchange Server Administration 1
A Windows NLB for Exchange 2010 SP1 Hub Transport Servers Exchange Server Administration 7
D Re: Hub Transport Role Install Fail error # 2147504141 Exchange Server Administration 0
P CAS-Transport-MBX on Single Server Exchange Server Administration 2
Similar threads