Good afternoon. My name is Don Fuller; I am a Senior Technical Instructor and a Senior Design Engineer for NetCom Learning.
We begin our Exchange 2013 Front End design discussion with the basics of a DMZ design.
A Basic DMZ
● A DMZ consists of a subnet sandwiched between two hardware firewalls.
● We call this design a DMZ (Demilitarized Zone); Microsoft typically refers to it as a “Secure subnet” or a “Perimeter network”.
External DNS
● The first component added to the DMZ is an External Primary DNS server.
● This is a protected DNS server, meaning that dynamic updates are disabled.
● Records on this DNS server are maintained manually: host records, name records and MX records must all be added by hand.
External DNS and your ISP
● The External DNS Server should be replicated to “your” ISP. This protects the records and keeps them available if the Primary External DNS Server goes down.
● The ISP’s DNS server must be configured as a secondary to your External Primary.
The Edge Server
Considering Microsoft’s Exchange 2013 Edge Server. Major considerations:
● The Edge server ONLY filters SMTP traffic.
● The Edge server is not Domain joined, for security reasons.
● The Edge server must be synchronized with the Mailbox server.
● The synchronization must be scheduled.
● Another server or appliance is required for ActiveSync, HTTPS, POP3 and IMAP4 filtering.
Alternate Solution
A third-party SMTP gateway, such as:
● IronPort
● Barracuda
By default they filter SMTP traffic. Third-party gateways have add-ons that filter all Exchange client traffic; these are purchased separately and are pretty much mandatory.
Third Party Design
Data Flow
● Data flow begins with e-mail traffic hitting the External DNS System.
● Using the MX record, e-mail traffic is then directed to the IronPort Server.
● The IronPort Server runs anti-virus and anti-spam (Cisco Spam & Virus Blocker) on the packets.
● “Clean” packets are then forwarded to the Exchange 2013 Client Access Server.
Notes
● If anti-virus/anti-spam scanning is performed upstream of the Exchange 2013 Client Access Server, anti-virus should not be enabled on the Client Access Server.
● On the Client Access Server, the Poison Queue must be monitored. If a poison message is detected and captured, the IronPort Server is not set up correctly.
● Ensure the Inbound Queue on the IronPort Server is enabled and working. It will queue inbound e-mail if the Exchange system is down.
SMTP Gateway H.A.
● SMTP Gateway High Availability can be handled two ways:
  ● MX records
  ● Hardware Load Balancer
● The least expensive way is always MX records.
● In either case, two SMTP Gateways are required.
SMTP Gateway H.A. Diagram
Configuring MX records
● In a single site, one MX record points to SMTP 1 and the second MX record points to SMTP 2.
● The “Preference” MUST BE equal, for example 10 and 10, or 20 and 20.
● Equal preference ensures that the e-mail system can handle large spikes in inbound e-mail.
IMPORTANT: The MX record must never point to the Exchange 2013 Client Access Server!
Two-site SMTP Gateway Configuration
● Site one = both gateways have a preference of 10.
● Site two = one gateway has a preference of 20.
Note: If faster failover between sites is required, a hardware load balancer must be used.
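The MX rules from the last three slides (equal preference within the primary site, a lower-priority fallback at the second site, and no MX ever pointing at the Client Access Server) can be checked against a zone file. The following is an added example written for this page, not code from the presentation; the zone fragment and the `example.com` hostnames are constructed.

```python
import re
from collections import defaultdict

# Constructed zone fragment mirroring the two-site layout on the slides:
# site one has two gateways at preference 10, site two has one at preference 20.
ZONE_FRAGMENT = """
example.com.   IN MX 10 smtp1.site1.example.com.
example.com.   IN MX 10 smtp2.site1.example.com.
example.com.   IN MX 20 smtp1.site2.example.com.
"""

# owner [ttl] IN MX <preference> <exchange host>
MX_LINE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+MX\s+(\d+)\s+(\S+)\s*$")

def parse_mx(zone_text):
    """Return a list of (preference, hostname) tuples from the MX lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return records

def mx_tiers(records):
    """Group gateway hosts by preference; lowest value (tried first) comes first."""
    tiers = defaultdict(list)
    for pref, host in records:
        tiers[pref].append(host)
    return [(p, sorted(tiers[p])) for p in sorted(tiers)]

def check_mx_design(records, cas_hosts):
    """Apply the deck's rules; return a list of findings (empty means OK)."""
    findings = []
    cas = {h.rstrip(".").lower() for h in cas_hosts}
    for pref, host in records:
        if host in cas:  # MX must never point at the Client Access Server
            findings.append(f"MX {pref} points at Client Access Server {host}")
    tiers = mx_tiers(records)
    if not tiers:
        findings.append("no MX records found")
    elif len(tiers[0][1]) < 2:  # primary tier needs two equal-preference gateways
        findings.append(f"primary tier (preference {tiers[0][0]}) has only one "
                        "gateway; two gateways with equal preference are required")
    return findings
```

Running `check_mx_design(parse_mx(ZONE_FRAGMENT), ["cas1.example.com"])` on the constructed fragment returns no findings; a zone whose fallback MX names the CAS host is flagged.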