Firewalls inside Exchange 2010 organisation
Can someone please confirm Microsoft's stance on non-Windows firewalls in between internal Exchange servers? I know putting CAS in a DMZ is not supported, but where I am now, we have two internal firewalls at each end of the MPLS network which will separate the CAS, HT and MBX servers at each site (three of each role at each site). DAGs do not traverse this link.
It seems to me that this is not ideal, but what is the official line? I can't find anything on it.
August 17th, 2011 9:17pm
Hi Kev,
I am not sure why you would do it (three of each role at each site).
Check these articles and let us know if it helps:
What is the name of the third-party firewall you are using?
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog:
August 18th, 2011 1:30am
Please understand the following:
Installation of a Client Access server in a perimeter network is not supported. The Client Access server must be a member of an Active
Directory directory service domain, and the Client Access server machine account must be a member of the Exchange Servers Active Directory security group. This security group has read and write access to all Exchange servers within your organization. Communications
between the Client Access server and the Mailbox servers within the organization occurs over RPC. It is because of these requirements that installing a Client Access server in a perimeter network is not supported.
So if you do want to deploy CAS in DMZ, then that would be beyond our support boundary.
Thanks for your understanding.
August 19th, 2011 3:44am
Hi Xiu
I know about CAS in DMZ, and that's not the problem here. What I am faced with is two network teams who do not allow each other access to their portion of the network. This has resulted in firewall devices (CISCO) at each end of the MPLS.
We are now putting in a global Ex2010 org with CAS, HT and MBX servers at each site. Basically, the servers at each site are separated by two firewalls even though the MPLS is basically an internal network.
The reason we have several roles at each site is to serve each set of users, they are geographically separated, North America and Australia.
I would personally like to see the firewalls removed. My question is really, is this scenario supported? Can we have an Exchange org that has firewalls dividing the org into two?
Not recommended, but supported. To quote a Microsoft Support Engineer:
"Placing firewalls that restrict traffic between Exchange servers is not supported. You need to ensure that traffic is unrestricted between the servers in order to be supported"
August 22nd, 2011 7:55am
Then we need to ensure that the Exchange servers can communicate with each other; the related ports should be open. Also, we need to have a GC/DC in each site. Please have a look at the article below:
Exchange Network Port Reference
August 22nd, 2011 10:49pm
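The last reply says the firewalls at each end of the MPLS must leave the ports the Exchange roles and the domain controllers use open. The script below is an added example, not something posted in this thread, that probes a list of static TCP ports from an Exchange server on one side of the link to servers on the other side, so that a blocked port shows up before users do. The host names are placeholders and the port list is an assumption for illustration; take the authoritative per-role list from the Exchange Network Port Reference. It only uses .NET sockets so it runs on the PowerShell 2.0 that ships with Windows Server 2008.

```powershell
# Added example: probe static TCP ports an Exchange 2010 organisation relies on
# across the two site firewalls. Run from an Exchange server at one site against
# servers at the other site. Host names below are placeholders.
$checks = @(
    @{ Target = 'ht01.contoso.example';  Port = 25;   Service = 'SMTP, Hub Transport to Hub Transport' },
    @{ Target = 'mbx01.contoso.example'; Port = 135;  Service = 'RPC endpoint mapper, CAS to Mailbox' },
    @{ Target = 'dc01.contoso.example';  Port = 389;  Service = 'LDAP, domain controller' },
    @{ Target = 'dc01.contoso.example';  Port = 3268; Service = 'LDAP, global catalog' },
    @{ Target = 'dc01.contoso.example';  Port = 88;   Service = 'Kerberos' }
)

# Try a TCP connect with a timeout; $true means something answered on that port.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Target  = $c.Target
        Port    = $c.Port
        Service = $c.Service
        Open    = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    }
}

$results | Sort-Object Target, Port | Format-Table Target, Port, Open, Service -AutoSize

# Anything closed here is either a firewall rule to raise with the network team
# or a service that is not listening; either way it breaks the "unrestricted
# traffic between Exchange servers" condition the support statement above describes.
$blocked = @($results | Where-Object { -not $_.Open })
foreach ($b in $blocked) {
    Write-Warning ("{0}:{1} ({2}) blocked or unreachable" -f $b.Target, $b.Port, $b.Service)
}
if ($blocked.Count -gt 0) { exit 1 }
```

A pass on these fixed ports proves less than it looks: the CAS-to-Mailbox RPC traffic the Microsoft reply mentions also uses the dynamic RPC port range after the endpoint-mapper handshake on 135, and a connect test on a handful of static ports cannot show whether the firewalls allow that range. Treat this script as an early warning for obvious blocks, and keep the firewall rule set itself, not a probe, as the evidence that traffic between the sites is unrestricted.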