Firewalls inside Exchange 2010 organisation
Hi, can someone please confirm Microsoft's stance on non-Windows firewalls in between internal Exchange servers? I know putting CAS in a DMZ is not supported, but where I am now, we have two internal firewalls at each end of the MPLS network which will separate the CAS, HT and MBX servers at each site (three of each role at each site). DAGs do not traverse this link. It seems to me that this is not ideal, but what is the official line? I can't find anything on it. Thanks, Kev
August 17th, 2011 9:17pm

Hi Kev, I am not sure why you would do it (three of each role at each site). Check these articles and let us know if it helps: http://support.microsoft.com/kb/270836 http://technet.microsoft.com/en-us/library/bb331973.aspx What is the name of the third-party firewall you are using?
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
August 18th, 2011 1:30am

Hi, Please understand the following: Installation of a Client Access server in a perimeter network is not supported. The Client Access server must be a member of an Active Directory directory service domain, and the Client Access server machine account must be a member of the Exchange Servers Active Directory security group. This security group has read and write access to all Exchange servers within your organization. Communications between the Client Access server and the Mailbox servers within the organization occur over RPC. It is because of these requirements that installing a Client Access server in a perimeter network is not supported. So if you do want to deploy CAS in DMZ, then that would be beyond our support boundary. Thanks for your understanding. Xiu
August 19th, 2011 3:44am

Hi Xiu, I know about CAS in DMZ, and that's not the problem here. What I am faced with is two network teams who do not allow each other access to their portion of the network. This has resulted in firewall devices (Cisco) at each end of the MPLS. We are now putting in a global Ex2010 org with CAS, HT and MBX servers at each site. Basically, the servers at each site are separated by two firewalls even though the MPLS is basically an internal network. The reason we have several roles at each site is to serve each set of users; they are geographically separated, North America and Australia. I would personally like to see the firewalls removed. My question is really, is this scenario supported? Can we have an Exchange org that has firewalls dividing the org into two? Cheers, Kevin
Not recommended, but supported. To quote a Microsoft Support Engineer: "Placing firewalls that restrict traffic between Exchange servers is not supported. You need to ensure that traffic is unrestricted between the servers in order to be supported"
August 22nd, 2011 7:55am

Hi Xiu, I know about CAS in DMZ, and that's not the problem here. What I am faced with is two network teams who do not allow each other access to their portion of the network. This has resulted in firewall devices (Cisco) at each end of the MPLS. We are now putting in a global Ex2010 org with CAS, HT and MBX servers at each site. Basically, the servers at each site are separated by two firewalls even though the MPLS is basically an internal network. The reason we have several roles at each site is to serve each set of users; they are geographically separated, North America and Australia. I would personally like to see the firewalls removed. My question is really, is this scenario supported? Can we have an Exchange org that has firewalls dividing the org into two? Cheers, Kevin
August 22nd, 2011 7:09pm

Oh... Then we need to ensure that the Exchange servers can communicate with each other; the related ports should be open. Also, we need to have a GC/DC in each site. Please have a look at the article below: Exchange Network Port Reference http://technet.microsoft.com/en-us/library/bb331973.aspx Xiu
August 22nd, 2011 10:49pm
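
The check behind the advice above (every port the servers need has to pass both firewalls, in both directions), as an added example that is not part of the thread and not a Microsoft tool. The rule tuple format, site addressing and sample policy are constructed; the flow list is an assumed subset to be confirmed against the Exchange Network Port Reference, with the Windows Server 2008 default dynamic RPC range.

```python
# Added example: audit a simplified first-match firewall policy for gaps in
# the flows Exchange servers need between sites. All data here is constructed.
from ipaddress import ip_address, ip_network

# Assumed subset of required flows: name -> (protocol, first port, last port)
REQUIRED = {
    "SMTP between Hub Transport servers": ("tcp", 25, 25),
    "RPC endpoint mapper": ("tcp", 135, 135),
    "HTTPS between Client Access servers": ("tcp", 443, 443),
    "RPC dynamic range": ("tcp", 49152, 65535),
}

def split(intervals, lo, hi):
    """Return (parts of intervals inside lo..hi, parts outside)."""
    inside, outside = [], []
    for a, b in intervals:
        if b < lo or a > hi:
            outside.append((a, b))
            continue
        inside.append((max(a, lo), min(b, hi)))
        if a < lo:
            outside.append((a, lo - 1))
        if b > hi:
            outside.append((hi + 1, b))
    return inside, outside

def blocked_ranges(rules, src, dst, proto, lo, hi):
    """Port sub-ranges of lo..hi that the ordered rules do not permit."""
    undecided, blocked = [(lo, hi)], []
    for action, rsrc, rdst, rproto, rlo, rhi in rules:
        if (rproto != proto or ip_address(src) not in ip_network(rsrc)
                or ip_address(dst) not in ip_network(rdst)):
            continue
        hit, undecided = split(undecided, rlo, rhi)  # first match decides
        if action == "deny":
            blocked += hit
    return sorted(blocked + undecided)  # leftovers fall to the implicit deny

def audit(rules, src, dst):
    """Map each required flow to the port ranges blocked from src to dst."""
    gaps = {n: blocked_ranges(rules, src, dst, *f) for n, f in REQUIRED.items()}
    return {n: g for n, g in gaps.items() if g}

SITE_A, SITE_B = "10.10.0.0/16", "10.20.0.0/16"  # constructed addressing
RULES = [  # constructed policy: (action, source, destination, proto, lo, hi)
    ("permit", SITE_A, SITE_B, "tcp", 25, 25),
    ("permit", SITE_A, SITE_B, "tcp", 135, 135),
    ("permit", SITE_A, SITE_B, "tcp", 443, 443),
    ("deny", SITE_A, SITE_B, "tcp", 60000, 65535),
    ("permit", SITE_A, SITE_B, "tcp", 49152, 65535),
]

if __name__ == "__main__":
    print(audit(RULES, "10.10.1.5", "10.20.1.5"))  # site A -> site B
    print(audit(RULES, "10.20.1.5", "10.10.1.5"))  # site B -> site A
```

In the sample policy the earlier deny shadows part of the dynamic RPC range, and the return direction has no rules at all, so every required flow from site B to site A is reported as blocked.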
