Hello, I use Vamsoft ORF spam filtering software for every version of Exchange up to 2013. Now that I have deployed an Exchange 2013 for one of my customers, I have found that the server roles have been reduced. I have 3 options due to cost: set up the spam and antimalware filter provided by Exchange 2013, or the 2 options I will list below. I have a single Exchange server connected to the domain which is configured with both roles (CAS & Mailbox). I would like to know what direction I should go in. Method 2 is what I like to do, but I am unsure what it means by CAS being exposed to the internet. I have a firewall that directs all of the Exchange ports to the internal IP???? Here are the other 2 methods, let me know your thoughts. Thanks Ryan.
Scenario #1: Exchange 2010 SP3 Edge Transport + Exchange 2013
Exchange 2010 SP3 Edge Transport in the DMZ + ORF => your Exchange 2013 Mailbox Server.
This is a great setup for both Exchange and ORF, with a few minor trade-offs. If your existing Exchange 2010 setup features Edge Transport, this is the way to go.
- Pros: ORF performs best and requires the least maintenance when deployed on the network perimeter (that is, on Edge Transport).
- Pros: All previous functionality of ORF is available.
- Pros: You do not even need ORF 5.1 for this – ORF 5.0 and even 4.4 will install and work fine.
- Pros: Exchange 2010 Edge Transport is designed for DMZ use and a compromised Edge Transport server does not automatically allow an attacker access to your company network. Without Edge Transport, you would have to expose your Exchange 2013 Client Access Server (CAS) to the internet. CAS must be part of your network, so just by having Edge Transport you mitigated a security risk.
- Cons: 2010 Edge Transport must be linked with your 2013 Mailbox Server, which bypasses your Client Access Server.
- Cons: The Recipient Validation feature of ORF is not available under Edge Transport. This affects the DHA Protection feature as well, because it cannot receive data from the Recipient Validation feature.
Scenario #2: Exchange 2013 CAS + Mailbox Server (mixed)
Both roles of Exchange 2013 installed on the same server + ORF.
- Pros: No additional maintenance and configuration (if CAS is exposed directly to the Internet — otherwise, you should set up and maintain the Intermediate Host List).
- Pros: All previous functionality of ORF is available.
- Cons: Exchange 2013 CAS (a domain member server) must be exposed to the Internet, which may be a security concern ranging from “Oh, it’s OK” to “No. No. Over my dead body. No.”, depending on which school of IT security you subscribe to.