Configuring firewalls and name resolution for Edge Transport servers
Posted by Bharat Suneja at 9:07 AM
If you're planning to deploy the Edge Transport server role in a perimeter network (aka "DMZ"), here are the ports you'll need to open:
Inbound:
From external network (internet) to Edge server: SMTP - tcp port 25
From Edge server to Hub Transport servers on internal network: SMTP - tcp port 25
Outbound:
From Edge to external network/internet: SMTP
From Hub servers to Edge: SMTP, LDAP for EdgeSync (tcp 50389), Secure LDAP for EdgeSync (tcp 50636).
Additionally, it's a good idea to open RDP (tcp port 3389) from your internal network to the Edge so it can be managed without KVM/console access.
The ports used for EdgeSync - 50389 and 50636 - can be changed using the ConfigureAdam.ps1 script, for example:
ConfigureAdam.ps1 -ldapport:5000 -sslport:5001
DNS/Name Resolution:
1. Since the Edge server is not a member of the AD domain, it may not have the primary DNS suffix populated by default. Make sure you configure the appropriate DNS suffix on the Edge Transport server - this is done from System Properties | Computer Name tab | Change | More | Primary DNS suffix of this computer. Important: You cannot change the primary DNS suffix of the Edge server after you install the Edge Transport server role.
2. The Edge server should be able to resolve the FQDNs of the Hub Transport servers. This can be done either by using static entries in the HOSTS file on the Edge, or by allowing the Edge server to use an internal DNS server (this would require allowing DNS traffic from Edge servers to internal DNS servers). Alternatively, you could create a DNS zone in the perimeter network that the Edge server can access, and populate it with A records for the Hub Transport servers.
3. The Hub Transport servers should be able to resolve the FQDNs of the Edge Transport servers. This can be accomplished by adding A records for the Edge servers in your internal DNS zone.
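As an added example (not code from the original post or from Microsoft), the PowerShell script below checks the firewall and name-resolution items above from either side: run with -Role Edge on the Edge Transport server it reports the primary DNS suffix, resolves each Hub FQDN and tests SMTP (tcp 25) to it; run with -Role Hub on a Hub Transport server it resolves the Edge FQDN and tests tcp 25, 50389 and 50636. The hostnames are placeholders, and the EdgeSync ports are assumed to be the defaults unless ConfigureAdam.ps1 changed them.

```powershell
# Added example, not code from the original post or from Microsoft. Hostnames are
# placeholders; the EdgeSync ports must match what ConfigureAdam.ps1 set on the Edge.
param(
    [ValidateSet('Edge','Hub')] [string] $Role = 'Edge',
    [string[]] $HubServers = @('hub01.corp.example.com', 'hub02.corp.example.com'),
    [string]   $EdgeServer = 'edge01.corp.example.com',
    [int]      $LdapPort   = 50389,
    [int]      $SslPort    = 50636,
    [int]      $TimeoutMs  = 3000
)
function Test-TcpPort {
    # Plain TCP connect with a timeout; avoids Test-NetConnection so it also runs on older hosts.
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Resolve-Fqdn {
    # Returns the first address the local resolver (DNS or HOSTS file) gives for $Fqdn, or $null.
    param([string]$Fqdn)
    try { return ([System.Net.Dns]::GetHostAddresses($Fqdn) | Select-Object -First 1).IPAddressToString }
    catch { return $null }
}

function Show-Result($Target, $Ip, $Port, $Open) {
    Write-Host ("{0} ({1}) tcp/{2}: {3}" -f $Target, $Ip, $Port, $(if ($Open) { 'open' } else { 'BLOCKED' }))
}
if ($Role -eq 'Edge') {
    # The primary DNS suffix must be in place before the Edge role is installed; it cannot be changed afterwards.
    $suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
    if ([string]::IsNullOrEmpty($suffix)) { Write-Warning 'Primary DNS suffix is not set on this server.' }
    else { Write-Host "Primary DNS suffix: $suffix" }
    foreach ($hub in $HubServers) {
        $ip = Resolve-Fqdn $hub
        if (-not $ip) { Write-Warning "$hub does not resolve (check the HOSTS file or perimeter DNS zone)"; continue }
        Show-Result $hub $ip 25 (Test-TcpPort $hub 25)      # SMTP from Edge to Hub
    }
} else {
    $ip = Resolve-Fqdn $EdgeServer
    if (-not $ip) { Write-Warning "$EdgeServer does not resolve; add an A record in the internal DNS zone"; exit 1 }
    foreach ($port in 25, $LdapPort, $SslPort) {             # SMTP, LDAP and Secure LDAP for EdgeSync
        Show-Result $EdgeServer $ip $port (Test-TcpPort $EdgeServer $port)
    }
}
```

A BLOCKED result for a port that resolves correctly points at the firewall rule between the two networks; a resolution warning points at step 2 or 3 above.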
Labels: Exchange Server 2007, Security, SMTP
1 Comment:
Thanks for this info and your posts on Exchange Server 2007 in general. Very useful!
Geert (http://blog.baeke.info)