edge transport role in exchange 2007

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

We have just done a migration to Exchange 2007 at work. Previously we had a single exchange 2003 server. We have just gone for the typical installation with hub transport, client access and mailbox roles. As I understand it the only way to get the spam handling features and the blocklist features that are available in exchange 2003, isto have a second server in front of a firwall that is not in your AD running the edge transport role.
Is this the case? For smaller organisations that cannot or do not want to use a second server this is a bit of a pain. Also I wonder how this will work when exchange 2007 is included in SBS servers.
Anyone got any views?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

That's correct, Edge Transport sits on a server that can't have any other Exchange Roles. This is because of the security necessary for Edge Transport to function as required - it can't be part of your AD infrastructure and must be completely separate. it communicates with AD by means of ADAM (Active Directory Application Module - form memory, that may be wrong!) and it has been designed from the ground up with security in mind.

M$' idea here is that you replace your anti-spam, av and malware boxes with one big M$ product (good luck selling that one!) so, theoretically, although you will spend more money kitting out an ET server you should save in the long run by removing two or three other appliances from your racks.

Gawd alone knows what will happen when SBS ships with E2K7 - i would imagine the ET role will simply not be offered, or may be reduced licensing costs involved in purchasing a second server - since it isn't inherently part of your AD topology I'd imagine the licensing model for it will be very different, maybe based on connection or mail volume or something.

 

Thats not entirely true
many of the features available in the edge transport can be run on any hub transport server
however you lose some of the security benfits of having it on a non domain, external to the perimeter system

that said it will still be more secure than your old single 2k3 server

the edge transport server is an option, and whilst its a good one its not a one size fits all one, which is exactly why exchange 2007 was sliced into roles in the first place

have a look on the technet website for info on securing your hub transport server and what features can be enabled/configured

 

Spam features CAN be enabled on a Hub Transport server, it is quite possible to have a single Exchange 2007 server with the hub, cas and mailbox roles. Although this is not best practice and certainly not recommended.

The following powershell script will enable the antispam filters on the Hub Transport role.

install-AntispamAgents.ps1

The script can be found in the Program Files\Microsoft\Exchange Server\Scripts folder.

You will need to restart the transport service aftwards.

 

Thanks for the advice guys. I might look at putting some of these roles on the hub transport server.