subject: exchange

Rui Silva - Exchanging Knowledge About Exchange

Disclaimer

  • This posting is provided "AS IS" with no warranties, and confers no rights.
    The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. Please use the Exchange Forums for support requests.

Edge Server: to ISA or not to ISA

From Edge Transport Server Role - Overview:
"In Exchange 2007, the Edge Transport server role is deployed in your organization's perimeter network as a stand-alone server. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow, which provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization."

One of the many questions I get asked is whether we should use ISA Server to publish an Exchange 2007 Edge Server. There's not much prescriptive guidance from Microsoft about this subject; they just say to put the Edge Server in the DMZ.

Well, the answer is: Yes and No!

Let's use the following picture to help with the answer:

[Image: Edge_ISA]

  • YES - If you use ISA Server as your perimeter firewall (FW1), then just open port 25 (SMTP), so that mail can flow from/to the Internet.
  • NO - If you already have your perimeter network in place with 3rd party firewalls, just drop the Edge Server in the DMZ; there's no need to provide that "extra protection" by placing it behind an ISA Server.

The picture depicts an ISA Server on the Perimeter Network. This server is used for publishing other Exchange Services, such as OWA, Outlook Anywhere and ActiveSync.

If the Perimeter Firewall (FW1) is Microsoft ISA Server, then you should not use any application filtering when publishing Edge Server. ISA Server 2006 discontinued the SMTP Message Screener, but the SMTP Filter is still there. You can check this in the properties of the SMTP Server protocol, as seen in the following picture:

[Image: isa_smtp_server]

What you can (and should) do, if you ever need to place an Edge Server behind an ISA Server, is define a new SMTP Server custom protocol that does not use any application filter.

[Image: isa_smtp_server_custom]
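A check you can run after publishing the Edge Server, added here as an example (not part of the original post): it compares the ESMTP extensions the server advertises when reached directly with those seen through the published port 25. It assumes a filter that alters the SMTP session would show up as a difference in the EHLO reply; the host names and the two sample replies are constructed.

```python
import io
import socket

# Constructed sample EHLO replies (not captured from a real server).
DIRECT = (b"250-edge.example.com Hello\r\n250-SIZE 10485760\r\n"
          b"250-PIPELINING\r\n250-8BITMIME\r\n250 STARTTLS\r\n")
PUBLISHED = b"250-edge.example.com Hello\r\n250-SIZE 5242880\r\n250 8BITMIME\r\n"

def read_reply(f):
    """Read one SMTP reply, multi-line aware; return (code, [text lines])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":  # "250-" continues, "250 " ends
            return int(line[:3]), lines

def parse_ehlo(lines):
    """Map extension keyword -> parameters; the first line is the greeting."""
    ext = {}
    for line in lines[1:]:
        parts = line.split(None, 1)
        if parts:
            ext[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return ext

def probe(host, port=25, helo="probe.example", timeout=10):
    """Connect, send EHLO, and return the advertised extensions."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        if read_reply(f)[0] != 220:
            raise RuntimeError("unexpected SMTP banner")
        f.write(b"EHLO " + helo.encode("ascii") + b"\r\n"); f.flush()
        code, lines = read_reply(f)
        f.write(b"QUIT\r\n"); f.flush()
        if code != 250:
            raise RuntimeError("EHLO rejected with %d" % code)
        return parse_ehlo(lines)

def compare(direct, published):
    """Report what differs on the published path relative to the direct one."""
    both = direct.keys() & published.keys()
    return {"missing": sorted(direct.keys() - published.keys()),
            "added": sorted(published.keys() - direct.keys()),
            "changed": sorted(k for k in both if direct[k] != published[k])}

def demo():
    """Run the comparison offline on the constructed samples above."""
    return compare(parse_ehlo(read_reply(io.BytesIO(DIRECT))[1]),
                   parse_ehlo(read_reply(io.BytesIO(PUBLISHED))[1]))
```

Against live hosts, call `compare(probe(edge_internal_address), probe(published_address))`; an empty result in all three lists means the published path presents the same ESMTP surface as the Edge Server itself.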

