Sembee Blog of Exchange MVP Simon Butler

Exchange 2007 Edge - What is the Point?

Having now completed a few Exchange 2007 deployments and upgrades, and consulted on a few more, I have found that not one of them has featured an Edge server.

Which made me think: what is the point of Edge services for most users?

To use Edge you need to purchase another Exchange 2007 license, which isn't cheap. What do you get for your money? Simply the ability to put a machine in a DMZ or similar network.
The Edge server is just for SMTP traffic, but the most common concern I hear is from people worried about web traffic, who therefore want to put OWA in the DMZ. With Exchange 2003 this would have been a frontend server, although it is a bad idea to try to put an Exchange 2003 frontend server into a DMZ.

The anti-spam agents that are installed on Edge can be installed onto another server by simply running a PowerShell script, so the need for Edge becomes less. All that it does is move where the spam filtering takes place - and if your main Exchange 2007 server is exposed to the internet then you haven't really lost anything, other than the warm fuzzy feeling that your Exchange server is not directly exposed to the internet.

If Edge were more like ISA, but exclusively for Exchange, allowing you to have OWA in the DMZ with a small number of ports open, similar to what Edge currently requires for SMTP traffic, then it would become something worth considering.

At the moment, if you want to protect SMTP traffic then you have more options if you do NOT use an Edge server. Instead, install a standard Windows 2003 Server with IIS. That gives you the option to use most third-party products that offer a gateway facility.

I have built a few using a third-party tool on top of IIS called Vamsoft ORF. This provides the basic option of recipient filtering via an LDAP lookup and can also do greylisting. There is an article on my other site that discusses building this type of server: http://www.amset.info/exchange/gateway.asp
With that product you can even integrate antivirus software as an agent. Pick up a single copy of a server product different to what you are using internally and you have the multi-layer protection that you should be aiming for.

Even after the purchase of Vamsoft ORF and another AV product, you are still easily within the cost of another Exchange 2007 license.

Furthermore, by using Windows 2003 Standard - i.e. 32-bit software - you could use an old server that you are removing from another role without having to purchase something new. It is a basic configuration, so if the server fails, replacing it would be simple. You could even put the gateway functionality into a virtual machine and keep a copy of it. If the physical hardware fails then simply copy the virtual machine onto the replacement hardware.
