Troy Tate 0 pts. | Sep 14 2009 3:48PM GMT
Can you provide more details about your environment (e.g. banking, finance, defense contractor, etc.)? This might give us more insight into what concerns you might have. There is a lot of different traffic that has to go to/from domain controllers. Are the DCs currently on a separate firewalled subnet?
Thomas1991 25 pts. | Sep 14 2009 4:19PM GMT
At this time we have the DCs in their own zone. The member servers (in another zone) of that DC will consist only of HUB, CAS, and MBX. The major concern is that, due to Exchange's high dependence on AD, it will create additional load on the firewalls and increase management and complexity. Also, several ports need to be open between the two zones.
From the simplicity point of view, one zone makes sense. However, from the security point of view, a layered approach (two zones) should be applied.
Mrdenny 44825 pts. | Sep 14 2009 4:31PM GMT
Typically people will install Exchange within the firewall, and only put the Edge Transport servers in the DMZ.
Thomas1991 25 pts. | Sep 14 2009 4:45PM GMT
Mrdenny I understand. In our case we will not deploy Edge Transport servers.
mrdenny 44825 pts. | Sep 16 2009 2:54AM GMT
Then you'll need a lot of ports open between the Exchange server and the domain controllers in order to allow Exchange to authenticate.