Microsoft Exchange 2010 is the latest release in the Microsoft messaging technology family. Microsoft Exchange Server 2010 brings new and improved technologies, features, and services to the messaging product line. Exchange 2010 is a role-based deployment: Exchange Hub Transport, Exchange Client Access Server, Exchange Unified Messaging, Exchange Edge Transport and Exchange Mailbox. Each of these roles is significant when you plan an upgrade or a new deployment. Careful selection and placement of servers in the different parts of the corporate infrastructure is crucial; you have to plan ahead to deploy Exchange farms. Exchange 2010 brings HA, new transport and routing, Exchange Anywhere, protection and greater compliance with corporate networks. Exchange can be deployed under many different firewall and security topologies, so it is highly important that you spend a great deal of time designing and deploying the firewall and security for Exchange. In this article, I am going to describe several firewall scenarios for Exchange deployment. I reckon you might be bombarded with spam without a wonderful device such as the Cisco IronPort, so I put greater emphasis on Cisco IronPort C series and M series firewall and anti-spam devices in each of my diagrams. Cisco IronPort is a proven technology for anti-spam, content filtering and antivirus.
Edge Firewall: This scenario allows users to access OWA from the extranet to the intranet. However, OWA is placed in the internal network. The communication from the extranet is encrypted and the communication in the intranet is not encrypted. The firewall technology used is Microsoft ISA Server 2006 or Forefront TMG 2010, and Microsoft Exchange OWA and Anywhere are published to the extranet by using the web site publishing feature of Microsoft ISA Server 2006 or TMG. The authentication used for the extranet users is Windows Authentication. This type of deployment uses two NICs on the TMG server: one designated external and the other designated internal. A small business can deploy this type of firewall for Exchange. This is not a recommended deployment for a big organisation.
Back to Back Firewall: This configuration requires two ISA Server 2006 or Forefront TMG 2010 installations on two separate servers, each with two distinct network adapters, configured to communicate with the Internet, the perimeter network and the internal network. When configuring ISA Server 2006 or TMG, the range of IP addresses used by the Internet, perimeter and internal networks has to be specified, as well as the Firewall Policy rules that govern the communication between each network. This is done in two steps that target the front firewall and then the back firewall.
Important! A front-end server is a specially configured server running either Exchange Server 2003 or Exchange 2000 Server software. A back-end server is a server with a standard configuration. There is no configuration option to designate a server as a back-end server. The term "back-end server" refers to all servers in an organization that are not front-end servers once a front-end server has been introduced into the organization.
3-Leg Perimeter or DMZ firewall: This configuration requires an ISA Server 2006 or Forefront TMG 2010 installation on a server (or servers) with three distinct network adapters, configured to communicate with the Internet, the perimeter network and the internal network. When configuring ISA Server 2006 or TMG, the range of IP addresses used by the Internet, perimeter and internal networks has to be specified, as well as the Firewall Policy rules that govern the communication between each network.
3-Leg Perimeter or DMZ firewall with a Domain Controller in Perimeter: This is a similar scenario to the one above. However, a DC with the GC role is placed in the DMZ. An external trust is created between the external DC and the internal DC. Specific ports are opened in the firewall to allow communication between the two domains. In this deployment, the internal domain(s) aren't exposed to the perimeter. Users can access OWA, ActiveSync and Outlook Anywhere from the extranet securely.
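The two 3-leg scenarios above come down to three address ranges and an ordered set of policy rules between them. The following Python model is an added example, not code from the article or from ISA Server/TMG: it encodes a constructed address plan (Internet, perimeter, internal), an ordered first-match policy with an implicit deny, and an `evaluate()` function that tells you which zone-to-zone flows the policy permits. The host addresses, ranges and port numbers are assumptions chosen for illustration; the real port list for CAS-to-Mailbox and CAS-to-Hub Transport traffic depends on the deployed roles. Running the audit shows the property the DMZ design is meant to enforce: extranet clients reach only the published CAS, and nothing from the Internet reaches the internal network directly.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for a 3-leg perimeter (DMZ) firewall.
# All ranges, hosts and ports below are illustrative assumptions.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),    # catch-all
    "perimeter": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

CAS_DMZ = ipaddress.ip_address("192.0.2.10")       # CAS published to the extranet
HT_INTERNAL = ipaddress.ip_address("10.1.0.20")    # Hub Transport (internal)
MBX_INTERNAL = ipaddress.ip_address("10.1.0.30")   # Mailbox server (internal)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src_zone: str
    dst_zone: str
    dst_hosts: frozenset  # empty = any host in dst_zone
    dst_ports: frozenset  # empty = any port


# Ordered policy: first match wins, implicit deny if nothing matches.
POLICY = [
    # Extranet users reach only the published CAS, only over HTTPS
    # (OWA, Outlook Anywhere, ActiveSync all ride on 443).
    Rule("allow", "internet", "perimeter", frozenset({CAS_DMZ}), frozenset({443})),
    # CAS in the DMZ talks to the internal mail tier on an assumed port set.
    Rule("allow", "perimeter", "internal",
         frozenset({HT_INTERNAL, MBX_INTERNAL}), frozenset({135, 443})),
    # Nothing from the Internet may reach the internal network directly.
    Rule("deny", "internet", "internal", frozenset(), frozenset()),
]


def zone_of(ip):
    """Return the most specific zone containing ip; 'internet' is the catch-all."""
    addr = ipaddress.ip_address(ip)
    for name in ("perimeter", "internal"):
        if addr in ZONES[name]:
            return name
    return "internet"


def evaluate(src_ip, dst_ip, dst_port):
    """Classify one flow: (action, reason) under first-match then default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.dst_hosts and dst not in rule.dst_hosts:
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return rule.action, f"{src_zone}->{dst_zone} matched explicit {rule.action} rule"
    return "deny", f"{src_zone}->{dst_zone} hit implicit deny"


def audit(flows):
    """Evaluate a list of (src, dst, port) flows and return the decisions."""
    return [(src, dst, port, *evaluate(src, dst, port)) for src, dst, port in flows]


if __name__ == "__main__":
    # Constructed sample flows an administrator might want to verify.
    sample = [
        ("203.0.113.5", "192.0.2.10", 443),   # extranet user -> published CAS
        ("203.0.113.5", "192.0.2.10", 25),    # extranet -> CAS on an unpublished port
        ("203.0.113.5", "10.1.0.30", 443),    # extranet -> internal mailbox directly
        ("192.0.2.10", "10.1.0.30", 443),     # DMZ CAS -> internal mailbox
        ("192.0.2.10", "10.1.0.99", 443),     # DMZ CAS -> an unlisted internal host
    ]
    for src, dst, port, action, reason in audit(sample):
        print(f"{src:>14} -> {dst:<12}:{port:<4} {action:5} ({reason})")
```

Because the policy is first-match, rule order matters: if the Internet-to-internal deny were placed first it would still behave the same here, but an allow rule listed above a narrower deny would silently widen exposure, which is exactly the kind of ordering mistake worth auditing with a model like this before touching the production rule set.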
Conclusion: DMZ is the recommended topology for the following reasons:
- It provides security by isolating intruders from the rest of the network.
- It provides application protocol filtering.
- It performs additional verification on requests before it proxies them to the internal network.
Further Help:
HP Sizer for Microsoft Exchange Server 2010
Forefront TMG 2010: How to install and configure Forefront TMG 2010 - Step by step
Exchange 2010 Deployment Assistant
Exchange 2003 – Planning Roadmap for Upgrade and Coexistence
Exchange 2007 – Planning Roadmap for Upgrade and Coexistence
How to configure a domain member in DMZ by Dr. Thomas Shinder
Deploying domain controllers in a DMZ-TechRepublic Article
How to configure Exchange 2010 Hub Transport (HT) Server
How to configure Exchange 2010 Client Access Server (CAS) Role
Step by Step Guide on Exchange Server 2010 Edge Transport Role
Understanding Disjoint Namespace Scenarios
[...] More elaborately, the front-end and back-end topology is commonly seen in multi-tier applications where the user interacts with a front-end server (example: CAS server) and that server interacts with a back-end server (example: HT server). In this Exchange deployment scenario, users interact with a front-end CAS web server placed in the DMZ or perimeter to get Outlook Web Access for reading and sending email. That web server must interact with the back-end mail server or HT server, but Internet users do not need to interact directly with the back-end HT server. The front-end and back-end server(s) do all this for you, providing maximum security. Visit Exchange 2010 deployment in different firewall scenario [...]
Thank you very much for such an informative article. In your very first scenario why have you placed the physical firewall after TMG? Will this not slow the communication?
That is a Cisco IronPort Anti-Spam device. It will not act as a firewall. IronPort does not slow down any network.
In the 3-Leg Perimeter or DMZ firewall scenario, does the CAS Server need to be a domain member?
Thank you
As a best practice, CAS should be in the internal network and a domain member. But if you have a secure DMZ then you can put CAS in the DMZ, although it is not recommended.