Edge Transport 3rd party mail filter before Exchange 2010

Not open for further replies.


MODEL: I want to have Edge 2010 running in DMZ behind a TMG server (no TMG for Exchange) - presumably mail will flow inbound port 25 to external NIC --> TMG allows to Edge --> Edge Sends to Internal network where 3rd party filter is running --> 3rd party filter then passes to Exch Hub Transport (after passing rules).
Will Edge Sync still work? Does the Edge Subscription Mean anything now? Will Edge Transport still be able to send to internal network?

In other words - what happens when something else is in between Edge Transport grabbing port 25 mail and then relaying to Exch 2010?



Sembee [MVP]

What is the point in having Edge? If you are using a third party product to filter email then why not have email delivered straight to that. It then passes it to the internal Hub transport. Edge is designed to do the filtering for you, meaning that you don't have another product involved, or if you do it is integrated with Exchange, not running its own SMTP engine.


Simon Butler, Exchange MVP

Brian Day MCITP

There are still some things Edge can do in this kind of deployment, although I'd personally not recommend it. You could put a 3rd party filtering application on the hub transport if you wanted a non-MS application somewhere in the SMTP pipeline.

1. If filtering is enabled, reduce the load hitting the 3rd party device.

2. User consolidated block/allow lists (Although the 3rd party device could mess up the allowed mail)

3. Edge-only Transport Rules

4. Shared namespace routing

5. Address re-writes (as long as Hub sends out through it)

6. Immediate filtering out of bad recipients

Microsoft Premier Field Engineer, Exchange
MCSA 2000/2003, CCNA
MCITP: Enterprise Messaging Administrator 2010
Former Microsoft MVP, Exchange Server
My posts are provided "AS IS" with no guarantees, no warranties, and they confer no rights.


To start - we already had a filtering solution in place, licensed etc etc. But the 3rd party filtering solution is great for outgoing mail as well, before it even leaves the organization. I can also control who is permitted to relay off the server internally, and we use this greatly for many kinds of notifications and alerts. Custom rules are also built to digest the content of mail - for example search a database of customer identification information - before the mail is even allowed to leave, strip attachments and so forth. I am sure that Edge also allows me to do some of these things, but the idea is that Edge is out in a DMZ, which means mail would have had to leave the organization before finding out.

Edge also affords me a smarter host in the DMZ for my filtering agent to use true source IP address lists and other tools to block/kill - my goal was to go from a dumb virtual SMTP box in a DMZ to a smart host that could also handle re-queuing properly and NDR reports better for compliance.

In my model - the HUB listens only to the 3rd party engine for SMTP and sends to the same engine; from there the 3rd party software would send to Edge.

But as you mentioned, I wanted to leverage Edge to kill more mail at the perimeter, then the second layer of filtering would protect both the incoming mail, but also outgoing. (Items 1 and 6 above)

Bottom line is that Edge will still work to send to the SMTP listener - what would I have to expect in this model?

And could you explain a couple of the other options you mention above. (2, 3, 4, 5)



Sembee [MVP]

As far as I am aware, Edge will want to deliver straight to Exchange, not to another product that is listening for SMTP traffic.

If your third party product isn't Exchange integrated (which it isn't if it has its own SMTP engine) then why don't you put that in the DMZ? If it is running its own SMTP engine, then do the internal Exchanges deliver to it via some kind of smart host? If so, then it has left your Exchange org, so there is no reason not to put it in the smart host.
I am really struggling to see why you are even considering Edge in this scenario, other than you have an investment in another product, which doesn't do everything that you need, but don't want to write it off.
Any decent antispam application should be able to do recipient validation using LDAP, if it cannot then I wouldn't even consider it. Recipient Validation can knock out over 70% of spam email in some cases.

The other functionality of Edge, I can do without, or achieve with third party tools for a lot less than an additional Exchange licence. Consolidated safe senders from the Outlook clients is the only thing I can't, and that isn't something I will miss too much.


Simon Butler, Exchange MVP


Hi smurfman,
Sembee gave some good suggestions; I totally agree with him.
If you want to deploy the third-party product, I would plan it as below:
inbound email -> the third-party product -> Edge server -> Hub server
That means the third-party product acts as an SMTP filter gateway.