RE: Scan Gateway
I would advise putting your gateway on a separate box. I don't know how big your network is, but for 100 users, the gateway could be a simple PC.

As for DNS, W2K/AD is all about DNS, DNS, DNS. Plan on having 2 DNS servers. For that matter, plan on having 2 DC/GC's. So make each of those a DNS server as well.

-----Original Message-----
From: Fioon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 17, 2003 6:45 PM
To: Exchange Discussions
Subject: Scan Gateway

We're exploring the infrastructure on our network to be ready for Win2k. There are some areas which are question marks.

Email scanning gateway to be placed on the DMZ, e.g. TrendMicro/Mailsweeper. Should it be placed in a different box or should it be placed in the same box with the Front End Server? So far, we have been consulted by 2 suppliers.

One said it's better to put it in a different box, because putting it in one box with the FE is useless. The reason is that if email comes into the FE, and only then the scan gateway scans the mail, it is too late. The virus has already come into the FE; the scan will not help.

And the other supplier said it's OK to put it in the same box with the FE.

Another question: for a Win2k environment, is DNS very important? Once DNS is down, and no cache is available, does it mean clients cannot log on to the network?

Thanks
Fioon

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]
RE: Scan Gateway
Our environment only has 275 users internally, and another 50 users access from overseas using OWA or POP3. Do you have any reason why the gateway should be run on a separate box?

Thanks

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 10:31 AM
To: Exchange Discussions
Subject: RE: Scan Gateway
Re: Scan Gateway
With an empty root, make that at least 4 DCs.

Fioon, as for logging on, DNS is more about name resolution than it is about authentication. However, if your DC can't find a Global Catalog then your clients won't be able to log on to the domain. IIRC, this requirement has changed in Windows 2003.

----- Original Message -----
From: "Martin Blackstone" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Tuesday, June 17, 2003 10:30 PM
Subject: RE: Scan Gateway
Re: Scan Gateway
Simply because it's the easiest way to manage it. If it ever crashes or requires maintenance or upgrading, it won't affect other services.

----- Original Message -----
From: "Fioon" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Tuesday, June 17, 2003 10:31 PM
Subject: RE: Scan Gateway
RE: Scan Gateway
Correct. Another nice thing about the gateway on a separate box is that it gives you a place to capture and hold email if you need to bring your Exchange boxes down for anything. It sits there nice and pretty and when Exchange comes back up, the mail goes in.

-----Original Message-----
From: Andy David [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 4:48 AM
To: Exchange Discussions
Subject: Re: Scan Gateway
RE: Scan Gateway
Thanks everyone. But but but.. pardon me, these points are good for an IT engineer but not for management, whereby they will ask questions such as: even though in the same box, it will still be able to capture and hold the email if the BE is down. They never care about the problem of crashes, upgrades etc. :) So I was thinking of any reason that I never thought of, and of course it should be valid to scare management off so that they agree to have it on a dedicated box...

Thanks ...

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 8:59 PM
To: Exchange Discussions
Subject: RE: Scan Gateway
RE: Scan Gateway
At TechEd, one of the MS dudes told us that MS doesn't use AV on the mail servers at all. All email is scanned by gateway servers. Maybe he will like that. "We can be just like MS"

-----Original Message-----
From: Fioon [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 8:05 PM
To: Exchange Discussions
Subject: RE: Scan Gateway
RE: Scan Gateway
Currently we're the same way. There are two other advantages of having a dedicated gateway scanner.

It's typical for the AV vendors to have one or two bad virus definition files a year. I've seen them totally hose up a box when they're real bad. If you have that at the gateway, your internal mail flow will still work while you repair the gateway. People may notice that they are not getting internet mail, but won't be screaming as loud as if you took their mailbox server off line.

Second advantage is upgrade path. Since the gateway is a separate box and passes all mail via SMTP, you can upgrade the antivirus or the Exchange system separately from each other without impact. If you needed to install a hotfix for Exchange or the OS, you can do so without having the extra variable of the antivirus product in the mix.

Costs are always a concern with the ducks, but the AV gateway doesn't need to be a huge server. We ran a dual 500 MHz, 500GB RAM with two disk arrays on our inbound server and were handling around 100k messages a day on it. It rated about 5000 an hour before we upgraded to a larger server. That server may run you about 3-4k depending on your vendor but you probably wouldn't need something even that large.

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 11:31 PM
To: Exchange Discussions
Subject: RE: Scan Gateway
RE: Scan Gateway
My environment:

The first stage of external email scanning will be on the DMZ (Trend Micro Server Gateway). Email flows from the Internet to the firewall and passes to the Trend server in the DMZ for content scanning, then email flows back to the firewall again, and then flows into the internal net (Exchange Server) and goes through the second AV scan inside the Exchange Server.

The Exchange Server itself, located inside the internal net, will have AV Exchange (Symantec) installed to be the second scanning stage, or to be the internal email scan.

So in this scenario, your 2 points can't be justified because I still have one AV in the Exchange that might have your 2 points' problem.

Thanks

-----Original Message-----
From: Schwartz, Jim [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 9:10 PM
To: Exchange Discussions
Subject: RE: Scan Gateway
RE: Scan Gateway
Actually it would be. You could turn off AV scanning on your Exchange servers (for a short time) while the issue was corrected with a bad virus definition. You could also allow the mail traffic to pass directly to your Exchange servers if the gateway goes bad. Same process for a path of upgrade issue.

You have it even easier as the gateway product and the Exchange AV product are from 2 vendors. One of them is bound to catch the virus even if the other fails.

-----Original Message-----
From: Fioon [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 9:56 PM
To: Exchange Discussions
Subject: RE: Scan Gateway