
Integration Symantec Messaging Gateway with Exchange 2010

Created: 07 Mar 2014 • Updated: 13 Mar 2014 | 10 comments
Erick_'s picture
This issue has been solved. See solution.


I have an architecture with Microsoft Exchange 2010 with the Edge role, Hub role, CAS and DAG Mailbox server role.

What is the best architecture for integrating SMG with this Exchange 2010 architecture?



SMLatCST's picture

Typically, the SMG would be the first (and possibly only) point of contact with the outside world as far as mail goes:

This means inbound mail should hit the SMG first, which then scans and filters mail before handing it to the edge transport server, and outbound mail should be routed from the Edge Transport server out through the SMG.

Further details on SMG best practices can also be found in the below article:

Erick_'s picture


If the Edge server already contains filtering rules, how can we deal with that with regard to Symantec Messaging Gateway?

Does the fact that Symantec Messaging Gateway is the first point of contact with the outside make the integration easy?


SMLatCST's picture

The SMG itself has quite a few content filtering options:

It's up to you where you'd prefer to do that kind of filtering.

Typically, it makes sense to perform the SPAM filtering first so that there's less mail getting through to (and therefore less load being placed on) the Exchange servers.

Assuming the filtering rules are for legitimate email, then they should get past the SMG to be processed as normal by your current Exchange ruleset.

Erick_'s picture


Am I obliged to use Mail Security for Exchange to enforce the mail security architecture?

Many thanks

SMLatCST's picture

I'm unclear what you mean here.  It's entirely up to you what and how you want to use the mail security products.

However, it is only Mail Security for Exchange (SMSMSE) that is capable of performing scans of the information store itself, while the SMG can only scan mail in transit.

I've personally always positioned the SMG for protection against external email threats, while using SMSMSE to protect against propagation of threats via internal mail (and historical threats in the information/mail store).

Erick_'s picture


So I understand that I have to use SMG to secure mail in transit and SMSMSE for mail at rest.

Another question about the SMG: which Exchange 2010 connectors between Edge -> SMG must I configure to handle inbound and outbound traffic?


SMLatCST's picture

That's just a setting in the SMTP Send Connector called "Route mail through the following smart hosts" to tell Exchange where to route the mail (in this case to the SMG, which will then send the mail onwards).

Inbound is described in greater detail in the link I provided earlier regarding the SMG Best Practices.
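
As an added example (not part of the original replies), the smart-host setting described in the reply above can be audited from the Exchange Management Shell, so that no Internet-facing Send connector bypasses the SMG. `smg.example.com` is a placeholder for your own SMG scanner and `<connector name>` is left for you to fill in.

```powershell
# Added example; run in the Exchange Management Shell on Exchange 2010.
# $SmgHost is a placeholder (assumption): use your SMG scanner's host name.
$SmgHost = 'smg.example.com'

# Enabled Send connectors whose address space covers all external SMTP domains.
$internetConnectors = Get-SendConnector | Where-Object {
    $_.Enabled -and
    (($_.AddressSpaces | ForEach-Object { $_.ToString() }) -match '^smtp:\*')
}

# A connector relays through the SMG only if DNS (MX) routing is off
# and the SMG is listed as a smart host.
$internetConnectors | Select-Object Name, DNSRoutingEnabled,
    @{ Name = 'SmartHosts'
       Expression = { ($_.SmartHosts | ForEach-Object { $_.ToString() }) -join ', ' } },
    @{ Name = 'ViaSMG'
       Expression = {
           (-not $_.DNSRoutingEnabled) -and
           (($_.SmartHosts | ForEach-Object { $_.ToString() }) -contains $SmgHost)
       } } |
    Format-Table -AutoSize

# To correct a connector that shows ViaSMG = False (the shell equivalent of
# "Route mail through the following smart hosts" in the console):
# Set-SendConnector -Identity '<connector name>' -DNSRoutingEnabled $false -SmartHosts $SmgHost
```

Any row with `ViaSMG` set to `False` is a path by which outbound mail can leave without being scanned by the gateway.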

Erick_'s picture

Hi, in the former architecture there were two DMZs.

Each DMZ was protected by an Edge server.

With SMG, am I obliged to follow the former architecture? Or

is it possible to have one SMG to protect the two DMZs?

Is it possible to have one Control Center for different Scanners in these DMZs?

Many Thanks

SMLatCST's picture

It's perfectly possible to install an SMG in each DMZ, and to have each of them set up as an all-in-one installation (so that it's got the scanner and Control centre bits together).

Another option is to place SMG scanners in both DMZs and manage them both from a single Control centre.

There are a number of options available to you; it's up to you to appropriately design for your environment, however.  Symantec documentation should help in that respect, just search for Best Practices in the SMG knowledge base below: