That's not really enough information to make a good suggestion.

Best practice?  Who's?  What're the business drivers?  Why?

Everybody does this differently but the thinking is generally to have AV
protection on the edge (SMTP GATEWAY or in this case the FE server) as well
as mail-server-type-aware AV on the mailstore server.  In this case, on the
BE server you would additionally install Exchange-aware software that uses
the AVAPI.

But if you don't have business drivers or a strategy in place, it's hard to
say if this makes sense for you or meets your goals overall.

Al

Tim,

It is best practice to use multiple tiers of antivirus software in your
defense strategy.

Typically I recommend AV products be installed at the SMTP Gateways, Mailbox
Servers, and a Client Side AV product with MAPI client scanner.

Additionally it is also a good idea to configure the Outlook Security Patch.
More information on this can be found in the office resource kit. If you are
using Exchange 2003 for OWA clients, there is a corresponding registry hack
available that performs the same function.

The best suggestion .. is

Gateway Server have SMTP virus software like  Trend Micro IMSS-->  --> Back
End Server (virus scanner for mailbox , File Scanner)

                                      So all the incoming  mails hit to the
gateway server, Anti virus SMTP software will scan all the mails and forward
to the back end server that is having virus scanner for mailboxes.so totally
three level virus protection

1. File Scanner --> protect Operation System
2.  SMTP Gateway server --> it will scan all the incoming / outgoing mails
and  protect the LAN from virus attack from external network
3  virus scanner for mailbox --> additional level anti-virus protection

Cheers
Semmal