make sure that you install msme 7.6 with patch1. that is the latest version of groupshield.
for the installs you will want to have msme on the edge and hub servers as a minimum. msme can also be installed to the mailbox server but it isn't a must. the reason for this is that all mail has to go through the hub before going to another mailbox. if you don't install on the mailbox server you would lose being able to run on demand scans and mail wouldn't get removed from the users mailbox if it triggered a detection. however, it would still get picked up by the hub so no infected email would be able to spread.
i would suggest to look at our best practice guide for msme.
also with msme the install will detect the exchange role that is installed and install the necessary scanning components for that role.