OWA in Exchange 2007 - is this secure enough?

I have been researching the best/cost effective/secure way to implement OWA and have come to the conclusion that installing Exchange 2007 and using a secure frontend (Edge transport) server will be my best option.

Will this method be secure enough and why?
Where should the frontend server sit eg internal network or DMZ? (why?)
gpersandAsked:
Spot_The_CatCommented:
It should sit in the DMZ or perimeter network.

Best to switch off HTTP and just use HTTPS, as all traffic will be encrypted - should stop man-in-the-middle attacks. If you're particularly worried about security you could implement third-party authentication like RSA tokens. You can also go further, but the more you tie down the security, the less functional it becomes.

Hope that helps.
0
LeeDerbyshireCommented:
The Edge Transport server isn't the same as the older E2003 FE server.  You can't use it to access OWA - it is an SMTP transport only.  You would need to install a CAS server in your DMZ, but that isn't officially supported.
0
gpersandAuthor Commented:
I'm confused now. How many servers do I need?
What is a CAS server?
0
LeeDerbyshireCommented:
You can have everything (i.e. all roles) on one server, if that is sufficient for your requirements.  The CAS role is the Client Access Server role.  An Edge server is optional, and requires its own server.
0
gpersandAuthor Commented:
Is it secure to have the F-end server in the DMZ and the CAS on the B-end exchange server ?
0
Redwulf__53Commented:
There is no F-end server for ex2007 (as LeeDerbyshire already mentioned), only the Edge Transport. MS recommends placing this in a DMZ. It only takes care of SMTP: (optional) antivirus and anti-spam. You will need to publish port 443 from the internet to a CAS server on the LAN... the most secure way to do this at the moment is through a Microsoft ISA server, as this firewall product does the most thorough checking of the traffic: the user logon takes place in the ISA server, so only HTTP(S) traffic of already authenticated users is allowed to be forwarded to the LAN.
0
gpersandAuthor Commented:
I thought that using a HTTPS Edge Transport server was secure and NO ISA server would be needed?
0
LeeDerbyshireCommented:
Note that the Edge Transport server has nothing to do with OWA (I think that this is what you were originally asking about).  Some people put a CAS server in a DMZ, in an equivalent role to the old FE server.  This means that lots of ports then need to be opened up at the firewall.  This, plus the fact that it's unsupported, would be enough to dissuade me from doing it.  Your cheapest option is to pass port 443 (for SSL) into your existing server.  I would suggest that this is adequate for most small companies, since I don't believe there are any current IIS/SSL exploits out there.  Your most secure option (but obviously more expensive) is to add the aforementioned ISA server.
0
gpersandAuthor Commented:
Sorry for being dumb but I have a few more questions to clarify the information above.

What do I need to make this work securely (how many servers)?
I know I will need 1 Exchange 2007 server. Is this the CAS as well?
What is the purpose of the CAS server?
As I understand it, I will need an Edge Transport server. Where does this sit?

Please make this simple as it is very confusing so far
eg dmz = edge transport, internal = cas, internal = exchange server  
0
LeeDerbyshireCommented:
The CAS role takes care of client access, i.e. your users will connect Outlook to it, and use it for OWA.  In previous versions, it could be taken for granted that a single Exchange server could do this, as well as managing the Information store (now part of the Mailbox role), and handle mail flow (now part of the Hub Transport role).  MS have (perhaps confusingly) made it possible to separate all these roles into different servers, although the default installation choice will still put them all on one.  The Edge Transport isn't necessary, unless you want to prevent direct SMTP connections into your LAN.  It is just used to offload the tasks of virus scanning and spam blocking onto another server.  If you do have one, it is best placed in a DMZ.

Yes, it is confusing.  But most people just go for the single server setup.
0
gpersandAuthor Commented:
Please correct me if I am wrong:
1 x edge transport in DMZ (I would like to prevent direct smtp connections direct to the lan)
1 x CAS on LAN (to help offload the stress on the Exchange server)
1 x exchange server on the lan
0
LeeDerbyshireCommented:
That is certainly a possibility.  Since E2007 makes it easy to separate roles in this way, it's entirely up to you how you organize things.  When you run the E2007 setup, you just select which roles you want to install.
0
gpersandAuthor Commented:
I only have 150 users and the max connecting using OWA will be about 50.
My Exchange server has 2 x 2GHz Xeon quad-core processors and 4GB of RAM.

Will it be fine to put the CAS and the Exchange server on this spec pc?
0
LeeDerbyshireCommented:
Yes, I would say so.  Of course, it depends on many things, such as how big you are prepared to let your users' mailboxes grow over the coming years; but initially, I would say that it sounds okay.
0
Redwulf__53Commented:
NO it is NOT enough. We have rolled out a number of servers with 4GB, and you will notice BAD performance after a few months.
Microsoft recommendation (for JUST the mailbox role): 4GB + 50MB PER USER. So, unless you have zero users, you will always need more than 4GB. Additionally, you need about 1 GB for the CAS role. So I now always recommend a standard 8 GB for a mail server that has all roles.
0
gpersandAuthor Commented:
Our current Exchange 2003 server has 2 x 3.2GHz Xeon dual-core processors and 4GB of RAM and works fine.
Will Exchange 2007 with the CAS be that much more stressful to the server?
Were the roll-outs you did using Exchange 2007?
0
Redwulf__53Commented:
Yes. Like every new version of any Microsoft product, double the system requirements.
0
gpersandAuthor Commented:
Thanks Redwulf.
0