
Move Exchange 2007 Client Access Role to another server in DMZ


I have a Windows 2003 domain with an Exchange 2007 server installed as the mail server.
All Exchange roles are installed on the Exchange 2007 server except the Edge server; the 'Edge' is installed on a Windows 2008 Foundation server in the DMZ zone.
Now, our company policy says that 'OWA' can't be published through port 80/443 on our firewall to the Exchange server on our LAN.

If I have to follow that policy, I read about 2 options:
ISA server installation in the DMZ or moving the exchange 'CAS' role to the DMZ.

So my question is, what is the best option (are there other options), and what is possible?

I prefer to move the 'CAS' role to the DMZ; an ISA server is again an extra license...
Can I move the 'CAS' role onto the Edge server? Or do I have to install a second 64-bit server in the DMZ?

If it's not possible to install it on the same server/platform as the Edge, can I make a virtual 'CAS' on that server?


3 Solutions
First of all, the CAS role and the Edge Transport role cannot be on the same server. The Edge server requires a dedicated server. Moving the CAS role to the DMZ is not such a good option.
No matter what the firewall guys tell you, they need to open port 443 for communication either with Exchange or with ISA. So in my opinion it is just a gimmick. But still, you can use the CAS server in the DMZ.
The following quote is from Microsoft:
"You should NOT put CAS in the DMZ. It's not a scenario we test, support, or recommend. CAS isn't designed to live there. ISA is designed to work in the DMZ. You can put ISA there, and have it connect to the CAS in your internal network."


>> So my question is, what is the best option

There is only really one option, and that is the ISA Server option in the DMZ. With the exception of the Edge Transport role, none of the other Exchange 2007 roles are designed or intended to be located in the DMZ. If you located your CAS there, you would actually REDUCE the security of your network compared to your current configuration, because you have to open a ton of sensitive ports between the DMZ and the internal network. Please see my article here at EE for more details on why this is a problem: http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-you-shouldn't-put-an-Exchange-Server-in-the-DMZ.html.

You cannot place the CAS onto the Edge box because that machine is not joined to the domain. Yes, you could virtualise it, but see above for the security reasons why you shouldn't.

If you don't want or cannot afford to go down the ISA route, most Exchange administrators would prefer to keep the CAS on the internal network, published through a port 443 firewall rule.

Kozzn (Author) commented:
Thanks for the info.

I'm going to keep the CAS in my internal network.

The problem is the connection from the internet to Exchange 2007 for our iPhones...
The iPhone connects to OWA for mail synchronisation.

If I want to publish OWA through the firewall on port 443 (or another port, 8443), where do I have to configure these settings in Exchange?

If publishing through the firewall will not be permitted, and ISA is our only option, which version do I have to buy?
What about the price of the ISA license?
It's only for the iPhone connection; we must see if it's worth that...



The iPhones will need port 443 open to connect.

You can publish Exchange through either ISA 2006 or Forefront Threat Management Gateway (TMG) 2010, the new version of ISA. You are obviously going to need another box and Windows Server license for those products to sit on. Depending on where you obtain your licenses, you might be looking at $1000+.

Frankly, if deploying ISA/TMG is only going to be for iPhone usage, I cannot see the cost can be justified. You aren't creating any MAJOR security holes in your firewall by opening 443 to the CAS box -- they certainly aren't holes which would make me lose sleep at night.
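The two answers above agree on keeping the CAS internal and publishing it through a single 443 rule, but the thread never shows where that is configured on the Exchange side. The following Exchange Management Shell session is an added example and not code from any participant; the server name CAS01, the public name mail.example.com and the certificate thumbprint placeholder are assumptions, and the cmdlets are the standard Exchange 2007 SP1 ones.

```powershell
# Added example: publish OWA and ActiveSync from an internal Exchange 2007 CAS
# through one inbound 443 rule. CAS01 and mail.example.com are placeholders.
$cas     = "CAS01"            # assumed name of the internal Client Access server
$extHost = "mail.example.com" # assumed public DNS name the firewall NATs to the CAS

# 1. Confirm the certificate bound to IIS carries the public name; a name
#    mismatch is the most common reason phones refuse to sync over 443.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, CertificateDomains, NotAfter, IsSelfSigned
# If a proper certificate is imported but not yet bound to IIS:
# Enable-ExchangeCertificate -Thumbprint <THUMBPRINT-PLACEHOLDER> -Services "IIS"

# 2. Point the OWA and ActiveSync virtual directories at the public name.
#    If the firewall maps a non-standard port such as 8443, include it in the URL.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -ExternalUrl "https://$extHost/owa" -FormsAuthentication $true
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$extHost/Microsoft-Server-ActiveSync" -BasicAuthEnabled $true

# 3. Verify the published paths from the CAS itself.
Test-OwaConnectivity        -ClientAccessServer $cas -TrustAnySSLCertificate
Test-ActiveSyncConnectivity -ClientAccessServer $cas -TrustAnySSLCertificate

# 4. From a host outside the firewall, check that only 443 answers and 80 does not,
#    i.e. the rule exposes exactly the one port the phones need.
function Test-TcpPort {
    param([string]$Host, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($Host, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}
"443 reachable: " + (Test-TcpPort -Host $extHost -Port 443)   # expected: True
"80 reachable:  " + (Test-TcpPort -Host $extHost -Port 80)    # expected: False
```

Basic authentication on the ActiveSync directory is what the iPhone uses, which is why the certificate check in step 1 matters: the credentials are only protected by the TLS session on 443. The two Test-* cmdlets run against the CAS with a test mailbox and report the HTTP result for each path, so they tell you whether a sync failure is on the Exchange side or in the firewall rule before anyone touches the firewall.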

Kozzn (Author) commented:
Thx for the info, I have reasons/info enough to go for publishing through 443 on our firewall.
