Move Exchange 2007 Client Access Role to another server in DMZ


I have a windows 2003 domain with an exchange 2007 as mailserver installed.
All exchange roles are installed on the exchange 2007 server, except the edge server, the 'edge' is installed on a windows 2008 foundation server in the DMZ zone.
Now, our company policy said that the 'OWA' can 't be published through port80/443 on our firewall to the exchange server on our LAN.

If I have to follow that policy, I read about 2 options:
ISA server installation in the DMZ or moving the exchange 'CAS' role to the DMZ.

So my question is, what is the best option (are other opions), what is possible?

I prefer to move the 'CAS' role to the DMZ, an ISA-server is again an extra license...
Can I move the 'CAS' role onto the edge server? or do I have to install a second 64bit server in the DMZ?

If it's not possible to install  it on the same server/platform as the edge, can I make an virtual 'CAS' on that server?  


Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

First of All CAS Role and Edge Transport Role cannot be on the same server. Edge Server requires a dedicated server. Moving CAS role to dmz is not such a good option. \
No matter what the firewall guys tell you, they need to open port 443 for Communication either with Exchange or ISA. So in my opinion it is just a gimmick. But still you can use the CAS server in DMZ.
Following quotes are from Microsoft
"You should NOT put CAS in the DMZ.  It's not a scenario we test, support, or recommend.  CAS isn't designed to live there.  ISA is designed to work in the DMZ.  You can put ISA there, and have it connect to the CAS in your internal network. "


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

>> So my question is, what is the best option

There is only really one option, and that is the ISA Server option in the DMZ. With the exception of the Edge Transport role, none of the other Exchange 2007 roles are designed or intended to be located in the DMZ. If you located your CAS there, you would actually REDUCE the security of your network compared to your current configuration, because you have to open a ton of sensitive ports between the DMZ and the internal network. Please see my article here at EE for more details on why this is a problem:'t-put-an-Exchange-Server-in-the-DMZ.html.

You cannot place the CAS onto the Edge box because that machine is not joined to the domain. Yes, you could virtualise it, but see above for the security reasons why you shouldn't.

If you don't want or cannot afford to go down the ISA route, most Exchange administrators would prefer to keep the CAS on the internal network, published through a port 443 firewall rule.

KozznAuthor Commented:
Thanks for the info.

I'm going to keep the CAS in my internal network.

The problem is the connection from internet to Exchange 2007 for our Iphones...
Iphone connects to OWA for mail syncronisation.

If I want to publish OWA through the firewall through port 443 (or another port 8443), where do i have to config these settings in exchange?

If publishing through the firewall will not be permited, and ISA is our only option, which version do I have to buy?
What about the price for the isa license?
It's only for the iphone connection, we must see if it's that worth..



The iPhones will need port 443 open to connect.

You can publish Exchange through either ISA 2006 or Forefront Threat Management Gateway (TMG) 2010, the new version of ISA. You are obviously going to need another box and Windows Server license for those products to sit on. Depending on where you obtain your licenses, you might be looking at $1000+.

Frankly, if deploying ISA/TMG is only going to be for iPhone usage, I cannot see the cost can be justified. You aren't creating any MAJOR security holes in your firewall by opening 443 to the CAS box -- they certainly aren't holes which would make me lose sleep at night.

KozznAuthor Commented:
Thx for the info, i have reasons/info enough to go for the publishing through 443 on our firewall.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.