Solved

EXCHANGE 2010 CAS SERVER IN DMZ

Posted on 2010-09-21
24
2,976 Views
Last Modified: 2012-05-10
Hello all, currently we have an Exchange 2003 FRONT END server that handles outside mail, OWA, and ActiveSync.  Why wouldn't we put a CAS server to do the same thing? I know we can do an EDGE server, but if I have to open the ports for OWA and ActiveSync anyway, why not in the DMZ rather than inside my network?

Note: that only Postini Spam Services can connect via port 25.  Thanks!!
Question by:jaffelaw
24 Comments
 
LVL 26

Expert Comment

by:e_aravind
ID: 33727487
1. 270836 Exchange Server static port mappings
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;270836>

Limitations of Exchange Server static port mappings
The following list describes some of the limitations of Exchange Server static port mappings:

Microsoft Exchange Server 2007
In this article, the process for static port mapping for Exchange Server 2003 and Exchange 2000 Server still works in Exchange 2007. However, installation of a Client Access server in a perimeter network is not supported. It is not supported to put a Client Access Server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet), or in any configuration with a firewall between it and the mailbox or domain controllers.

Firewall ports that must be open for Exchange 2007

Note: Installation of a Client Access server in a perimeter network is not supported. When no firewalls are between the Exchange 2007 servers, the Exchange 2007 servers should communicate freely with one another. The firewall should be between the production environment and the clients.


2. <http://blogs.msdn.com/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx>
How NOT to Deploy Client Access Servers


3. <http://msexchangeteam.com/archive/2009/10/21/452929.aspx>
Don't put CAS in the Perimeter network!

As you start planning for deploying an E2007/E2010 CAS server in the perimeter network, you quickly notice that there is no documentation for how to do this though. You will probably even find the TechNet documentation which explains this is explicitly not supported by Microsoft. Microsoft doesn't test or support any topologies which put firewalls between a CAS and a Mailbox (MBX) server.

Author Comment

by:jaffelaw
ID: 33727611
Ok. So the supported method is to install an Edge for mail delivery and incoming scanning, i.e. Forefront. Then open the ports for OWA and ActiveSync in the firewall for the CAS server?  We are planning on having 1 CAS server which will also be the DB server.

What ports are needed for active sync?  

Thanks

Author Comment

by:jaffelaw
ID: 33727643
Also, will installing my first Exchange 2010 server and defining the web address of my external OWA and ActiveSync during the install screw up incoming mail? Or OWA?  As long as the IP is different?
LVL 74

Expert Comment

by:Glen Knight
ID: 33728113
Well, I will give you a proper answer instead of a bunch of links.

Microsoft do not support any sort of Exchange Server in the DMZ apart from the Edge Transport role, which is designed for cleansing.

Simply opening port 443 for OWA, ActiveSync, Outlook Anywhere from the internet to your internal CAS server is sufficient and the recommended method to achieve this.

If you use Postini then simply allow only this server through your firewall on port 25 to whatever will be running your Hub Transport role, if you don't plan to use the Edge Transport server.
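As an added example that is not part of the thread (not Glen's configuration, the asker's, or Microsoft's own sample), here is how the advice above (443 only, to the internal CAS; 25 only from Postini; no Exchange role in the DMZ) can be enforced on the Exchange side of the perimeter firewall from the Exchange Management Shell. It assumes a Hub Transport server named HUB01, an internal range of 10.0.0.0/8, and uses the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 as stand-ins for the Postini netblocks, which the thread does not list; substitute the ranges Postini publishes for your account. If Postini delivers to an Edge Transport server instead, as the asker plans, run the connector commands locally on that server.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Hub Transport server that receives Internet mail. Names and ranges are assumptions:
$Server      = "HUB01"                                   # assumed Hub Transport server name
$PostiniNets = @("198.51.100.0/24", "203.0.113.0/24")    # placeholders for the real Postini ranges
$InternalNet = "10.0.0.0/8"                              # placeholder for your internal address space

# 1. A receive connector that accepts SMTP only from Postini. -Usage Internet grants
#    anonymous submission from the listed ranges with TLS offered, which is what a
#    filtering service relaying on your behalf needs.
$name = "Inbound from Postini"
if (-not (Get-ReceiveConnector -Server $Server | Where-Object { $_.Name -eq $name })) {
    New-ReceiveConnector -Name $name -Server $Server -Usage Internet `
        -Bindings "0.0.0.0:25" -RemoteIPRanges $PostiniNets
}

# 2. Setup creates a "Default <server>" connector that answers any remote IP on port 25.
#    Exchange picks the connector whose RemoteIPRanges match most specifically, so the
#    Postini connector wins for Postini, but a wide-open default connector still answers
#    everyone else if the perimeter rule ever leaks. Limit it to internal addresses.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Name -like "Default *" } |
    Set-ReceiveConnector -RemoteIPRanges $InternalNet

# 3. Host firewall as a second layer behind the perimeter firewall: 443 for OWA,
#    ActiveSync and Outlook Anywhere; 25 only from the Postini ranges; nothing on 80.
$postiniList = $PostiniNets -join ","
netsh advfirewall firewall add rule name="Exchange HTTPS" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="SMTP from Postini only" dir=in action=allow protocol=TCP localport=25 remoteip=$postiniList

# 4. Check: every connector bound to port 25 should now carry an explicit source range.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Bindings -match ":25$" } |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

The connector restriction matters even with the perimeter rule in place: the filtering service is only useful if nothing else can deliver directly to port 25, and the host-level rules keep that true if the perimeter rule is later loosened by mistake.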

Author Comment

by:jaffelaw
ID: 33728133
Thanks, we will be using an EDGE.  Thanks!!!

Any disruption to incoming mail, iphones or OWA if we install the first typical exchange server with cas mailbox etc..?
LVL 74

Expert Comment

by:Glen Knight
ID: 33728168
If you are migrating from Exchange 2003 and there will be a prolonged period of transition then you will need to ensure that both URLs are available from the internet and the LegacyURL has been specified on the Exchange 2010 server.

This may well involve two IP addresses if you use SSL on both servers.

Author Comment

by:jaffelaw
ID: 33728240
What if both URLs are the same name?  Do we put both IP addresses in DNS? And the legacyURL can be what?

so if our owa server was mail.server.com does our new exchange 2010 server have to be mail.server.com during the install where you enter in a domain name?

and where does the legacyurl get entered?

Yes this will be a prolonged transition period.  I'm not so concerned about OWA, but more so the active sync phones.
LVL 8

Expert Comment

by:agentmik
ID: 33728362
agreed with demazter...

Check the below link; this will guide you throughout the transition process...

http://www.simple-talk.com/sysadmin/exchange/upgrade-exchange-2003-to-exchange-2010/

It's explained quite well, with examples & diagrams.

Thanks
AgentMIK
LVL 74

Expert Comment

by:Glen Knight
ID: 33728400
you will need another URL for OWA 2010, and the legacyURL will then be the OWA2003 URL.

Exchange 2010 does not proxy for Exchange 2003, it redirects; therefore both URLs need to be available at the same time.

Author Comment

by:jaffelaw
ID: 33728409
I'm a little worried, that once we install the new 2010 server it will then be the owner of OWA, mail routing etc...Is that the case? Or is it only the case for the users that will be moved?

Or until I make my change in DNS, anyone who's on 2003 that connects to owa.domain.com will be routed appropriately?


Author Comment

by:jaffelaw
ID: 33728447
OK, so I will create a new 2010 domain called mail.domain.com and my old 2003 will be owa.domain.com and the 2003 will be the legacy domain?  

Thanks for all your help
LVL 74

Expert Comment

by:Glen Knight
ID: 33728464
yes, that will do it :)
Author Comment

by:jaffelaw
ID: 33728485
demazter, the new Exchange 2010 will be basically dormant until I make my changes and move users? Once I install it there will be no disruption to current users using Outlook, OWA or their ActiveSync phones?
LVL 74

Expert Comment

by:Glen Knight
ID: 33728492
no, they will all still function as is, the only time you need to worry is when you start moving users to Exchange 2010, this is when you need the LegacyURL and access to both servers from the internet.

Author Comment

by:jaffelaw
ID: 33728552
Perfect!!!  Thanks. I will move myself and a few others first  

Once it works for me do I give everyone the new domain name?  Or point it to the new server and let 2010 decide where to redirect them?

And then start moving them at that time?  
LVL 74

Expert Comment

by:Glen Knight
ID: 33728573
You mean the new URL?
What you may want to do is use the existing URL for Exchange 2010 (change port 443 so it forwards to the 2010 server instead of the 2003 one) then create a new one mail.domainname.com and point this to the 2003 server.

This way you can add the new URL pointing to the 2003 server as the legacy URL and clients will be none the wiser.  Exchange 2010 will redirect to the new URL automatically.
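As an added example that is not part of the thread (not Glen's commands or the asker's), this is what the arrangement just described looks like in the Exchange Management Shell on the Exchange 2010 Client Access server: the existing public name stays with Exchange 2010, and the new name, forwarded to the Exchange 2003 front end, becomes the legacy URL. Server and host names are assumptions (CAS01, owa.domain.com for 2010, mail.domain.com for 2003). The 2010 server's certificate must cover the name it answers for and the 2003 front end must present a valid certificate for the legacy name, which is why Glen mentions two IP addresses.

```powershell
# Added example, not from the thread. Exchange Management Shell on the Exchange 2010 CAS.
# Assumed names:
$Cas        = "CAS01"            # the Exchange 2010 CAS/Mailbox server
$NewHost    = "owa.domain.com"   # existing public name; perimeter 443 now forwards to CAS01
$LegacyHost = "mail.domain.com"  # new public name, forwarded to the Exchange 2003 front end

# OWA: Exchange 2010 serves its own mailboxes at ExternalUrl and sends users whose
# mailbox is still on 2003 to Exchange2003Url (a redirect, not a proxy, as noted above).
Set-OwaVirtualDirectory -Identity "$Cas\owa (Default Web Site)" `
    -ExternalUrl     "https://$NewHost/owa" `
    -Exchange2003Url "https://$LegacyHost/exchange"

# ActiveSync keeps the public name the phones already have. For mailboxes still on 2003
# the 2010 CAS proxies the request to the 2003 server; that proxy only works when
# Integrated Windows Authentication is enabled on the 2003 Microsoft-Server-ActiveSync
# virtual directory (set it through Exchange System Manager, not IIS Manager), so do
# that on the 2003 side before moving the first ActiveSync user.
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$NewHost/Microsoft-Server-ActiveSync"

# Outlook Anywhere and ECP on the same name, so one certificate name covers everything on 443.
if (-not (Get-OutlookAnywhere -Server $Cas)) {
    Enable-OutlookAnywhere -Server $Cas -ExternalHostname $NewHost `
        -ClientAuthenticationMethod Basic -SSLOffloading $false
}
Set-EcpVirtualDirectory -Identity "$Cas\ecp (Default Web Site)" -ExternalUrl "https://$NewHost/ecp"

# Verify the URLs before changing public DNS or the perimeter 443 forward.
Get-OwaVirtualDirectory        -Server $Cas | Format-List Identity, ExternalUrl, Exchange2003Url
Get-ActiveSyncVirtualDirectory -Server $Cas | Format-List Identity, ExternalUrl
Get-OutlookAnywhere            -Server $Cas | Format-List ServerName, ExternalHostname

# End-to-end test: run once with a mailbox already moved to 2010 and once with one still
# on 2003, from a machine that resolves both public names. Prompts for the credentials.
$cred = Get-Credential
Test-OwaConnectivity        -URL "https://$NewHost/owa" -MailboxCredential $cred -TrustAnySSLCertificate
Test-ActiveSyncConnectivity -URL "https://$NewHost/Microsoft-Server-ActiveSync" -MailboxCredential $cred -TrustAnySSLCertificate
```

Run the verification and connectivity tests internally first, as Glen advises below, and keep the old values from the Get-* output so the change can be reversed.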

Author Comment

by:jaffelaw
ID: 33728697
Good idea!!  But before I make any DNS changes, test using it internally?  OWA isn't as big as ActiveSync. So as long as 443 is open to 2010, then ActiveSync will work regardless of whether their mailbox is on 2010?  Thanks

Our current firewall has 80 and 443 open so we shouldn't have any connection issues to the new server.
LVL 74

Expert Comment

by:Glen Knight
ID: 33728714
Yes, absolutely test internally first.
And key, make sure you keep notes about what you are doing so you can reverse it if it all goes pear shaped.

There is no requirement for port 80.

Author Comment

by:jaffelaw
ID: 33728736
Thank you very very much.

Author Comment

by:jaffelaw
ID: 33728828
Oh, last thing. Once the 2010 server is the primary server, the mobile phones will continue to work since the domain name didn't change? Regardless of which server their mailbox is on?  Thanks again
LVL 74

Expert Comment

by:Glen Knight
ID: 33728836
yes, correct, ActiveSync will work without any problems.

Author Comment

by:jaffelaw
ID: 33728868
Sounds easy enough :))
LVL 74

Accepted Solution

by: Glen Knight (earned 500 total points)
ID: 33756973
You know you have accepted your own answer as the solution?

Author Comment

by:jaffelaw
ID: 33756998
I just posted something else about Active Sync.  Do you know why I can't connect? I created a test user and I was able to connect via my iphone, but I can't connect after I moved my account.  I made sure I am enabled for active sync.

Thanks