EXCHANGE 2010 CAS SERVER IN DMZ

Hello all, currently we have an Exchange 2003 FRONT END server that handles outside mail, OWA, and Active Sync.  Why wouldn't we put a CAS server to do the same thing? I know we can do an EDGE server but if I have to open the ports for OWA, and Active Sync anyway why not in the DMZ rather than inside my network?

Note: that only Postini Spam Services can connect via port 25.  Thanks!!
jaffelawAsked:
Glen KnightCommented:
You know you have accepted your own answer as the solution?
0
 
e_aravindCommented:
1. 270836 Exchange Server static port mappings
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;270836>

Limitations of Exchange Server static port mappings
The following list describes some of the limitations of Exchange Server static port
mappings:

Microsoft Exchange Server 2007
In this article, the process for static port mapping for Exchange Server 2003 and
Exchange 2000 Server still works in Exchange 2007. However, installation of a
Client Access server in a perimeter network is not supported. It is not supported
to put a Client Access Server in a perimeter network (also known as DMZ,
demilitarized zone, and screened subnet), or in any configuration with a firewall
between it and the mailbox or domain controllers. Firewall ports that must be open
for Exchange 2007

Note Installation of a Client Access server in a perimeter network is not
supported. When no firewalls are between the Exchange 2007 servers, the Exchange
2007 servers should communicate freely with one another. The firewall should be
between the production environment and the clients


2. <http://blogs.msdn.com/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx>
How NOT to Deploy Client Access Servers


3. <http://msexchangeteam.com/archive/2009/10/21/452929.aspx>
Don't put CAS in the Perimeter network!

As you start planning for deploying an E2007/E2010 CAS server in the perimeter
network, you quickly notice that there is no documentation for how to do this
though. You will probably even find the TechNet documentation which explains this
is explicitly not supported by Microsoft. Microsoft doesn't test or support any
topologies which put firewalls between a CAS and a Mailbox (MBX) server.
0
 
jaffelawAuthor Commented:
Ok. So the supported method is to install an Edge for mail delivery and incoming scanning, i.e. Forefront. Then open the ports for OWA and ActiveSync in the firewall for the CAS server?  We are planning on having 1 CAS server which will also be the DB server.

What ports are needed for active sync?  

Thanks
0
 
jaffelawAuthor Commented:
Also will installing my first exchange 2010 server and defining the web address of my external owa and active sync during the install won't screw up incoming mail? Or OWA?  As long as the IP is different?
0
 
Glen KnightCommented:
Well, I will give you a proper answer instead of a bunch of links.

Microsoft do not support any sort of Exchange Server in the DMZ apart from the Edge Transport role which is designed for cleansing.

Simply opening port 443 for OWA, ActiveSync, Outlook Anywhere from the internet to your internal CAS server is sufficient and the recommended method to achieve this.

If you use Postini then simply only allow this server through your firewall on port 2 to whatever will be running your Hub Transport role if you don't plan to use the Edge Transport server.
0
 
jaffelawAuthor Commented:
Thanks, we will be using an EDGE.  Thanks!!!

Any disruption to incoming mail, iphones or OWA if we install the first typical exchange server with cas mailbox etc..?
0
 
Glen KnightCommented:
If you are migrating from Exchange 2003 and there will be a prolonged period of transition then you will need to ensure that both URL's are available from the internet and the LegacyURL has been specified on the Exchange 2010 server.

This may well involve two IP addresses if you use SSL on both servers.
0
 
jaffelawAuthor Commented:
What if both URLs are the same name?  Do we put both IP addresses in DNS? And the legacyURL can be what?

so if our owa server was mail.server.com does our new exchange 2010 server have to be mail.server.com during the install where you enter in a domain name?

and where does the legacyurl get entered?

Yes this will be a prolonged transition period.  I'm not so concerned about OWA, but more so the active sync phones.
0
 
Mohammad Ishtyaq KhatriCommented:
agreed with demazter...

Check the below link, this will guide you throughout the transition process...

http://www.simple-talk.com/sysadmin/exchange/upgrade-exchange-2003-to-exchange-2010/

It's explained quite well with examples & diagrams.

Thanks
AgentMIK
0
 
Glen KnightCommented:
you will need another URL for OWA 2010, and the legacyURL will then be the OWA2003 URL.

Exchange 2010 does not proxy for Exchange 2003, it redirects, therefore both URL's need to be available at the same time.
0
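The two-URL setup Glen describes, as an added example that is not from this thread: the Exchange 2010 Management Shell settings that publish the 2010 URL and tell Exchange 2010 where the 2003 OWA still lives (the Exchange2003Url that the thread calls the "legacyURL"). The server name and host names below are assumptions.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell.
# Names below are assumptions; replace them with your own.
$Cas2010 = "EX2010CAS"                               # assumed Exchange 2010 CAS/MBX server
$Url2010 = "https://mail.domain.com"                 # assumed name that resolves to the 2010 CAS
$Url2003 = "https://owa.domain.com/exchange"         # assumed name that still resolves to the 2003 FE

# OWA: external URL served by 2010, plus the 2003 URL that 2010 redirects
# users to while their mailbox is still on Exchange 2003.
Set-OwaVirtualDirectory -Identity "$Cas2010\owa (Default Web Site)" `
    -ExternalUrl "$Url2010/owa" `
    -Exchange2003Url $Url2003

# ActiveSync: phones keep one external name; 2010 handles mailboxes on either side.
Set-ActiveSyncVirtualDirectory `
    -Identity "$Cas2010\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "$Url2010/Microsoft-Server-ActiveSync"

# Verify what was set before touching DNS or the firewall 443 forward,
# and keep this output with your rollback notes.
Get-OwaVirtualDirectory -Server $Cas2010 | Format-List Identity, ExternalUrl, Exchange2003Url
Get-ActiveSyncVirtualDirectory -Server $Cas2010 | Format-List Identity, ExternalUrl
```

Both host names must resolve and present a valid certificate from the internet for the redirect to work, which is why Glen says two public IPs may be needed when both servers use SSL.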
 
jaffelawAuthor Commented:
I'm a little worried, that once we install the new 2010 server it will then be the owner of OWA, mail routing etc...Is that the case? Or is it only the case for the users that will be moved?

Or until I make my change in DNS anyone who's on 2003 that connects to owa.domain.com will be routed appropriately?

0
 
jaffelawAuthor Commented:
OK, so I will create a new 2010 domain called mail.domain.com and my old 2003 will be owa.domain.com and the 2003 will be the legacy domain?  

Thanks for all your help
0
 
Glen KnightCommented:
yes, that will do it :)
0
 
jaffelawAuthor Commented:
dmazter, the new exchange 2010 will be basically dormant until i make my changes and move users? once I install it there will be no disruption to current users using outlook, owa or their active sync phones?
0
 
Glen KnightCommented:
no, they will all still function as is, the only time you need to worry is when you start moving users to Exchange 2010, this is when you need the LegacyURL and access to both servers from the internet.
0
 
jaffelawAuthor Commented:
Perfect!!!  Thanks. I will move myself and a few others first  

Once it works for me do I give everyone the new domain name?  Or point it to the new server and let 2010 decide where to redirect them?

And then start moving them at that time?  
0
 
Glen KnightCommented:
You mean the new URL?
What you may want to do is use the existing URL for Exchange 2010 (change port 443 so it forwards to the 2010 server instead of the 2003 one) then create a new one mail.domainname.com and point this to the 2003 server.

This way you can add the new URL pointing to the 2003 server as the legacy URL and clients will be none the wiser.  Exchange 2010 will redirect to the new URL automatically.
0
 
jaffelawAuthor Commented:
Good idea!!  But before I make any dns changes test using it internally?  Owa isn't as big as activesync. So as long as 443 is open to 2010 then active sync will work regardless if their mailbox is on 2010?  Thanks

Our current firewall has 80 and 443 open so we shouldn't have any connection issues to the new server.
0
 
Glen KnightCommented:
Yes, absolutely test internally first.
And key, make sure you keep notes about what you are doing so you can reverse it if it all goes pear shaped.

There is no requirement for port 80.
0
 
jaffelawAuthor Commented:
Thank you very very much.
0
 
jaffelawAuthor Commented:
Oh last thing. Once the 2010 server is the primary server the mobile phones will continue to work since the domain name didn't change? Regardless of which server their mailbox is on?  Thanks again
0
 
Glen KnightCommented:
yes, correct, ActiveSync will work without any problems.
0
 
jaffelawAuthor Commented:
Sounds easy enough :))
0
 
jaffelawAuthor Commented:
I just posted something else about Active Sync.  Do you know why I can't connect? I created a test user and I was able to connect via my iphone, but I can't connect after I moved my account.  I made sure I am enabled for active sync.

Thanks
0