Solved

EXCHANGE 2010 CAS SERVER IN DMZ

Posted on 2010-09-21
24
2,965 Views
Last Modified: 2012-05-10
Hello all, currently we have an Exchange 2003 FRONT END server that handles outside mail, OWA, and ActiveSync. Why wouldn't we put a CAS server to do the same thing? I know we can do an EDGE server, but if I have to open the ports for OWA and ActiveSync anyway, why not in the DMZ rather than inside my network?

Note that only Postini Spam Services can connect via port 25. Thanks!!
0
Comment
Question by:jaffelaw
24 Comments
 
LVL 26

Expert Comment

by:e_aravind
ID: 33727487
1. 270836 Exchange Server static port mappings
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;270836>

Limitations of Exchange Server static port mappings
The following list describes some of the limitations of Exchange Server static port
mappings:

Microsoft Exchange Server 2007
In this article, the process for static port mapping for Exchange Server 2003 and
Exchange 2000 Server still works in Exchange 2007. However, installation of a
Client Access server in a perimeter network is not supported. It is not supported
to put a Client Access Server in a perimeter network (also known as DMZ,
demilitarized zone, and screened subnet), or in any configuration with a firewall
between it and the mailbox or domain controllers. Firewall ports that must be open
for Exchange 2007

Note Installation of a Client Access server in a perimeter network is not
supported. When no firewalls are between the Exchange 2007 servers, the Exchange
2007 servers should communicate freely with one another. The firewall should be
between the production environment and the clients.


2. <http://blogs.msdn.com/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx>
How NOT to Deploy Client Access Servers


3. <http://msexchangeteam.com/archive/2009/10/21/452929.aspx>
Don't put CAS in the Perimeter network!

As you start planning for deploying an E2007/E2010 CAS server in the perimeter
network, you quickly notice that there is no documentation for how to do this
though. You will probably even find the TechNet documentation which explains this
is explicitly not supported by Microsoft. Microsoft doesn't test or support any
topologies which put firewalls between a CAS and a Mailbox (MBX) server.
0
 

Author Comment

by:jaffelaw
ID: 33727611
OK. So the supported method is to install an Edge for mail delivery and incoming scanning, i.e. Forefront. Then open the ports for OWA and ActiveSync in the firewall for the CAS server? We are planning on having 1 CAS server which will also be the DB server.

What ports are needed for ActiveSync?

Thanks
0
 

Author Comment

by:jaffelaw
ID: 33727643
Also, will installing my first Exchange 2010 server and defining the web address of my external OWA and ActiveSync during the install screw up incoming mail or OWA? As long as the IP is different?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728113
Well, I will give you a proper answer instead of a bunch of links.

Microsoft do not support any sort of Exchange Server in the DMZ apart from the Edge Transport role, which is designed for cleansing.

Simply opening port 443 for OWA, ActiveSync, Outlook Anywhere from the internet to your internal CAS server is sufficient and the recommended method to achieve this.

If you use Postini then simply only allow this server through your firewall on port 2 to whatever will be running your Hub Transport role if you don't plan to use the Edge Transport server.
0
 

Author Comment

by:jaffelaw
ID: 33728133
Thanks, we will be using an EDGE.  Thanks!!!

Any disruption to incoming mail, iPhones or OWA if we install the first typical Exchange server with CAS, mailbox etc.?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728168
If you are migrating from Exchange 2003 and there will be a prolonged period of transition, then you will need to ensure that both URLs are available from the internet and the LegacyURL has been specified on the Exchange 2010 server.

This may well involve two IP addresses if you use SSL on both servers.
0
 

Author Comment

by:jaffelaw
ID: 33728240
What if both URLs are the same name? Do we put both IP addresses in DNS? And the LegacyURL can be what?

So if our OWA server was mail.server.com, does our new Exchange 2010 server have to be mail.server.com during the install where you enter in a domain name?

And where does the LegacyURL get entered?

Yes, this will be a prolonged transition period. I'm not so concerned about OWA, but more so the ActiveSync phones.
0
 
LVL 8

Expert Comment

by:agentmik
ID: 33728362
Agreed with demazter...

Check the below link; this will guide you throughout the transition process...

http://www.simple-talk.com/sysadmin/exchange/upgrade-exchange-2003-to-exchange-2010/

It's explained quite well, with examples & diagrams.

Thanks
AgentMIK
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728400
You will need another URL for OWA 2010, and the LegacyURL will then be the OWA 2003 URL.

Exchange 2010 does not proxy for Exchange 2003; it redirects, therefore both URLs need to be available at the same time.
0
 

Author Comment

by:jaffelaw
ID: 33728409
I'm a little worried that once we install the new 2010 server it will then be the owner of OWA, mail routing etc. Is that the case? Or is it only the case for the users that will be moved?

Or, until I make my change in DNS, will anyone who's on 2003 that connects to owa.domain.com be routed appropriately?

0
 

Author Comment

by:jaffelaw
ID: 33728447
OK, so I will create a new 2010 domain called mail.domain.com, my old 2003 will be owa.domain.com, and the 2003 will be the legacy domain?

Thanks for all your help
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728464
Yes, that will do it :)
0
 

Author Comment

by:jaffelaw
ID: 33728485
demazter, the new Exchange 2010 will be basically dormant until I make my changes and move users? Once I install it there will be no disruption to current users using Outlook, OWA or their ActiveSync phones?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728492
No, they will all still function as is. The only time you need to worry is when you start moving users to Exchange 2010; this is when you need the LegacyURL and access to both servers from the internet.
0
 

Author Comment

by:jaffelaw
ID: 33728552
Perfect!!! Thanks. I will move myself and a few others first.

Once it works for me, do I give everyone the new domain name? Or point it to the new server and let 2010 decide where to redirect them?

And then start moving them at that time?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728573
You mean the new URL?
What you may want to do is use the existing URL for Exchange 2010 (change port 443 so it forwards to the 2010 server instead of the 2003 one), then create a new one, mail.domainname.com, and point this to the 2003 server.

This way you can add the new URL pointing to the 2003 server as the legacy URL and clients will be none the wiser. Exchange 2010 will redirect to the new URL automatically.
0
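As an added illustration of the URL plan in the answer above (not code from the thread or from Microsoft's documentation), the following Exchange 2010 Management Shell commands set the external OWA and ActiveSync URLs on the 2010 CAS and register the 2003 front end as the LegacyURL. The server name CAS01 is hypothetical; the host names owa.domain.com and mail.domain.com are the ones used in the thread, with the existing name going to 2010 and the new name going to 2003, as suggested.

```powershell
# Added example, not from the thread. Assumes an Exchange 2010 CAS named CAS01
# (hypothetical) and the URL plan above: owa.domain.com (existing name) now points
# at Exchange 2010, mail.domain.com (new name) points at the Exchange 2003 front end.
# Run from the Exchange 2010 Management Shell.

$cas       = "CAS01"                      # hypothetical server name
$newUrl    = "https://owa.domain.com"     # existing name, firewall 443 -> Exchange 2010
$legacyUrl = "https://mail.domain.com"    # new name, -> Exchange 2003 front end

# OWA: ExternalUrl is what clients are given; Exchange2003Url is the LegacyURL that
# Exchange 2010 redirects to when the mailbox is still on Exchange 2003.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -ExternalUrl "$newUrl/owa" `
    -Exchange2003Url "$legacyUrl/exchange"

# ActiveSync: same external host name as before, so device profiles do not change.
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "$newUrl/Microsoft-Server-ActiveSync"

# Verify the settings before touching DNS or the firewall rule for 443.
Get-OwaVirtualDirectory -Server $cas | Format-List Identity, ExternalUrl, Exchange2003Url
Get-ActiveSyncVirtualDirectory -Server $cas | Format-List Identity, ExternalUrl
```

Both names must resolve publicly and present valid certificates for the redirect to work, which is why the answer warns that two external IP addresses may be needed when both servers use SSL.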
 

Author Comment

by:jaffelaw
ID: 33728697
Good idea!! But before I make any DNS changes, test using it internally? OWA isn't as big as ActiveSync. So as long as 443 is open to 2010 then ActiveSync will work regardless of whether their mailbox is on 2010? Thanks

Our current firewall has 80 and 443 open so we shouldn't have any connection issues to the new server.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728714
Yes, absolutely test internally first.
And, key, make sure you keep notes about what you are doing so you can reverse it if it all goes pear shaped.

There is no requirement for port 80.
0
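To check the point made above, that 443 is the only port the published name needs and 80 is not required, here is an added PowerShell check (not from the thread) to run from a machine outside the firewall. It expects 443 open and 80 closed on the published name; 25 is also expected closed from anywhere that is not Postini, per the question. The host name is the one used in the thread and the timeout is an arbitrary choice.

```powershell
# Added example, not from the thread: confirm from outside the firewall that only
# TCP 443 reaches the published name and that 80 (and 25, from a non-Postini
# address) stay closed. Uses only .NET sockets, so it runs on any Windows host.

function Test-PublishedPort {
    param(
        [string]$HostName,
        [int]$Port,
        [int]$TimeoutMs = 3000    # arbitrary timeout
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($done -and $client.Connected) { return $true }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$published = "owa.domain.com"                                   # name from the thread
$expected  = @{ 443 = $true; 80 = $false; 25 = $false }         # 25 only from Postini

foreach ($port in $expected.Keys) {
    $open  = Test-PublishedPort -HostName $published -Port $port
    $state = if ($open -eq $expected[$port]) { "OK   " } else { "CHECK" }
    "{0} {1}:{2} open={3} expected={4}" -f $state, $published, $port, $open, $expected[$port]
}
```

Any line marked CHECK means the firewall rule differs from the plan discussed above (443 only to the CAS, 25 only from Postini to the Hub or Edge), and should be looked at before moving users.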
 

Author Comment

by:jaffelaw
ID: 33728736
Thank you very very much.
0
 

Author Comment

by:jaffelaw
ID: 33728828
Oh, last thing. Once the 2010 server is the primary server, the mobile phones will continue to work since the domain name didn't change? Regardless of which server their mailbox is on? Thanks again
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33728836
Yes, correct, ActiveSync will work without any problems.
0
 

Author Comment

by:jaffelaw
ID: 33728868
Sounds easy enough :))
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 33756973
You know you have accepted your own answer as the solution?
0
 

Author Comment

by:jaffelaw
ID: 33756998
I just posted something else about ActiveSync. Do you know why I can't connect? I created a test user and I was able to connect via my iPhone, but I can't connect after I moved my account. I made sure I am enabled for ActiveSync.

Thanks
0
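The thread ends without a diagnosis for the moved mailbox that stopped syncing. As an added example (not from the thread), these are the first Exchange 2010 Management Shell checks a practitioner would run in that situation: confirm where the mailbox now lives and that ActiveSync is still enabled on it, look at the device partnerships, and exercise the ActiveSync virtual directory on the CAS with the user's own credentials. The server name CAS01 and the user jsmith are hypothetical.

```powershell
# Added example, not from the thread: first checks when a mailbox that was just
# moved to Exchange 2010 stops syncing. Run from the Exchange 2010 Management Shell.
# CAS01 and jsmith are hypothetical names.

$user = "jsmith"
$cas  = "CAS01"

# 1. Is the mailbox really on 2010 now, and is ActiveSync still enabled on it?
Get-Mailbox -Identity $user | Format-List Name, ServerName, Database
Get-CASMailbox -Identity $user | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 2. Has any device partnered with the mailbox since the move, and what state is it in?
Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Format-Table DeviceType, DeviceID, LastSuccessSync, Status -AutoSize

# 3. Talk to the EAS virtual directory on the CAS the way the phone does, with the
#    user's own credentials, and show the per-step result and any error text.
$cred = Get-Credential "domain\$user"    # 'domain' is a placeholder for the AD domain
Test-ActiveSyncConnectivity -ClientAccessServer $cas -MailboxCredential $cred -TrustAnySSLCertificate |
    Format-List Scenario, Result, Latency, Error
```

If step 1 shows the mailbox on 2010 with ActiveSync enabled but step 3 fails, the error text from Test-ActiveSyncConnectivity is what to follow up on; a failure that reproduces only for the moved account and not for the fresh test user points at the account rather than at the CAS or the firewall.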
