UMPH_User
asked on
Exchange 2010 configuration question
My question is this. I am beginning my upgrade from Exchange 2003 to Exchange 2010. Currently our 2003 configuration is a front-end/back-end setup with the front-end server hosting OWA access. I know that Microsoft does not support the CAS server being in the DMZ and they want you to use a proxy such as ISA or TMG. My boss, however, is pushing me to put the CAS server in the DMZ anyway. Our firewall can open ports by application, so we won't have to open a bunch of random ports; we just tell it to let Active Directory access from the CAS server to the inside. I don't want to do this, so I need some data to support not putting the CAS server in the DMZ, besides the fact that it's unsupported and Microsoft won't help if we ever need to call them.
ASKER CERTIFIED SOLUTION
CAS is the same in 2010 and 2007, so you can take this back to your boss and tell the story.
ASKER
Nenadic,
I know that CAS server does not NEED to be in the DMZ but my boss is worried about security and us being PCI compliant. I'm only planning on having OWA and activesync. Again, I know what I CAN do I'm more worried about what I SHOULD do.
Hi UMPH_User: I didn't mean to lecture. It was merely a request for some extra information, in order to provide the best possible suggestion for the way forward.
Putting CAS in DMZ is not recommended and serves no particular purpose, as you are forcing the firewall to pass RPC traffic, which is neither secure nor easy.
For OWA and EAS, all you need to open is port TCP:443 and ensure you have proper address mappings. You can use Forms Based Authentication for OWA as you are going directly to the CAS (no server publishing).
To be honest, there aren't any major additional reasons over and above those already given and discussed. The fact that your internal firewall can act dynamically is fine from a functional point of view, but it is not secure. Having to open ANY port over and above those actually needed for the process to work obviously increases the attack surface, but you already know this.
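To make the RPC point concrete, here is a small audit script added to this thread (it is not from any participant or from Microsoft). It parses two constructed firewall rule exports, one for a CAS placed in the DMZ and one for a CAS kept inside behind a reverse proxy, counts how many (protocol, port) pairs each design opens from the DMZ into the internal network, and flags rules that pass the RPC endpoint mapper or a dynamic port range. The rule layout (name,src_zone,dst_zone,proto,ports,action), the zone names and the port lists are assumptions for the example; the 49152-65535 range is the default Windows Server 2008+ dynamic RPC range.

```python
"""Compare DMZ-to-inside exposure of two Exchange CAS placements.

Added example for this thread, not part of the original discussion.
The rule exports below are constructed, not taken from a real firewall,
and the field layout (name,src_zone,dst_zone,proto,ports,action) is an
assumption chosen for this example.
"""

# Constructed sample: CAS in the DMZ must reach AD and the Mailbox role,
# so the RPC endpoint mapper (135) plus the dynamic RPC range, LDAP/GC,
# Kerberos and DNS all have to be allowed DMZ -> inside.
RULES_CAS_IN_DMZ = """\
owa-inbound,internet,dmz,tcp,443,allow
cas-to-ad-rpc,dmz,inside,tcp,135;49152-65535,allow
cas-to-ad-ldap,dmz,inside,tcp,389;636;3268;3269,allow
cas-to-ad-kerberos,dmz,inside,tcp,88,allow
cas-to-mailbox-rpc,dmz,inside,tcp,135;49152-65535,allow
cas-to-dns,dmz,inside,udp,53,allow
"""

# Constructed sample: CAS stays inside, a reverse proxy (TMG/ISA) sits in
# the DMZ, and only HTTPS crosses into the internal network.
RULES_CAS_INSIDE = """\
owa-inbound,internet,dmz,tcp,443,allow
proxy-to-cas,dmz,inside,tcp,443,allow
"""

# Constructed sample: an "open by application" rule that lets the CAS
# reach AD on whatever ports the application negotiates.
RULES_APP_AWARE = """\
owa-inbound,internet,dmz,tcp,443,allow
cas-to-ad-app,dmz,inside,tcp,any,allow
"""

RPC_ENDPOINT_MAPPER = 135
WIDE_RANGE = 1024  # a rule spanning this many ports is treated as a dynamic range


def parse_ports(spec):
    """Expand '135;49152-65535' or 'any' into a set of port numbers."""
    if spec == "any":
        return set(range(0, 65536))
    ports = set()
    for part in spec.split(";"):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rules(text):
    """Turn the constructed CSV export into a list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        name, src, dst, proto, ports, action = line.split(",")
        rules.append({"name": name, "src": src, "dst": dst, "proto": proto,
                      "ports": parse_ports(ports), "action": action})
    return rules


def audit_dmz_to_inside(text, src="dmz", dst="inside"):
    """Return how many (proto, port) pairs cross src -> dst and which rules pass RPC-style traffic."""
    exposed = set()
    flagged = []
    for rule in parse_rules(text):
        if rule["action"] != "allow" or rule["src"] != src or rule["dst"] != dst:
            continue
        exposed.update((rule["proto"], p) for p in rule["ports"])
        if RPC_ENDPOINT_MAPPER in rule["ports"] or len(rule["ports"]) >= WIDE_RANGE:
            flagged.append(rule["name"])
    return {"exposed_count": len(exposed), "flagged": flagged}


if __name__ == "__main__":
    for label, rules in (("CAS in DMZ", RULES_CAS_IN_DMZ),
                         ("CAS inside + proxy", RULES_CAS_INSIDE),
                         ("CAS in DMZ, app-aware rule", RULES_APP_AWARE)):
        report = audit_dmz_to_inside(rules)
        print(f"{label}: {report['exposed_count']} (proto, port) pairs open DMZ->inside; "
              f"RPC/dynamic rules: {report['flagged'] or 'none'}")
```

The comparison is the argument in numbers: the proxy design opens a single TCP 443 flow into the internal network, while a DMZ-hosted CAS needs the endpoint mapper plus the whole dynamic RPC range, and an application-aware rule hides the same exposure behind a friendlier name rather than removing it.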
ASKER
OK guys, thanks for all the input. I have convinced my boss to let me put the CAS server on the inside and get TMG 2010 as a proxy. One last question: where does my new OWA certificate go? On the new CAS server or on the proxy?
SOLUTION
Which services are you planning to use: OWA (and ECP), ActiveSync (mobile devices), Outlook Anywhere (connectivity from MS Outlook, rather than purely from web browsers)?