Solved

Exchange 2010 configuration quesation

Posted on 2011-02-22
9
435 Views
Last Modified: 2012-05-11
My question is this.  I am beginning my upgrade from Exchange 2003 to Exchange 2010.  Currently our 2003 configuration is a front-end/back-end setup with the the front-end server hosting OWA access.  I know that Microsoft does not support the CAS server being in the DMZ and they want you to use a proxy such as ISA or TMG.  My boss, however, is pushing me to put the CAs server in the DMZ anyway.  Our firewall can open ports by application and we won't have to open a bunch of random ports just tell it to let active directory access from the CAS server to the inside.  I don't want to do this so I need some data to support not putting the CAS server in the DMZ.  Besides the fact that it's unsupported and Microsoft won't help if we ever need to call them.
0
Comment
Question by:UMPH_User
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 12

Expert Comment

by:Nenadic
ID: 34952547
Is your DMZ "on the side" (i.e. a single firewall) or a full DMZ between two firewalls.  The latter would make it slightly more complicated, but the bottom line is that you don't need to have CAS in DMZ to make it work.  As long as you open up correct ports and set up appropriate NAT rules (twice if you have two firewalls), you can access your Exchange externally.

Which services are you planning to use: OWA (and ECP), ActiveSync (mobile devices), Outlook Anywhere (connectivity from MS Outlook, rather than purely from web browsers?
0
 
LVL 42

Accepted Solution

by:
Amit earned 250 total points
ID: 34952785
0
 
LVL 42

Expert Comment

by:Amit
ID: 34952841
CAS is same in 2010 and 2007 so you can take this back to ur boss and tell the story.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 42

Expert Comment

by:Amit
ID: 34952854
0
 

Author Comment

by:UMPH_User
ID: 34953003
Nenadic,
I know that CAS server does not NEED to be in the DMZ but my boss is worried about security and  us being PCI compliant.  I'm only planning on having OWA and activesync.  Again, I know what I CAN do I'm more worried about what I SHOULD do.
0
 
LVL 12

Expert Comment

by:Nenadic
ID: 34953242
Hi UMPH_User: I didn't mean to lecture. It was merely a request for some extra information, in order to provide the best possible suggestion for the way forward.

Putting CAS in DMZ is not recommended and serves no particular purpose, as you are forcing the firewall to pass RPC traffic, which is neither secure nor easy.

For OWA and EAS, all you only need to open is port TCP:443 and ensure you have proper address mappings. You can use Forms Based Authentication for OWA as you are going directly to the CAS (no server publishing).
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34954090
To be honest, there aren't any major additional reasons over and above those already given and discussed. The fact that your internal firewall can act dynamically is fine from a functional point-of-view but it is not secure. Having to open ANY port over and above those actually needed for the process to work obviously increases the attack surface but you already know this.
0
 

Author Comment

by:UMPH_User
ID: 34974427
OK guys thanks for all the input.  I have convinced my boss to let me put the CAS server on the inside and get TMG 2010 as a proxy.  One last question.....Where does my new OWA Certificate go?  On the new CAS server or on the proxy?
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 34974485
Installed on the IIS server - then re-export it with the private key and then immport it into the FTMG server - local machine account personal store. If you have a separate intermediate cert then import that into FTMG as well in the intermediate store.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
Giving access to ESXi shell console is always an issue for IT departments to other Teams, or Projects. We need to find a way so that teams can use ESXTOP for their POCs, or tests without giving them the access to ESXi host shell console with a root …
This Micro Tutorial walks you through using a remote console to access a server and install ESXi 5.1. This example is showing remote access and installation using a Dell server. The hypervisor is the very first component of your virtual infrastructu…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question