Solved

Exchange 2010 OWA & ActiveSync for internet

Posted on 2011-03-11
Last Modified: 2012-05-11
I have a single Exchange 2010 server which has all roles (except Edge, obviously) installed. I know that the best way to secure my OWA & ActiveSync for internet clients is to create a second CAS server and set up the appropriate firewall rules (ports 80 and 443 for OWA; what ports are needed for ActiveSync?) and point it to it.

My question is this...
Are there security concerns by having everything on the same server and only opening up the ports for OWA and ActiveSync that are needed?

If yes, will this work if I have a Linux proxy server in front of it to forward the ports for ActiveSync and OWA?

Thanks
Question by:lodgingsit
6 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 35109364
Who told you the best way is to have another CAS server? This is not true!

You are very fine with just one server.

The only port you need to open is port 443; that's it for OWA, ActiveSync and Outlook Anywhere.

If you want extra security, then you should think of investing in a reverse proxy like TMG/ISA and use the latter as the reach point for your internet users.
0
 
LVL 3

Expert Comment

by:tearman
ID: 35109367
Well there are ALWAYS going to be security concerns when you open your systems to the world, that's the inherent nature of things.  Most of these concerns come from the Sales guy with the password of "password".

However, with due diligence the security concerns can be negligible in relation to the benefit provided by wide-area Exchange access.

You might consider Microsoft's Forefront Threat Management Gateway as this system includes a built-in IDS and reverse proxy and one of its main FEATURES is exposing Exchange to the web.

But otherwise a Linux proxy WOULD work (might consider using Snort as an inline IPS).
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 1000 total points
ID: 35109373
The only port you need for OWA / ActiveSync is 443 - HTTPS - port 80 should not be used as it is insecure.

Everything on one box is not an issue either.

I would imagine that having a Linux Proxy in front would cause you headaches and isn't strictly necessary as most SBS servers are all-in-one and don't have Proxy servers protecting them, just a firewall / router and are perfectly safe.
0

 
LVL 1

Author Comment

by:lodgingsit
ID: 35109384
Forefront Threat Management Gateway isn't an option for me due to expense and the fact that I already have another Antivirus product for Exchange.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35109393
FTMG is good - but Expensive.  We use it and it keeps us safe, but another server plus license for Exchange plus FTMG - and you end up broke!
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35109418
FTMG has nothing to do with the antivirus; FTMG and FPE (Forefront Protection for Exchange) are totally different products.

You don't need FTMG; any reverse proxy would do.
0
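
Added example, not part of any post in this thread: an nginx configuration for the Linux reverse-proxy option discussed above, publishing only OWA and ActiveSync on port 443 and nothing on port 80. The hostname `mail.example.com`, the backend address `10.0.0.10`, the certificate paths, the body-size limit and the timeout value are assumptions; `/owa` and `/Microsoft-Server-ActiveSync` are Exchange's default virtual directory names.

```nginx
# Added example; hostname, backend IP, certificate paths and limits are assumptions.
upstream exchange_cas {
    server 10.0.0.10:443;             # internal Exchange 2010 server (placeholder)
    keepalive 16;                     # reuse backend connections
}

server {
    # Only 443 is published; there is deliberately no "listen 80" server block.
    listen 443 ssl;
    server_name mail.example.com;     # placeholder public name

    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;   # placeholder

    client_max_body_size 30m;         # assumed value; match the Exchange message size limit

    # Backend TLS: nginx does not verify the upstream certificate
    # unless proxy_ssl_verify is switched on.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto https;

    # OWA (case-insensitive match, since users type /OWA as well as /owa)
    location ~* ^/owa(/|$) {
        proxy_pass https://exchange_cas;
    }

    # ActiveSync: Direct Push keeps requests open for a long time, so the
    # read timeout has to be longer than the device heartbeat interval.
    location ~* ^/Microsoft-Server-ActiveSync(/|$) {
        proxy_pass https://exchange_cas;
        proxy_read_timeout 3600s;     # assumed value
    }

    # Send the bare hostname to the OWA logon page
    location = / { return 302 /owa/; }

    # Any other path, including Exchange virtual directories not listed
    # above, is not published through the proxy.
    location / { return 404; }
}
```

With this in place the firewall forwards TCP 443 to the proxy only, and the Exchange server itself accepts 443 from the proxy rather than from the internet.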


Question has a verified solution.
