lodgingsit asked:

Exchange 2010 OWA & ActiveSync for internet

I have a single Exchange 2010 server which has all roles (except edge obviously) installed. I know that the best way to secure my OWA & ActiveSync for internet clients is to create a second CAS server and set up the appropriate firewall rules (port 80 and 443 for OWA, what ports are needed for ActiveSync?) and point it to it.

My question is this...
Are there security concerns by having everything on the same server and only opening up the ports for OWA and ActiveSync that are needed?

If yes, will this work if I have a Linux proxy server in front of it to forward the ports for ActiveSync and OWA?

Thanks
Akhater

Who told you the best way is to have another CAS server? This is not true!

You are very fine with just one server.

The only port you need to open is port 443; that's it for OWA, ActiveSync and Outlook Anywhere.

If you want extra security then you should think of investing in a reverse proxy like TMG/ISA and use the latter as the reach point for your internet users.
Well there are ALWAYS going to be security concerns when you open your systems to the world, that's the inherent nature of things.  Most of these concerns come from the Sales guy with the password of "password".

However, with due diligence the security concerns can be negligible in relation to the benefit provided by wide-area Exchange access.

You might consider Microsoft's Forefront Threat Management Gateway as this system includes a built-in IDS and reverse proxy and one of its main FEATURES is exposing Exchange to the web.

But otherwise a Linux proxy WOULD work (might consider using Snort as an inline IPS).
ASKER CERTIFIED SOLUTION
Alan Hardisty
lodgingsit (ASKER)

Forefront Threat Management Gateway isn't an option for me due to expense and the fact that I already have another Antivirus product for Exchange.
FTMG is good - but Expensive.  We use it and it keeps us safe, but another server plus license for Exchange plus FTMG - and you end up broke!
FTMG has nothing to do with the antivirus; FTMG and FPE (Forefront Protection for Exchange) are totally different products.

You don't need FTMG; any reverse proxy would do.
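
The single-port reverse-proxy arrangement discussed in this thread, as an added nginx example that is not from any poster: it publishes only OWA and ActiveSync on 443 and refuses every other path, and does not cover Outlook Anywhere. The hostname mail.example.com, the address 192.0.2.10 and the certificate paths are placeholders.

```nginx
# Added example. Hostname, backend address and certificate paths are placeholders.
upstream exchange_cas {
    server 192.0.2.10:443;                 # internal Exchange 2010 server (placeholder)
}

server {
    listen 80;
    server_name mail.example.com;
    return 301 https://$host$request_uri;  # never carry Exchange traffic over plain HTTP
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;

    client_max_body_size 50m;              # assumed limit; align with the Exchange message size limit

    # Forward only the virtual directories internet clients need.
    location ~* ^/(owa|Microsoft-Server-ActiveSync)(/|$) {
        proxy_pass https://exchange_cas;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_read_timeout 3600s;          # ActiveSync Direct Push keeps requests open for a long time
        proxy_buffering off;
    }

    # Send users who type the bare hostname to the OWA logon page.
    location = / {
        return 302 /owa/;
    }

    # Every other path on the server stays unpublished.
    # Add further virtual directories only when a client actually needs them.
    location / {
        return 404;
    }
}
```

With this in place the perimeter firewall forwards 80 and 443 to the proxy only, and the Exchange server accepts 443 from the proxy rather than from the internet.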