Network Design - ASA5510 | Exchange 2010 | TMG 2010

Alright, I know that I'm making this more complicated than it needs to be but I'm filling in roles that I am not so great at... so...

Our company just brought in local internet (it was through a shared connection to a parent company). I have a Cisco ASA 5510 facing the Internet with Security Essentials for the few users that need to VPN in. I also have ~30 EZVPN connections to clients that connect directly to the ASA. I'm in the process of bringing Exchange locally and am looking at how to set this up correctly. 85% of my user base uses OWA now (hosted at the parent company), so a working internal and external OWA is the most critical part of what I'm asking.

Our internal-to-external web traffic looks like this right now: Client --> ISA 2006 Proxy --> ISA Web Chaining to Sophos Web filter (for logging users) --> ASA 5510 --> Cloud.

When I signed up through our ISP I got 4 external IP addresses, so here is my theory (please bash this extensively). Our VPN is already hosted on the x.x.x.1 address using 443, so I figured I could NAT the second outside IP of x.x.x.2 to an internal TMG 2010 server (I've heard that it works really well with Exchange 2010). I would want the TMG to listen to HTTP headers (I'm unsure if it does this) and, if so, I could use it to redirect web traffic to specified internal servers.

Most of what I'm here to ask is whether I have the right idea or if I'm completely being an idiot and overthinking everything. This is my first firewall and Exchange project, so I'm willing to put myself out there and absorb as much info as I can.


You have the right idea, the TMG can do a reverse proxy for the Exchange OWA/EWS services.

You can indeed NAT one of the External IPs to this server, there's a simple wizard that you can run to set this up too.

Your Exchange OWA IP will be the IP that you bind to the TMG for your clients to connect to for Internal and External connections.
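As an added illustration of the NAT the answer describes (this is not configuration from the question or the answer), here is what the ASA side could look like on an ASA 5510 running 8.3 or later object-NAT syntax. The addresses 203.0.113.2 (the second public IP, standing in for x.x.x.2), 192.168.10.20 (the TMG server in a DMZ) and the interface names `dmz` and `outside` are assumed for the example; the point is that only TCP/443 is translated and permitted, so nothing else on the TMG host is reachable from the Internet.

```cisco
! Assumed: TMG 2010 sits in a DMZ segment behind the ASA's "dmz" interface.
object network TMG_OWA
 host 192.168.10.20
 ! Static PAT: map only TCP/443 on the second public IP to the TMG web listener.
 ! The ASA will answer ARP for 203.0.113.2 on the outside segment, so the
 ! existing VPN on x.x.x.1 (the outside interface address) is unaffected.
 nat (dmz,outside) static 203.0.113.2 service tcp https https

! Inbound ACL on the outside interface: in 8.3+ the ACL references the real
! (pre-NAT) address of the server, not the public one.
access-list OUTSIDE_IN extended permit tcp any object TMG_OWA eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two checks worth doing once this is in place: `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.2 443` confirms the translation and ACL match for an arbitrary external source, and `show nat` should list a single hit-counting translation for the object. Any other port on 203.0.113.2 should fail the trace at the NAT or ACL phase. The TMG itself then publishes OWA/EWS through a web publishing rule on its HTTPS listener, which is where host-name-based routing to internal servers lives.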

dfbonney (Author) Commented:
I have yet to install Exchange... Should I be planning on having a separate server for just the OWA access? I'm assuming I don't want that on my actual Exchange server.
As long as you have the TMG in a DMZ you'll be fine.

You do want OWA on your exchange server, the TMG will proxy the access to this for you.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.