Anyone running Exchange 2010 SP1 with 1:1 NAT public IP to the CAS array IP instead of TMG?

We would like to migrate from Exchange 2003 to 2010 by doing the following configuration:
 
1:1 NAT public IP to the CAS array IP
 
2 servers -> with CAS (WNLB) and HUB configured
 
2 servers -> MBX with DAG
 
Anyone running something like the above scenario in a production env.? For the scenario above, what is going to be the downside of not using a TMG server?


llarava Asked:
Akhater Commented:
Although not the ideal scenario, your setup would be good enough for most companies.

From a security perspective, a TMG would get your connections to be ended on the proxy servers and not on the Exchange server, which is a great security enhancement, but opening port 443 from the internet to an internal server is not that much of a big deal unless you have very tight security policies.

If you are a "simple" company, then there is nothing wrong at all with doing this.
 
Suliman Abu Kharroub (IT Consultant) Commented:
TMG provides Exchange with application filters for SMTP/HTTP/S. Without TMG, for sure the security level is lower.

By publishing Exchange services through TMG/ISA (reverse proxy), TMG filters the traffic, analyzes it, then processes it according to the settings configured on the publishing rule. Without TMG, traffic goes directly to the Exchange server, which could be a kind of attack traffic.
 
llarava (Author) Commented:
Sulimanw,

I understand that over $6000 per CPU per server (Enterprise, in order to build an array) is going to give you a layer of security.

The question is, besides relaxing the security, what else am I going to lose? Any features?

Is anyone out there running his production env without TMG or ISA?

 
Suliman Abu Kharroub (IT Consultant) Commented:
I have a client running Exchange with only Windows Firewall enabled (the public IP is assigned on the Exchange server itself).

It has been running for 5 years and nothing has happened (no attacks), but no one can know when it will be attacked!
 
llarava (Author) Commented:
Is this configuration supported by MS? It's my understanding that as long as your CAS server is not placed in the DMZ, the configuration is supported.
 
Suliman Abu Kharroub (IT Consultant) Commented:
Yes, it is supported, but not secured at all.
 
Akhater Commented:
I forgot to add that yes, the configuration is supported by MS.
Question has a verified solution.