Solved

Exchange 2010 DMZ query

Posted on 2012-03-20
2
1,029 Views
Last Modified: 2012-03-21
Hi

I am planning to upgrade to Exchange 2010. I need some help understanding my options for configuring OWA and Active sync connections to come in securely from the Internet.

As I currently understand it, we can have a single server on the domain hosting the mailbox, hub and client access server roles.

If we want OWA and Activesync, we could publish port 443 out through the firewall, however to be secure, this should be done with a system in the DMZ. I'm reading about the Edge Transport Role, Threat Management Gateway and Forefront Protection - which of these do I need?

I currently have a good anti-spam and anti-virus appliance in my DMZ which doesn't need replacing. I want to route the mail through this device.

What is the best way to route OWA and Activesync connections leaving my existing anti-spam/AV appliance in place? I believe I need a reverse-proxy system so I'm not exposing my internal network to the internet directly. In this case, I think all I need is the Edge Transport Role...does this sound correct?
0
Comment
Question by:failed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 5

Accepted Solution

by:
kollenh earned 400 total points
ID: 37743573
The Edge role is only for SMTP, not OWA or Activesync services.  Basically an Edge server does what your appliance already does so it sounds like you don't really need one.

Yes, you can publish 443 through the firewall and it will work; it's an accepted solution but probably not best practice, particularly when you're mailboxes are hosted on the same server.  The risk is slightly mitigated with split roles.

The other option is a proxy server such as ISA to be the intermediary so you're not exposing the Exchange server.

HTH
0
 
LVL 10

Assisted Solution

by:Michael Ian Claridge
Michael Ian Claridge earned 100 total points
ID: 37744004
Publish the OWA URL through TMG.
But note I am in agreement with the comments above, TMG is essentially x64 ISA.
0

Featured Post

Backup Solution for AWS

Read about how CloudBerry Backup fully integrates your backups with Amazon S3 and Amazon Glacier to provide military-grade encryption and dramatically cut storage costs on any platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question