Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Exchange 2010 DMZ query

Posted on 2012-03-20
2
Medium Priority
?
1,041 Views
Last Modified: 2012-03-21
Hi

I am planning to upgrade to Exchange 2010. I need some help understanding my options for configuring OWA and Active sync connections to come in securely from the Internet.

As I currently understand it, we can have a single server on the domain hosting the mailbox, hub and client access server roles.

If we want OWA and Activesync, we could publish port 443 out through the firewall, however to be secure, this should be done with a system in the DMZ. I'm reading about the Edge Transport Role, Threat Management Gateway and Forefront Protection - which of these do I need?

I currently have a good anti-spam and anti-virus appliance in my DMZ which doesn't need replacing. I want to route the mail through this device.

What is the best way to route OWA and Activesync connections leaving my existing anti-spam/AV appliance in place? I believe I need a reverse-proxy system so I'm not exposing my internal network to the internet directly. In this case, I think all I need is the Edge Transport Role...does this sound correct?
0
Comment
Question by:failed
2 Comments
 
LVL 5

Accepted Solution

by:
kollenh earned 1600 total points
ID: 37743573
The Edge role is only for SMTP, not OWA or Activesync services.  Basically an Edge server does what your appliance already does so it sounds like you don't really need one.

Yes, you can publish 443 through the firewall and it will work; it's an accepted solution but probably not best practice, particularly when you're mailboxes are hosted on the same server.  The risk is slightly mitigated with split roles.

The other option is a proxy server such as ISA to be the intermediary so you're not exposing the Exchange server.

HTH
0
 
LVL 10

Assisted Solution

by:Michael Ian Claridge
Michael Ian Claridge earned 400 total points
ID: 37744004
Publish the OWA URL through TMG.
But note I am in agreement with the comments above, TMG is essentially x64 ISA.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Among the most obnoxious of Exchange errors is error 1216 – Attached Database Mismatch error of the Jet Database Engine. When faced with this error, users may have to suffer from mailbox inaccessibility and in worst situations, permanent data loss.
In this post, we will learn to set up the Group Naming policy and will see how it is going to impact the Display Name and the Email addresses of the Group.
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question