Solved

Exchange 2010 DMZ query

Posted on 2012-03-20
Last Modified: 2012-03-21
Hi

I am planning to upgrade to Exchange 2010. I need some help understanding my options for configuring OWA and ActiveSync connections to come in securely from the Internet.

As I currently understand it, we can have a single server on the domain hosting the mailbox, hub and client access server roles.

If we want OWA and ActiveSync, we could publish port 443 out through the firewall; however, to be secure, this should be done with a system in the DMZ. I'm reading about the Edge Transport Role, Threat Management Gateway and Forefront Protection - which of these do I need?

I currently have a good anti-spam and anti-virus appliance in my DMZ which doesn't need replacing. I want to route the mail through this device.

What is the best way to route OWA and ActiveSync connections, leaving my existing anti-spam/AV appliance in place? I believe I need a reverse-proxy system so I'm not exposing my internal network to the Internet directly. In this case, I think all I need is the Edge Transport Role... does this sound correct?
Question by:failed
2 Comments
 
LVL 5

Accepted Solution

by:
kollenh earned 1600 total points
ID: 37743573
The Edge role is only for SMTP, not OWA or ActiveSync services. Basically, an Edge server does what your appliance already does, so it sounds like you don't really need one.

Yes, you can publish 443 through the firewall and it will work; it's an accepted solution but probably not best practice, particularly when your mailboxes are hosted on the same server. The risk is slightly mitigated with split roles.

The other option is a proxy server such as ISA to be the intermediary so you're not exposing the Exchange server.

HTH
0
 
LVL 10

Assisted Solution

by:Michael Ian Claridge
Michael Ian Claridge earned 400 total points
ID: 37744004
Publish the OWA URL through TMG.
But note I am in agreement with the comments above; TMG is essentially x64 ISA.
0
