Exchange CAS 2010 - does it need to be internet facing - i.e. public IP

Posted on 2012-03-28
Last Modified: 2012-07-01
I'm trying to figure out what I do for the A record in public DNS for autodiscover.

public dns =

internal =

What IP do I use to match up in my public DNS? I have all roles on one internal AD Exchange server. Searching the net tells me I put the "public facing" IP of the Exchange server - I have not got one?

I'm trying to set up a TMG ActiveSync rule - TMG has one DMZ interface - it's failing with unauthorized 401. I've done the internal A record and SRV record for autodiscover, but not external DNS.
Question by:philb19

Author Comment

ID: 37777302
I get a green tick with the test of the TMG ActiveSync rule, but error 401.

Phone test gets invalid username/password.

Expert Comment

ID: 37777308
Normally, you would create a NAT rule in your firewall pointing a public IP address to your CAS server, and use that public IP for your DNS entries.  What kind of firewall do you have?

Author Comment

ID: 37777326
OK thanks, I have a PIX 515.

So NAT what public IP? The public IP =

Is it easier - or an option - to put a CAS EX10 server in the DMZ?

Expert Comment

ID: 37777354
You can put the CAS server in the DMZ, but you still have to NAT it.  How many public IP addresses do you have?  Have you ever assigned one to OWA?  If so, use that one.  Do you have PDM or are you relying on the CLI to manage your firewall?

Expert Comment

ID: 37777366
Records for Exchange:
Your ISP should give you a public IP that ties to the internal IP. Once this is done, the company that hosts the public domain needs to create A records for,, PTR records, and (the ISP will need to create reverse DNS records for the public facing IP).  Then in the firewall you need to use a NAT rule that ties to the public IP, as "SuperTaco" suggested; that allows internal workstations to talk to the public IP/domain (

Also you can run a test on Exchange using
Use to check for PTR and reverse DNS for Exchange.

Expert Comment

by:Rajith Enchiparambil
ID: 37777385
SuperTaco, having a CAS in the DMZ is not supported and it is not how it works in 2010.

Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get the PIX to forward port 443 traffic on that IP to the TMG server in the DMZ (if you configure TMG fully).

If not, forward it to your CAS server internally.
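Added example, not code from the thread or from any of the posters: a PowerShell script that checks the two things the reply above depends on, seen from the outside. It resolves the public A record for autodiscover and the published mail name against a public resolver (so split-DNS internal records do not mask a missing external one), looks for the _autodiscover._tcp SRV fallback, and opens a TLS session on 443 to read back the certificate and confirm the published name is actually on it. The domain, the resolver address and the host names are assumed placeholders, and Resolve-DnsName is assumed to be available (DnsClient module, Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the thread: check what public DNS says about
# autodiscover and whether the published name answers on TCP 443 with a
# certificate that carries that name. Run it from outside the LAN, or point it
# at a public resolver as below, so you see what a phone sees.
# Assumptions: Resolve-DnsName (Windows 8 / Server 2012 or later);
# example.com, the host names and the resolver address are placeholders.

$Domain   = 'example.com'    # assumed: your SMTP domain
$Resolver = '8.8.8.8'        # assumed: any public resolver, to bypass internal DNS
$Names    = @("autodiscover.$Domain", "mail.$Domain")

function Get-PublishedHost {
    param([string]$Name)
    # The A record is the address phones connect to. For a published service it
    # must be the public (NAT'd or TMG) address, never the CAS's LAN address.
    $a = Resolve-DnsName -Name $Name -Type A -Server $Resolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{ Name = $Name; Addresses = @($a | ForEach-Object { $_.IPAddress }) }
}

function Get-AutodiscoverSrv {
    # Clients fall back to _autodiscover._tcp.<domain> when autodiscover.<domain>
    # does not resolve, so an SRV record is a valid alternative to the A record.
    Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -Server $Resolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Test-PublishedTls {
    param([string]$HostName, [int]$Port = 443)
    # Open a TLS session and read the server certificate so we can confirm the
    # published name is in the subject or SAN list. A name mismatch makes phones
    # refuse to connect regardless of any 401 from the web listener.
    # Validation is switched off here only so a bad certificate can be inspected.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        # 2.5.29.17 is the Subject Alternative Name extension
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $pattern = [regex]::Escape($HostName)
        [pscustomobject]@{
            HostName   = $HostName
            Subject    = $cert.Subject
            SAN        = $san
            NameOnCert = ($cert.Subject -match "CN=$pattern") -or ("$san" -match $pattern)
            Expires    = $cert.NotAfter
        }
    } finally { $client.Close() }
}

foreach ($n in $Names) {
    $h = Get-PublishedHost -Name $n
    if ($h.Addresses.Count -eq 0) {
        Write-Warning "$n has no public A record; phones cannot find it"
        continue
    }
    "{0} -> {1}" -f $n, ($h.Addresses -join ', ')
    Test-PublishedTls -HostName $n | Format-List
}
"SRV record (used if autodiscover.$Domain is absent):"
Get-AutodiscoverSrv
```

If NameOnCert comes back False for a name that resolves, the 443 forward is reaching something, but the certificate on that listener (TMG's or the CAS's) does not cover the published name; if the A record is missing entirely, the TMG rule and the Exchange configuration never come into play for that client.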
Author Comment

ID: 37777397
Thanks, I use both PDM and the CLI.

My big issue really - and I'm lost and tearing my hair out - is ActiveSync and the TMG rule.
This was easy with ISA 2006 and EX07.

Now with EX10 - it's one EX10 server, all roles, TMG in the DMZ - I created the rule. I get a green tick but error 401 unauthorized, and I get that error when I use the MS connectivity tool: it passes everything, but 401 at the end. I'm not even sure if autodiscover has anything to do with it. When I use the connectivity tool I don't choose autodiscover and it still fails when I manually enter the username and password. If you can help me get this working I'd really appreciate it. It's not SAN cert related, as those tests all pass.

As I say, with EX07 I never had the CAS role in the DMZ, so why should I do that with EX10? Thanks.

Author Comment

ID: 37777494
"Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get the PIX to forward port 443 traffic on that IP to the TMG server in the DMZ (if you configure TMG fully)."

THANKS - is this why the ActiveSync rule is failing? Because of autodiscover? I'm not sure how the two relate, TMG and autodiscover. Does ActiveSync fail without autodiscover in public DNS? This wasn't needed with EX07?

When you say firewall IP - I have 12 public IPs in the DMZ (the TMG server is one of these) - do you mean a particular one? The outside interface of the PIX? I have other services that use 443, Citrix and webmail on EX07, and I'm afraid of breaking them (they don't use TMG), so I don't want to be forwarding all 443 to TMG - or am I misunderstanding? Thanks for the help.

Expert Comment

ID: 37777501
As previously mentioned (not by me), you shouldn't.  I didn't realize Ex2010 was supported in the DMZ; I mostly deal with SBS.  Did you migrate the server before you had the PIX in?  If so, you may have to make some adjustments in Exchange.

Author Comment

ID: 37777530
The PIX has been in for years - I just installed EX10 on the internal LAN.

TMG rules for ActiveSync and webmail to EX10 not working, error 401.

ISA 2006 to ActiveSync and webmail to EX07 mailboxes is fine.

I have both EX07 with ISA 2006 and EX10 with TMG 2010 - the latter not working.

Expert Comment

ID: 37804764
First of all, you have 2 options.

Either NAT a public IP to the private IP of your Ex2010 server and just open ports 25, 80 and 443 (that is the easiest solution).

Or the second option: publish all Exchange services through the TMG.

If you choose the second option, the Exchange server is not NAT'ed; it just has an internal IP. What you basically do is NAT (publish) all the Exchange services on the TMG (which has 2 NICs, 1 in the DMZ and 1 on the internal network).

A simple walkthrough of TMG and Exchange is here:

Accepted Solution

philb19 earned 0 total points
ID: 37804802
I've sorted this out - using the TMG rule - I didn't have the CAS internet facing URL specified correctly on the Exchange server.
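Added example, not code from the thread or from the poster: the Exchange Management Shell commands that set the "internet facing URL" the accepted solution refers to, plus a check for the authentication setting the TMG publishing path (the second option in the earlier reply) depends on. It assumes a single all-roles server named EX10, a published name of mail.example.com on the SAN certificate and in public DNS, an autodiscover name of autodiscover.example.com, and a TMG ActiveSync rule that delegates Basic credentials to the CAS; all of those are placeholders to replace.

```powershell
# Added example, not from the thread: set and verify the external URLs a
# TMG-published Exchange 2010 CAS hands out to clients. Run in the Exchange
# Management Shell on the CAS.
# Assumptions (placeholders): server EX10, published name mail.example.com,
# autodiscover name autodiscover.example.com, TMG listener delegating Basic
# credentials to the CAS (TMG's Exchange ActiveSync publishing default).

$Server       = 'EX10'                     # assumed
$ExternalFqdn = 'mail.example.com'         # assumed: name on the SAN cert and in public DNS
$AutodFqdn    = 'autodiscover.example.com' # assumed

# 1. External URLs. Autodiscover hands these to Outlook and ActiveSync, so they
#    must carry the published name, never the internal server name.
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/Microsoft-Server-ActiveSync" -BasicAuthEnabled $true
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/OAB"

# 2. Autodiscover. Domain-joined Outlook finds the CAS through this SCP value;
#    phones and external Outlook use the public autodiscover A or SRV record.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutodFqdn/Autodiscover/Autodiscover.xml"

# 3. Verify: every ExternalUrl should use the published name and none should
#    still carry the LAN hostname or be empty.
$vdirs = @(
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-OabVirtualDirectory         -Server $Server
)
$vdirs | Select-Object Name, InternalUrl, ExternalUrl | Format-Table -AutoSize

$bad = $vdirs | Where-Object { -not $_.ExternalUrl -or $_.ExternalUrl.Host -ne $ExternalFqdn }
if ($bad) {
    Write-Warning ("ExternalUrl still wrong on: " + (($bad | ForEach-Object { $_.Name }) -join ', '))
}

# 4. Authentication on the ActiveSync vdir. A TMG rule that delegates Basic
#    credentials needs the vdir to accept Basic; if only Windows auth is left
#    on, the CAS answers 401 even though TMG's own rule test shows green.
Get-ActiveSyncVirtualDirectory -Server $Server |
    Format-List Name, BasicAuthEnabled, WindowsAuthEnabled, ExternalAuthenticationMethods
```

After the URLs are in place, Test-ActiveSyncConnectivity on the CAS exercises the same path the phone uses and will report a 401 if the authentication settings on the virtual directory and the TMG rule still disagree.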

Author Closing Comment

ID: 38142557
Fixed it myself.
