Exchange CAS 2010 - does it need to be internet facing, i.e. a public IP?

Posted on 2012-03-28
Last Modified: 2012-07-01
I'm trying to figure out what I do for the A record in public DNS for autodiscover.

public dns =

internal =

What IP do I use to match up in my public DNS? I have all roles on one internal AD Exchange server. Searching the net tells me I put in the "public facing" IP of the Exchange server - I have not got one?

I'm trying to set up a TMG ActiveSync rule. TMG has one DMZ interface; it's failing with unauthorized 401. I've done the internal A record and SRV record for autodiscover, but not external DNS.
Question by: philb19

Author Comment

ID: 37777302
I get a green tick with the test of the TMG ActiveSync rule, but error 401.

Phone test gets invalid username/password.
LVL 10

Expert Comment

ID: 37777308
Normally, you would create a NAT rule in your firewall pointing a public IP address to your CAS server, and use that public IP for your DNS entries. What kind of firewall do you have?

Author Comment

ID: 37777326
OK thanks, I have a PIX 515.

So NAT what public IP? The public IP =

Is it easier, or an option, to put a CAS Ex10 server in the DMZ?

LVL 10

Expert Comment

ID: 37777354
You can put the CAS server in the DMZ, but you still have to NAT it. How many public IP addresses do you have? Have you ever assigned one to OWA? If so, use that one. Do you have PDM or are you relying on the CLI to manage your firewall?

Expert Comment

ID: 37777366
Records for Exchange:
Your ISP should give you a public IP that ties to the internal IP. Once this is done, the company that hosts the public domain needs to create A records for,, PTR records, and (the ISP will need to create reverse DNS records for the public facing IP). Then in the firewall you need to use a NAT rule that ties to the public IP, as "SuperTaco" suggested, that allows internal workstations to talk to the public IP/domain (

Also you can run a test on Exchange using 
Use to check for PTR and reverse DNS for Exchange.
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 37777385
Supertaco, having a CAS in the DMZ is not supported and it is not how it works in 2010.

Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get PIX to forward port 443 traffic on that IP to the TMG server in DMZ (if you configure tmg fully).

If not, forward it to your CAS server internally.

Author Comment

ID: 37777397
Thanks, I use both PDM and CLI.

My big issue really - and I'm lost and tearing my hair out - is ActiveSync and the TMG rule.
This was easy with ISA 2006 and Ex7.

Now with Ex10 it's one Ex10 server, all roles, TMG in DMZ. Created the rule; I get a green tick but error 401 unauthorised, and that error I get when I use the MS connectivity tool: it passes everything but 401 on the end. I'm not even sure if autodiscover has anything to do with it; when I use the connectivity tool I don't choose autodiscover and it still fails when I manually enter the username and password. If you can help me to get this working I'd really appreciate it. It's not SAN cert related as those tests all pass.

As I say, with Ex07 I never had the CAS role in the DMZ, so why should I do that with Ex10? Thanks.

Author Comment

ID: 37777494
"Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get PIX to forward port 443 traffic on that IP to the TMG server in DMZ (if you configure tmg fully)."

THANKS - is this why the ActiveSync rule is failing? Because of autodiscover? I'm not sure how the two relate, TMG and autodiscover? Does ActiveSync fail without autodiscover in public DNS? This wasn't needed with Ex07?

When you say firewall IP - I have 12 public IPs in the DMZ (the TMG server is one of these). Do you mean a particular one? The outside interface of the PIX? I have other services that use 443, Citrix and webmail on Ex07, and I'm afraid of breaking them (they don't use TMG), so I don't want to be forwarding all 443 to TMG. Or am I misunderstanding? Thanks for the help.
LVL 10

Expert Comment

ID: 37777501
As previously mentioned (not by me) you shouldn't. I didn't realize Ex2010 was supported in the DMZ, I mostly deal with SBS. Did you migrate the server before you had the PIX in? If so you may have to make some adjustments in Exchange.

Author Comment

ID: 37777530
PIX has been in for years; I just installed Ex10 on the internal LAN.

TMG rules for ActiveSync and webmail to Ex10 not working, error 401.

ISA 2006 to ActiveSync and webmail to Ex07 mailboxes is fine.

I have both Ex07 with ISA 2006 and Ex10 with TMG 2010; the latter is not working.

Expert Comment

ID: 37804764
First of all, you have two options.

Either NAT a public IP to the private IP of your Ex2010 server and just open ports 25, 80 and 443 (that is the easiest solution).

Or the second option: publish all Exchange services through the TMG.

If you choose the second option, the Exchange server is not NAT'ed; it just has an internal IP. What you basically do is NAT (publish) all the Exchange services on the TMG (which has 2 NICs, 1 in the DMZ and 1 on the internal network).

A simple walkthrough of TMG and Exchange is here:

Accepted Solution

philb19 earned 0 total points
ID: 37804802
I've sorted this out using the TMG rule; I didn't have the CAS internet-facing URL specified correctly on the Exchange server.
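The fix the asker describes (the CAS internet-facing URLs) and the public DNS check discussed earlier, as an added Exchange Management Shell example that is not from this thread; the host name mail.example.com, the server name EX10 and the public resolver address are assumptions to replace with your own values:

```powershell
# Added example, not from the thread. Assumed values: replace with your own.
$PublicHost = "mail.example.com"   # name in the public A record, NAT'd to the CAS or TMG
$Server     = "EX10"               # Exchange 2010 server holding the CAS role
$Resolver   = "8.8.8.8"            # any public DNS resolver (assumed), to see the outside view

# 1. Show what the CAS virtual directories currently advertise. An empty or
#    internal-only ExternalUrl is the condition the accepted fix corrected.
Get-ActiveSyncVirtualDirectory  -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Get-OwaVirtualDirectory         -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity,InternalUrl,ExternalUrl

# 2. Set the external URLs to the public host name. This name must be on the
#    certificate and must resolve, from the internet, to the public IP that the
#    PIX NATs to the CAS (or to the TMG listener that publishes it).
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -ExternalUrl "https://$PublicHost/owa"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -ExternalUrl "https://$PublicHost/EWS/Exchange.asmx"

# 3. Autodiscover: the URI the CAS advertises internally (via the SCP in AD).
#    Internet clients find it instead through autodiscover.<domain> in public DNS.
Get-ClientAccessServer | Format-List Name,AutoDiscoverServiceInternalUri

# 4. Confirm the outside view of the public names (Resolve-DnsName needs
#    PowerShell 3.0 or later; use nslookup on older hosts). The answer should be
#    the NAT'd public IP, never an RFC 1918 address leaked from internal DNS.
Resolve-DnsName -Name $PublicHost                    -Type A   -Server $Resolver
Resolve-DnsName -Name "autodiscover.example.com"     -Type A   -Server $Resolver
Resolve-DnsName -Name "_autodiscover._tcp.example.com" -Type SRV -Server $Resolver
```

After changing the URLs, run the Microsoft Remote Connectivity Analyzer test again; a remaining 401 then points at the authentication settings on the TMG listener or the virtual directory rather than at the URL configuration.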

Author Closing Comment

ID: 38142557
fixed myself
