• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 661
  • Last Modified:

Exchange CAS 2010 - does it need to be internet facing - ie public IP

Im trying to figure what i do for A record in public DNS for autodiscover

public dns = company.com.au

internal = town.company.com.au

what IP do i use to match up autodiscover.company.com.au in my public DNS - i have all roles on 1 internal AD exchnage server. searching net tells me i put the "public facing" ip of the exchange server - I have not got 1?

Im trying to setup TMG active sync rule - TMG has one DMZ interface - its failing with unauthorized 401 - ive done the internal a record and srv record for autodiscover - but not external dns
1 Solution
philb19Author Commented:
i get green tick with test of tmg active synch rule - but error 401

phone test get invalid username password
Normally, you would create a NAT rule in your firewall pointing a public IP address to your CAS server, and use that public IP for your DNS entries.  What kind of firewall so you have?
philb19Author Commented:
ok thanks i have a pix 515

so nat what public ip - ? the public IP =

is it easier - or an option to put a cas ex10 srver in the dmz
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

You can put the CAS server in the DMZ, but you still have to NAT it.  How many public Ip addresses do you have?  have you ever assinged one to OWA>  If so use that one.  do you have PDM or are you relying on CLI do manage your firewall?
Records for exchange,
your ISP should give you an public ip that ties to the internal ip. Once this is done the company that hosts the public domain needs to create a records for autodiscover.domain.com, exchange.domain.com, ptr records, and (ISP will need create reverse dns records for public facing IP)  Then in the firewall you need to use NAT rule that ties to the public ip as "SuperTaco" suggested the allows internal workstations to talk to the public Ip/domain (exchange.domain.com)

Also you can run a test on exchange using http://testexchangeconnectivity.com/ 
Use http://mxtoolbox.com/ to check exchange.domain.com for PTR and Reverse DNS  for exchange.
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
Supertaco, having a CAS in the DMZ is not supported and it is not how it works in 2010.

Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get PIX to forward port 443 traffic on that IP to the TMG server in DMZ (if you configure tmg fully).

If not, forward it to your CAS server internally.
philb19Author Commented:
thanks i use both pdm and cli

my big issue really - and im lost and tearing my hair out - is activesync and TMG rule
this was easy with isa2006 and ex7

now with ex10 - its one ex10 server - all roles  TMG in dmz - created the rule - i get a green tick but error 401 unauthorised and that error i get when i use MS connectivity tool - passes everyhting - but 401 on the end - im not even sure if autodiscover has anything to do with it - when i use the connectivity tool - i dont choose autodiscover and it still fails - when i manual in the username and password - if you can help me to get this working id really appreciate it - its not SAN cert related as those tests all pass

as i say with ex07 i never had the cas role in dmz - so why should i do that with ex10 - thanks
philb19Author Commented:
" Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get PIX to forward port 443 traffic on that IP to the TMG server in DMZ (if you configure tmg fully).

THANKS - is this why activesync rule is failing? - because of autodiscover - im not sure how the 2 relate TMG and autodiscover? does the active sync fail without autodiscover in public DNS? this wasnt needed with ex07?

when you say firewall IP - i have 12 public IP's in DMZ  (TMG server 1 of these)- do you mean a particular 1? - the outside interface of PIX? - fi have other service that use 443 citrix and webmail on ex07 - im afraid of breaking them (they dont use tmg) so i dont want to be forwarding all 443 to tmg - or am i misunderstanding - thanks for help
As previously mentioned (not by me) you shouldn't.  I didn't realize Ex2010 was supporte din the DMZ, I mostly deal with SBS.  did you migrate the server before you had the PIX in?  If so you may have to make some adjustments in exchange
philb19Author Commented:
pix been in foy years - i just installed ex10 on internal lan

tmg rules for Activesync and webmail to ex10 not working errror 401

isa2006 to asynch and webmail to ex07 mailboxes is fine

i have both ex07 with isa2006 and ex10 with tmg 2010 - the latter not working
First of all, you have 2 option.

Either to NAT a public IP into the private IP of your Ex2010 server and just open ports 25, 80 and 443 (that is the easiest solution).

Or the second option: to publish all Exchange services trough the TMG.

If you choose the second option, Exchange server is not NAT'ed, it just have an internal IP. What you basically do, is that you NAT (publish) all the Exchange services on the TMG (which has 2 nics, 1 in DMZ and 1 on the internal network).

A simple walktrough of TMG and Exchange is here: http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
philb19Author Commented:
ive sorted this out - using tmg rule - i didnt have cas internet facing url specified correctly on the exch server
philb19Author Commented:
fixed myself
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now