Exchange 2010 CAS - does it need to be internet facing, i.e. have a public IP?

I'm trying to figure out what I do for the A record in public DNS for autodiscover

public dns =

internal =

What IP do I use to match up in my public DNS? I have all roles on 1 internal AD Exchange server. Searching the net tells me I put the "public facing" IP of the Exchange server - I have not got one?

I'm trying to set up a TMG ActiveSync rule. TMG has one DMZ interface. It's failing with 401 unauthorized. I've done the internal A record and SRV record for autodiscover, but not external DNS.
philb19Author Commented:
I get a green tick with the test of the TMG ActiveSync rule, but error 401.

Phone test gets invalid username/password.
Normally, you would create a NAT rule in your firewall pointing a public IP address to your CAS server, and use that public IP for your DNS entries. What kind of firewall do you have?
philb19Author Commented:
OK, thanks. I have a PIX 515.

So NAT what public IP? The public IP =

Is it easier, or an option, to put a CAS Ex10 server in the DMZ?
You can put the CAS server in the DMZ, but you still have to NAT it. How many public IP addresses do you have? Have you ever assigned one to OWA? If so, use that one. Do you have PDM or are you relying on the CLI to manage your firewall?
Records for Exchange:
Your ISP should give you a public IP that ties to the internal IP. Once this is done, the company that hosts the public domain needs to create A records for ,, PTR records, and (the ISP will need to create reverse DNS records for the public-facing IP). Then in the firewall you need to use a NAT rule that ties to the public IP as "SuperTaco" suggested; the allows internal workstations to talk to the public IP/domain (

Also you can run a test on Exchange using 
Use to check for PTR and reverse DNS for Exchange.
Rajith Enchiparambil (Office 365 & Exchange Architect) Commented:
Supertaco, having a CAS in the DMZ is not supported, and it is not how it works in 2010.

Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get the PIX to forward port 443 traffic on that IP to the TMG server in the DMZ (if you configure TMG fully).

If not, forward it to your CAS server internally.
philb19Author Commented:
Thanks, I use both PDM and CLI.

My big issue really - and I'm lost and tearing my hair out - is ActiveSync and the TMG rule.
This was easy with ISA 2006 and Ex7.

Now with Ex10 it's one Ex10 server, all roles, TMG in the DMZ. I created the rule; I get a green tick but error 401 unauthorised, and that is the error I get when I use the MS connectivity tool: it passes everything but gives 401 at the end. I'm not even sure if autodiscover has anything to do with it; when I use the connectivity tool I don't choose autodiscover and it still fails when I manually enter the username and password. If you can help me to get this working I'd really appreciate it. It's not SAN cert related, as those tests all pass.

As I say, with Ex07 I never had the CAS role in the DMZ, so why should I do that with Ex10? Thanks.
philb19Author Commented:
"Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get PIX to forward port 443 traffic on that IP to the TMG server in DMZ (if you configure tmg fully)."

THANKS - is this why the ActiveSync rule is failing? Because of autodiscover? I'm not sure how the two relate, TMG and autodiscover. Does ActiveSync fail without autodiscover in public DNS? This wasn't needed with Ex07?

When you say firewall IP - I have 12 public IPs in the DMZ (the TMG server is 1 of these). Do you mean a particular one? The outside interface of the PIX? I have other services that use 443 (Citrix and webmail on Ex07). I'm afraid of breaking them (they don't use TMG), so I don't want to be forwarding all 443 to TMG - or am I misunderstanding? Thanks for the help.
As previously mentioned (not by me), you shouldn't. I didn't realize Ex2010 was supported in the DMZ; I mostly deal with SBS. Did you migrate the server before you had the PIX in? If so, you may have to make some adjustments in Exchange.
philb19Author Commented:
The PIX has been in for years; I just installed Ex10 on the internal LAN.

TMG rules for ActiveSync and webmail to Ex10 are not working, error 401.

ISA 2006 to ActiveSync and webmail for Ex07 mailboxes is fine.

I have both Ex07 with ISA 2006 and Ex10 with TMG 2010; the latter is not working.
First of all, you have 2 options.

Either NAT a public IP to the private IP of your Ex2010 server and just open ports 25, 80 and 443 (that is the easiest solution).

Or the second option: publish all Exchange services through the TMG.

If you choose the second option, the Exchange server is not NAT'ed; it just has an internal IP. What you basically do is NAT (publish) all the Exchange services on the TMG (which has 2 NICs, 1 in the DMZ and 1 on the internal network).

A simple walkthrough of TMG and Exchange is here:
philb19Author Commented:
I've sorted this out, using the TMG rule. I didn't have the CAS internet-facing URL specified correctly on the Exchange server.
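The fix the author describes (the CAS internet-facing URLs) and the "publish through TMG" option above both come down to the ExternalUrl on each CAS virtual directory matching the public name used in the TMG publishing rule and on the SAN certificate. The following is an added example run from the Exchange 2010 Management Shell, not the author's own commands; the server name EX10, the public hostname mail.example.com and autodiscover.example.com are assumed placeholders.

```powershell
# Constructed example: replace the placeholders with the real CAS name and the public
# hostname that the TMG publishing rule and the SAN certificate use.
$Server  = "EX10"                 # assumed CAS server name
$ExtHost = "mail.example.com"     # assumed public hostname published by TMG
$AutoD   = "autodiscover.example.com"  # assumed autodiscover hostname (public A record)

# Set the internet-facing URL on every client-facing virtual directory.
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$ExtHost/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" `
    -ExternalUrl "https://$ExtHost/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" `
    -ExternalUrl "https://$ExtHost/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -ExternalUrl "https://$ExtHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" `
    -ExternalUrl "https://$ExtHost/OAB"

# Autodiscover URI handed to domain-joined Outlook clients via the SCP.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoD/Autodiscover/Autodiscover.xml"

# Verification: list every virtual directory whose ExternalUrl is empty or still
# points at a hostname other than the published one (these are the ones TMG
# would forward to, but the CAS would answer with the wrong name).
$vdirs = @(
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-OabVirtualDirectory         -Server $Server
)
$bad = $vdirs | Where-Object { -not $_.ExternalUrl -or $_.ExternalUrl.Host -ne $ExtHost }
if ($bad) {
    Write-Warning "Virtual directories still not published as $ExtHost :"
    $bad | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
} else {
    "All client-facing virtual directories on $Server publish as $ExtHost"
}
```

After changing the URLs, run `iisreset` on the CAS and re-test with the Remote Connectivity Analyzer; the public name in the TMG web listener and publishing rule must be the same hostname.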

philb19Author Commented:
Fixed myself.