We're considering introducing Exchange 2010 ActiveSync into our environment. For one of the domains, we have 2 Exchange 2010 multirole servers running CAS, HUB, and Mailbox. We also run F5 load balancers.
For security reasons (and not performance), we're considering adding 2 dedicated CAS servers for ActiveSync. We would have 2 for redundancy. They would sit on the internal network. The F5 would sit on the DMZ and act as a reverse proxy.
My question: Is having dedicated CAS servers for ActiveSync more secure than running ActiveSync off the multirole servers? It seems like dedicated CAS servers would have a smaller attack surface.