NBF

asked on

How to configure network design for TMG vm publishing exchange web services?

I would like to publish all of the Exchange web services (Autodiscover, OWA, Outlook Anywhere, ActiveSync) to the internet. NOT SMTP; that is handled separately from our filtering service.

We currently have an exchange 2010 single server environment with HT,CAS,MBX installed.

Can I create a TMG 2010 VM with a SINGLE virtual NIC joined to the domain on my internal network to handle publishing of Exchange Web Services?  Would I just punch holes in the Cisco ASA firewall and create a NAT on the Cisco ASA for HTTP and HTTPS to redirect from the external IP for mail.domain.com to the internal IP of the single-NIC TMG, or is this configuration unsupported or insecure?

I am trying to avoid having 2 NICs on the TMG, since the TMG will be a VMware ESXi 5 VM and it will be much easier to configure the TMG VM with a single NIC on a single network.  It APPEARS (I could be wrong) that I only need a single NIC on the internal network to publish Exchange, but I wanted to get more feedback in case I am misunderstanding something.

Looking at this link, it appears this is a supported configuration, but I want to make sure I am not missing anything, and I didn't see Autodiscover listed:  http://technet.microsoft.com/en-us/library/cc995236.aspx

You can publish Web servers and Outlook Web Access servers over HTTP or HTTPS. You can authenticate incoming requests and chain requests to upstream proxies. When you publish Outlook Web Access on a single network adapter computer, the following Outlook Web Access features are available:

Standard Outlook Web Access features such as sending and receiving e-mail, calendars, and other features
Exchange Outlook Mobile Access, ActiveSync, and Outlook RPC over HTTP
Forms-based authentication
Jamie McKillop

Hello,

Yes, as long as you are only publishing web-based services, you only need a single NIC in TMG.

JJ
I agree with JJ, a single-NIC TMG is enough for Exchange, just forward the ports from the ASA to the TMG.
Autodiscover is published via the Outlook Anywhere rule, if created.
All Exchange rules are Web Publishing rules.

Nevertheless I don't like single NIC TMG.
To use it as a Web Proxy too, or for other MS products, is not so far away, and some functions don't really work with a single-NIC TMG.
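A quick offline sanity check for the design agreed on above, as an added example that is not code from the thread: it parses constructed Cisco ASA 8.2-style static PAT lines and a constructed set of TMG Web Publishing rule paths, then flags any port forwarded to the TMG host beyond 80/443 (the asker wants SMTP kept elsewhere) and any Exchange virtual directory that no rule covers. The addresses, rule names and the grouping of paths into rules are assumptions.

```python
import re

# Exchange 2010 virtual directories that a complete web-services publish must
# cover (directory names are Exchange's own; their grouping into rules varies).
REQUIRED_PATHS = {"/owa/*", "/ecp/*", "/Microsoft-Server-ActiveSync/*",
                  "/rpc/*", "/Autodiscover/*", "/EWS/*", "/OAB/*"}
ALLOWED_PORTS = {80, 443}  # only web traffic should reach the single TMG NIC

# ASA 8.2-style static PAT line:
#   static (inside,outside) tcp interface <ext_port> <host> <int_port> netmask ...
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

def port_number(token):
    """Translate an ASA port keyword or a numeric port to an int."""
    return PORT_NAMES.get(token.lower()) or int(token)

def forwarded_ports(asa_lines, tmg_ip):
    """Return {external_port: internal_port} for statics that land on the TMG host."""
    ports = {}
    for line in asa_lines:
        m = STATIC_RE.match(line.strip())
        if m and m.group(2) == tmg_ip:
            ports[port_number(m.group(1))] = port_number(m.group(3))
    return ports

def audit(asa_lines, tmg_ip, tmg_rules):
    """Return (ports forwarded beyond HTTP/HTTPS, Exchange paths no rule publishes)."""
    exposed = forwarded_ports(asa_lines, tmg_ip)
    unexpected = sorted(p for p in exposed if p not in ALLOWED_PORTS)
    published = {path.lower() for paths in tmg_rules.values() for path in paths}
    missing = sorted(p for p in REQUIRED_PATHS if p.lower() not in published)
    return unexpected, missing

# Constructed sample input: placeholder addresses, not taken from the thread.
TMG_IP = "10.0.0.20"
ASA_CONFIG = [
    "static (inside,outside) tcp interface www 10.0.0.20 www netmask 255.255.255.255",
    "static (inside,outside) tcp interface https 10.0.0.20 https netmask 255.255.255.255",
    "static (inside,outside) tcp interface smtp 10.0.0.20 smtp netmask 255.255.255.255",  # mistake
    "static (inside,outside) tcp interface 3389 10.0.0.30 3389 netmask 255.255.255.255",  # other host
]
TMG_RULES = {  # constructed: /OAB/* left out on purpose so the gap is reported
    "OWA": ["/owa/*", "/ecp/*"],
    "ActiveSync": ["/Microsoft-Server-ActiveSync/*"],
    "Outlook Anywhere": ["/rpc/*", "/Autodiscover/*", "/EWS/*"],
}
```

Running `audit(ASA_CONFIG, TMG_IP, TMG_RULES)` on the sample reports the stray SMTP forward and the unpublished OAB directory.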
NBF

ASKER

Thanks guys for your input!  There will not be a possibility of using this for other services other than exchange.

Does the single NIC need to be on a DMZ segment or can it be on the internal production network with just the ports forwarded on the Cisco ASA?

Having 1 vNIC gives us the ability to vMotion this TMG VM around and also replicate it to our DR hot site, which is on a different subnet.  In a DR situation I could fail over to that VM, make just a couple of adjustments to the firewall port-forwarding rule and the rules in TMG (since the IP address will change at the DR site), and be back up and running. I like this simplistic approach.  Having a complex vNIC design like dedicated pNICs or VLANs etc. would add a lot more work to this configuration and not allow us to fail over so easily to the DR site.

I will leave this question open for a few more days in case anyone else wants to add any input or disagrees.  If there are no more comments I will accept you guys' posts as the solution.  Thanks again for your input.
ASKER CERTIFIED SOLUTION
Bembi