Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Exchange 2010 with TMG using RODC in DMZ

Posted on 2013-05-12
Medium Priority
Last Modified: 2013-10-18
In our previous environment we had an Exchange 2003 dual server configuration with the Front end in a DMZ (provided by a hardware firewall) and the back end in our internal LAN, running on a windows 2003 R2 domain.  We have now rolled out a single server Exchange 2010 environment with Windows 2008 R2 domain level and have a TMG 2010 server awaiting deployment as the Exchange "front end".  Our environment has changed somewhat in the last few months - since upgrading to 2008 domain level we have deployed an RODC in the DMZ and have a number of servers connecting to it providing various services (IIS etc); which leads me to the question!

What would be the best configuration for me to use to present the exchange services through the TMG for the outside and inside access?  The TMG server needs to sit in the DMZ, and i would think now the best option would be to join it to the domain using the RODC server, or would it be best to set the TMG up as a secondary RODC Server?  We currently provide OWA, Outlook Anywhere and limited IMAP services to exchange; SMTP is locked down to only allow connections from our third party spam/av provider so unsure if i would need to direct that through the TMG as well or just leave SMTP pointing directly at the Exchange server?
Finally - would i be best using a single NIC setup or a dual NIC configuration, with one in the DMZ and one directly to the internal LAN?
Question by:Amaze_IT
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 16

Expert Comment

by:Bruno PACI
ID: 39161031

In my opinion, from a "security" point of view, the best option is to leave the TMG out of a domain, as a standalone server in the DMZ.
TMG doesn't need to be a member of a domain. You can publish internal services (like OWA) with authentication using LDAP authentication or RADIUS authentication.

In my own opinion, a DMZ should never contain a DC of an internal domain. You can create an Active Directory domain for the DMZ safely but having some DCs of your internal domain in the DMZ is not secure.

Servers in a DMZ might be hacked control of them can be taken by an external attacker... well... at least you should always think about this possibility.
In my opinion, as soon as you consider that a server in a DMZ can be controlled by an external attacker then you must consider that ALL the servers in this DMZ are also controlled, because inside the DMZ there is no firewalls between servers.

That's why having a DC of the domain inside the DMZ is not secure, even if it's a RODC.
RODC are useful in case of server robbery... In that case, you are aware that the server has been lost and you have to change passwords of each stolen account.
In a DMZ, you won't be aware that an attacker has took control of your server, so you won't have time to change passwords or disable accounts before the attacker find a way to use informations stored in the RODC...

OK. That's my opinion: no DC in the DMZ, and TMG is not a member of a domain...

If your NEED TMG to be a member of an AD domain, it's less secure but it can be considered as secured enough for your situation. But personnally I would make things so that ALL DCs are on the LAN and no DCs are in the DMZ. You'll have to open TCP ports so that TMG can reach its controllers.

What you must NEVER do is to install RODC and TMG on the same machine !!! NEVER !!!!!!!!!!
You must always consider that TMG is a target for attackers. These attackers must not find ANY information on the TMG that can be useful to go forward and attack deeper in your network.

About SMTP, as you have a av/spam partner that acts as a SMTP relay for your incoming mails, redirecting e-mail through TMG won't bring any security...

Finally, as your TMG server is already inside a DMZ you don't need TMG to act as a firewall so a unique NIC is enough for your  situation.

Have a nice day.
LVL 37

Accepted Solution

Jian An Lim earned 2000 total points
ID: 39163207
Let's start with business sense

Do you really worry about having a DMZ? do you have a security compliance to do so? what is your size, and what industries you are in?

and given TMG is end of life, do you plan to replace the product in a few years down the road?

then next topic is security related.

since you have your email flow directly out from your internal network to the internet, therefore what your DMZ design usage? inbound purpose? or just because you want to do a like-to-like exchange 2003 front end replace with TMG?

usually there is some guideline says that no direct access from internet to internal network without passing DMZ.  do you uphold them?

RODC in DMZ is really a security question on how much your DC expose. while it offers flexibility.


So to answer all your question in a straight forward manner,

1. TMG and RODC is supported. (question is do you want to, like do yo uhave a seperate IT team to run different component, will it offers complexity on RODC with TMG? remember EOL on TMG means lesser experts in some future.)

2.  whether to repoint those services to TMG or not, as discussed earlier, it is up to what you want to achieve. If you uphold the "no direct connection should allow between internal and internet", then you should push all traffic to TMG so you know that is your entry door to your network. But if you have "it is not broken why fix" rule, then it is OK to allow direct connection.

3. single NIC or dual NIC. personally i will go with dual NIC.
this is more up to the TMG design you have.
dual NIC offers a very clear direction on where is the traffic comes from, is this internal or external. Of course, if you have no such requirement, then you can go with single NIC

Author Comment

ID: 39167711
Thanks for the replies people!  to give a general response here - no there is no compliance to deal with as such; a while ago one of our clients requested that we removed all direct port 80 access into the internal network to prevent any possible exploits allowing direct connection to our systems.  This is common sense as far as I can see; I have always worked on the basis that a public facing site should ideally be isolated from the main network - unfortunately that wasn't the situation for various reasons.  For the same reason, we added a Front end to our Exchange 2003 server in the DMZ to prevent direct WWW external traffic onto an internal server.  (When I say direct access, I do mean through a hardware firewall with a translation rule in place to the internal IP address of the server).  Moving forward, We have established a DMZ on our network, and any public facing servers are being transferred into it (FTP, IIS etc).  For this reason, I was to use TMG for the Front end access for exchange 2010 instead of direct access to the server internally.

With regards to access; we are quite relaxed in what our internal staff have access to; their internet access is NATed directly through the hardware firewall to the internet, so the TMG will purely be used as a Web publishing front end - hence the single Nic setup.

To move on from this, I've actually implemented the server as a single NIC and managed to get it the OWA to publish through the TMG ok...but then run into the issue of not being able to use the same IP to register the second listener for the Outlook Anywhere/Activesync authentication; so the plan now is to have a separate IP for webmail and another for other services.  My plan is to direct all internal staff through DNS to the TMG for these services also to avoid the need for a second Virtual Site on the exchange server.
So - my next questions!  although people access the server using for all services currently, the server itself has a different name - but the internal and external URLs for the virtual folders all reference the address (although autodiscover is configured to look directly at My question is will i now need to change these to so internal is  I plan to use the address to push directly to the TMG internally and externally (I feel it will make things simpler not having to tell people to change the configuration of their phones/macs etc!) Is this approach likely to cause any issues, or would this be ok for what i am trying to achieve?
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points
ID: 39171059
well, i won't see a big issues,
just that approach will generate unnecessary connection from client to TMG then back to CAs server.

i will make split DNS, i.e. we will have consistent internal or external

the difference is the local dns should resolve locally, but when in external, then dns should point to the TMG.

this way, you will get simple design and not making your TMG the point of failure. (given if tmg failed, no one i.e. internal/external can access exchange?)

Author Comment

ID: 39171101
Thanks for the response - That is what I am thinking of doing; but doing it this way will require me to set up a secondary Virtual directory for internal clients will it not?

Essentially, what I was trying to do was make it so internal and external clients would access the TMG at, say - this would do the FBA and pass back to the CAS server.

I am also seeing massive problems with TMG being able to work at all - i can get to the FBA on webmail, and it is clearly authenticating the user, but then just hangs, and will not go any further.  If i connect directly to the CAS Server using the internal name, is works fine.  The TMG server is connected to an RODC in the DMZ, but would not have thought this would make any difference?
LVL 37

Expert Comment

by:Jian An Lim
ID: 39179747
what is the service pack of TMG (and hotfix) you are currently on?

I will do a troubleshooting about the system. at the moment, it could be anytime from hardware to configuration (harder to troubleshoot as I can't see your configuration without logging in). go through the list below and see whether it assist or not.

Given you know clearly, it is a TMG issue, you either need to work through it or skip it

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question