Replacing the DMZ for Outlook Web Access to Exchange 2010 CAS
Posted on 2014-02-24
For the last few years I've been running clients on Exchange 2003 servers under Windows 2003, and for iPhone, OWA and remote Outlook user access I've been using dedicated low-level servers that run a front-end RPC/HTTP Exchange server. The RPC/HTTP server was always in a DMZ, and the only port I allowed in to that DMZ was HTTPS. Between the RPC/HTTP server in the DMZ and the Exchange server and domain controllers on the LAN, I had approx. 20 ports open for protocols such as LDAP, DCE Endpoint, RPC Netlogon access, etc. The goal of this setup was to minimize the threat of a hacker getting through to and controlling the OWA server, since even if this happened, they'd still be in the DMZ and would not have full access to the LAN.

Now looking at Exchange 2010, I am seeing that Microsoft specifically recommends against putting the CAS server in a DMZ. What is the best practice today for securing the CAS server with regards to OWA and Outlook Anywhere access via HTTPS? I've seen some references to a reverse proxy server in the DMZ which passes HTTPS through to the CAS server.
Appreciate your feedback and suggestions,
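The reverse-proxy layout the question mentions, written out as an added example (this is not configuration from the original post or from Microsoft): an nginx instance in the DMZ terminates HTTPS from the Internet and forwards only the Exchange 2010 virtual directories that remote users need to the CAS on the LAN, so the DMZ-to-LAN firewall rule shrinks to a single port (443 to the CAS) instead of the ~20 ports the old RPC/HTTP front end required. The hostnames `mail.example.com` and `cas01.corp.example`, the certificate paths, and the assumption that Outlook Anywhere uses Basic authentication over TLS are all mine, not the page's.

```nginx
# Added example, not from the original post. DMZ reverse proxy for
# Exchange 2010 CAS. Assumed firewall rules:
#   Internet -> DMZ proxy : TCP 443 only
#   DMZ proxy -> CAS      : TCP 443 only
# All hostnames, paths and addresses below are assumptions.

upstream exchange_cas {
    server cas01.corp.example:443;   # CAS on the LAN (assumed address)
}

server {
    listen 443 ssl;
    server_name mail.example.com;    # public name on the certificate (assumed)

    ssl_certificate     /etc/nginx/certs/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/mail.example.com.key;
    ssl_protocols       TLSv1.2;

    # Send bare requests to OWA rather than exposing the IIS default page.
    location = / { return 301 /owa/; }

    # Forward only the virtual directories remote users need:
    # OWA, Outlook Anywhere (/rpc), ActiveSync, Autodiscover, EWS, OAB.
    location ~* ^/(owa|rpc|Microsoft-Server-ActiveSync|Autodiscover|EWS|OAB)(/|$) {
        proxy_pass https://exchange_cas;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Outlook Anywhere (RPC over HTTP) keeps long-lived request and
        # response streams open, so buffering and short timeouts break it.
        proxy_buffering off;
        proxy_request_buffering off;   # needs nginx 1.7.11 or newer
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        client_max_body_size 0;        # large attachments / RPC streams
    }

    # Everything else on the CAS (ECP admin UI, PowerShell, IIS defaults)
    # stays unreachable from the Internet.
    location / { return 404; }
}
```

Two caveats on this layout: Exchange 2010 serves the OWA "Options" page from `/ecp`, so if remote users need it, `ecp` has to be added to the allowed list (the admin functions of ECP are then reachable too, which is the trade-off to weigh); and NTLM authentication for Outlook Anywhere does not pass cleanly through a connection-pooling proxy like this, which is why the example assumes Basic authentication inside the TLS tunnel. The proxy itself holds no domain credentials and is not domain-joined, so compromising it yields a foothold in the DMZ with one port to one host behind it, which is the property the old DMZ design was built for.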