Exchange 2013 CAS to add

I have Exchange 2013 with all the roles on one Server 2012 R2 box. The CAS part on this server is not available from the WAN; we must VPN in to use it.
We are in need of having ActiveSync without VPN. So adding a CAS role makes sense, and NAT that for the WAN access.
What I need to know is: should CAS be in the DMZ, or on the LAN? MS said DMZ is not supported ... I have no need for an L4 load balancer as I have one server, so it is pointless to balance 1 server.

1. How to deploy ActiveSync without an LB and not directly on the LAN?
2. What's the proper deployment step in this scenario? Do I have to remove the CAS role from the "All In One" box?

thoughts ?

Will Szymkowski (Senior Solution Architect) commented:
This is pretty straightforward....

You already have all of the roles on the Exchange Server (which is recommended). All you need to do is NAT your public IP to your Exchange server and only allow 443 communication. If you have a smart host then that will pass the email to the Exchange server on port 25.

Do NOT put your Exchange server in the DMZ. Leave all of the roles on a single server. As it is a standalone server, a load balancer is not required.

Make sure that your External URL for ActiveSync is set using the external FQDN.

Once you have done that you can use to test your ActiveSync connectivity externally.
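The steps in the answer above (NAT only 443 to the single multi-role server, set the ActiveSync External URL to the external FQDN, then test) boil down to a few Exchange Management Shell commands. The following is an added example, not code from the thread or from Microsoft; the server name EX01 and the name mail.example.com are placeholders, and the external name is assumed to be on the certificate bound to IIS.

```powershell
# Added example: configure and verify the ActiveSync external URL on a
# single all-roles Exchange 2013 server. Run in the Exchange Management Shell.
$server       = "EX01"             # assumed server name (placeholder)
$externalFqdn = "mail.example.com" # assumed external FQDN (placeholder)
$externalUrl  = "https://$externalFqdn/Microsoft-Server-ActiveSync"

# 1. Point the ActiveSync virtual directory at the external name, so
#    devices coming in through the NAT are handed the public FQDN.
Get-ActiveSyncVirtualDirectory -Server $server |
    Set-ActiveSyncVirtualDirectory -ExternalUrl $externalUrl

# 2. Confirm what clients will now be told.
Get-ActiveSyncVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl

# 3. Check that the certificate assigned to IIS covers that name and has not
#    expired; otherwise devices will refuse the TLS connection on 443.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 4. Exercise the ActiveSync path end to end from inside. This uses the test
#    mailbox created by the New-TestCasConnectivityUser.ps1 script that ships
#    with Exchange; create it first if the cmdlet complains it is missing.
Test-ActiveSyncConnectivity -ClientAccessServer $server
```

The external check is what proves the NAT rule works: from a network outside the firewall, only TCP 443 to the public address should answer, and the ActiveSync endpoint at the external URL should return an HTTP 401 (authentication required) rather than a timeout or a certificate name mismatch. Microsoft's Remote Connectivity Analyzer (testconnectivity.microsoft.com) runs that test against the public name without any client device.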


mmivan (Author) commented:
Will, let me clarify. Once upon a time, we had what you are suggesting. WAN --> NAT --> EX on LAN. Lacking security in my opinion.

Now I'd like additional layer of security.
I'd like to make it more secured and flexible (resilient) by adding another CAS.

And I believe it is not recommended by MS to have all in one. Where did you see that MS recommends what I had above? WAN --> NAT --> EX on LAN.
It would be easy if I had TMG or ISA to proxy the EX services (ActiveSync, OWA, WebApp etc.), but this is no longer recommended by MS (since EX 2010), and CAS is not recommended to be in the DMZ.
Will Szymkowski (Senior Solution Architect) commented:
And I believe it is not recommended by MS to have all in one.

I am referring to all of the Exchange roles on one server. This is the recommended setup. The below link outlines the "preferred architecture" for Exchange. Look under Servers as it will outline that multi-role servers are a best practice.

And how is NAT-ing SSL through your firewall not secure for OWA and or ActiveSync? Please elaborate on this.

mmivan (Author) commented:
Correct, recommended setup for more than one server (and we have just one).

I did not say NAT with SSL is not secure, I said lacking security.

WAN -> DMZ -> LAN or WAN -> LB -> LAN is way better than WAN -> LAN:
another hop in between.