CAS server role in our DMZ?
We are about to deploy Exchange server 2007 as a direct migration from Exchange 2003 in Native mode.
Currently we have our Front-End server in our DMZ and we want to do a direct replacement of our Front-End 2003 server with an Exchange 2007 CAS role server. We have no need for any Edge Transport servers as we outsource our mail protection.
Do we also need the CAS role installed on our Exchange servers inside our network? We plan on having 4 Exchange servers in 4 of our 87 sites (2 big ones and 2 smaller Exchange servers).
Has anyone else out there deployed their CAS servers in a DMZ?
Has anyone else out there deployed their CAS servers only in a DMZ and none internally?
Does the CAS role provide the three features we use Front-End for:
OWA (yes),
RPC-HTTPS (it is not mentioned at http://msexchangeteam.com/archive/2006/09/12/428880.aspx),
Mail relay (or would that be just IIS SMTP, secured between our HT and outsourced spam protection)?
Thanks for your advice & links.
July 10th, 2008 7:47am
Hi Chris,
You can put it in the DMZ, but at your own cost, risk and support, because it is not tested, supported or recommended by Microsoft in any case, and it is not designed to be put in a DMZ.
In Exchange 2007, you can publish CAS using an application-aware or application-layer firewall/SSL VPN like ISA Server. Here is the procedure to do so:
Publishing Exchange Client Access with ISA 2006 - The Complete Solution
Here are some of the documents which explain why not to put CAS in the DMZ:
CAS In DMZ Redux: Time For an OWA Appliance?
Maintaining ActiveSync access to Exchange 2003 mailboxes after deployment of Exchange Server 2007 CAS role - see comment section
Planning guide for your CAS deployment:
Planning for Client Access Servers
BTW, Outlook Anywhere is formerly known as RPC over HTTP.
CAS is not designed for mail routing; for that you need to use a Hub/Edge Transport Server.
July 10th, 2008 4:25pm
Hi Amit,
I was wondering if there was any chance MS would support a CAS outside in the DMZ to handle the SSL through to OWA if there was an inside CAS server as well.
We don't want to go the route of the ISA server, and have looked at a couple of other proxy solutions, but I keep getting asked about putting 2 CAS servers in place, one in the DMZ and the one inside.
Would this be supported or even recommended? Everything I can find says no, but I need something more concrete around here... ;)
Thanks a lot!
Ivan Morrison
April 6th, 2009 5:15pm
See here for more detail on Microsoft's support stance on CAS & DMZ:
http://blogs.msdn.com/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx
Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
April 7th, 2009 7:06pm