Client Access Server, DMZ or no?
I have an Exchange 2003 server and a front-end server (living in the DMZ) for OWA and for connecting Outlook with RPC over HTTPS. I'm moving to Exchange 2007 soon and would like the same config. But with Exchange 2007 it would now be a Client Access Server, basically taking the role of the front-end server I have now. Should Exch07's CAS be in a DMZ or not? I'm having a hard time weighing the pros/cons of each. I don't need an Edge server, as I have an IronPort box taking that role, and that is already in the DMZ.
August 12th, 2007 7:06am
You should not have either a CAS or a FE server in the DMZ.
As you probably know, you must open many ports on your firewall to get things working.
Having the FE in the DMZ is a very old recommendation from when Exchange 2000 was new. This has not been recommended for several years.
The recommended way of doing this is to put a reverse proxy in the DMZ, preferably ISA Server; this will get you a much more secure setup.
The Edge server is optional, but if you have one, the recommended place is in the DMZ. You already have IronPort doing the same thing that Edge would have done.
August 12th, 2007 11:08am
Thanks, yeah, I initially set up with Exch 2000, and yes, you are right, there are more ports open than I'd like. Are there any links to setting up the reverse proxy you mentioned in the DMZ? Or is it really not needed, as I'll just have 443 open to the CAS server? Thanks for all the info.
August 13th, 2007 12:47am
How many ports you need to open from the ISA/reverse proxy to the CAS depends on their configuration.
TCP port 443 gives you a fully functional OWA, but no preauthentication.
This doc describes what you need to do:
http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx
It also discusses more advanced configuration of ISA.
August 13th, 2007 10:18pm