Hi all, Due to how the network team here has configured out internet circuits, I am forced to put my Exchange 2007 SP3 CAS in our DMZ. I know this is bad. I have brought up the concerns of Sembee's blog and Brad Hughes blog and the official MS documents several times, but every time I am assured that our routing will not allow the CAS to function inside the DMZ. The additional wrinkle being that remote offices on my network cannot reach the DMZ internally, so I will have all kind of certificate problems with my Outlook clients if I try to use the external webmail name as my internal certificate. What I need to do is have a DMZ CAS to handle the OWA and ActiveSync connections, and an internal CAS to handle services and autodiscovery. Both of those CAS servers will have to be in the same active directory site, however the MS documentation (Understanding Proxying and Redirection) is written assuming the two CAS servers will be in different AD sites. Will I run into problems if I simply install another Exchange 2007 CAS server into my home office AD site and leave that CAS server on my LAN, while my current CAS server remains in the DMZ? The DMZ CAS will then have an external URL matching my third party SSL certificate and an internal URL of its own computer name. My LAN CAS would have an external $N$Null address and an internal address of its own computer name. Appreciate any insight!

I do understand it is not a supported configuration, but I don't have any choice. If I can't get this to work, I'm going to end up with Outlook 2007 certificate errors at all of my remote sites. I don't expect I'll have the resources to get TMG or Forefront and do any reverse proxying. The closest I might pull off is to put an Edge Transport server in the DMZ, but with a relatively new Barracuda smart host, I don't expect that's going to be a popular decision.