Exchange 2007 CAS and security
Hi all. I understand that in Exchange 2007 the CAS (which is needed for OWA) must sit within the local network (not in a DMZ). What I don't understand is that if this is all sitting on the one box (the same one that also has the mail-stores) then isn't this a security risk, since OWA is more likely to be compromised and hence the mail-stores can be compromised too? I thought the old setup of F/E and B/E with a couple of holes through the firewall was a better solution?
February 13th, 2008 1:05pm
Those old 'couple of holes' between FE and BE were enough to bring down any system... six of one...
February 13th, 2008 7:47pm
Understood, but it still goes against the usual publicly accessible services in the DMZ security thingo, although I guess the reverse proxy helps. Even though it's still in the local network, would having another CAS role separate from the mailstores/CAS help tighten things?
February 14th, 2008 12:30am
Microsoft's suggestion is to separate the roles for performance reasons. If you can actually secure traffic between CAS to CAS, other Exchange roles, and AD, then you effectively can create the DMZ scenario. Then make the external URL point to that CAS farm.
February 18th, 2008 7:43am
I thought using ISA Server 2006 as a 3-leg perimeter gateway would be secure enough to protect the HT-MB-CAS server?
Please correct me if I'm wrong.
February 19th, 2008 1:15am