Exchange 2010 Reverse Proxy Discussion
I work as an architect\consultant with a lot of focus on Exchange 2010. When it comes to providing secure access to Exchange from the internet I use a reverse proxy like TMG\ISA.
The benefits for me that TMG brings to the table in my opinion warrant the introduction of the product for the customer.
I have been discussing my deployment architecture with my colleagues in the network\firewall team for a while now and I have been coming under some pressure that I am simply adding complexity for the customers by introducing a reverse proxy and the reverse proxy solves a problem that doesn’t really exist.
The Exchange team states that OWA 2010 is secure by design so no need to harden IIS after installation.
I am fully aware of the benefits that a TMG solution brings to Exchange with pre-authentication, terminating anonymous inbound internet connections outside the LAN, securing IIS paths etc.
Assuming that best practice is adhered to in the form of patching the OS, not running anything else on IIS etc., does anyone know if there is any inherent security risk in redirecting port 443 from the firewall to the CAS server?
Secunia Advisories on Exchange 2010 state no vulnerabilities and IIS 7 state none once fully patched.
Exchange 2010
http://secunia.com/advisories/product/28234/
IIS 7
http://secunia.com/advisories/product/17543/
July 1st, 2011 6:50pm
Plenty of my customers do that. Plenty use ISA or TMG. One customer is a firewall vendor so they use their own reverse proxy.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 1st, 2011 8:14pm
Ed
Thanks for the reply, although it doesn't answer my question.
I am aware that people use the access methods described.
I was looking for a discussion from the community on the merits of a reverse proxy if Exchange is already secure by design
July 6th, 2011 6:51pm
You'll probably get a better response to that in a security forum, then. The security guys are the ones who have real technical opinions on the value of web publishing. As I tried to say earlier, plenty of my customers pass web traffic straight to the server and I don't know of any problems there if they're diligent about keeping their servers patched. I do think that those who use ISA or TMG sleep a little better at night, though, and I would prefer to see an ISA/TMG configuration installed.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 6th, 2011 10:48pm
It seems you have already mentioned a lot of merits in TMG: “pre-authentication, terminating anonymous inbound internet connections outside the LAN, securing IIS paths”.
The article below has listed the features and benefits, not sure if you have seen it
TMG: Features
July 8th, 2011 2:24am
We are using Linux (CentOS) and Apache mod_proxy and it has worked fine for us. We use it for external OWA, ActiveSync and BES proxying. Never once had a problem with it, and it allows us to use a wildcard cert on it instead of buying an expensive SAN certificate with tons of SANs on it from a trusted certificate provider. Also, there are fewer patches and not a monthly patch cycle we have to coordinate downtime for.
We run it on a VM too, with 1 vCPU and 1 GB of RAM. But if you don't have VMware or any sort of virtual environment, you can use an old castaway server. It's not resource intensive at all.
ISA is a pretty expensive solution when there are free products that work just fine.
July 12th, 2011 5:07pm
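As an added example (not the poster's own configuration), here is what an Apache 2.4 mod_proxy virtual host of the kind described above could look like: it terminates TLS with a wildcard certificate, publishes only the OWA and ActiveSync paths to the internet, and re-encrypts to the CAS. The names mail.example.com, cas01.corp.example and the certificate paths are assumptions.

```apache
# Added example, not the poster's config. Assumed names: mail.example.com (public
# name on the wildcard cert), cas01.corp.example (internal Exchange 2010 CAS).
<VirtualHost *:443>
    ServerName mail.example.com

    # TLS from the internet terminates here on the wildcard certificate.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.com.key

    # Reverse proxy only; ProxyRequests Off prevents use as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Re-encrypt to the CAS and verify its certificate against the internal CA
    # (assumed path), so credentials are never in clear text on the LAN side.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt

    # Default deny: nothing on the CAS is reachable unless a Location below
    # explicitly publishes it (the "securing IIS paths" point from the thread).
    <Location />
        Require all denied
    </Location>

    # Outlook Web App
    <Location /owa>
        Require all granted
        ProxyPass        https://cas01.corp.example/owa
        ProxyPassReverse https://cas01.corp.example/owa
    </Location>

    # Exchange ActiveSync (device Basic auth passes through to the CAS)
    <Location /Microsoft-Server-ActiveSync>
        Require all granted
        ProxyPass        https://cas01.corp.example/Microsoft-Server-ActiveSync
        ProxyPassReverse https://cas01.corp.example/Microsoft-Server-ActiveSync
    </Location>

    # Send the bare site root to OWA instead of exposing the IIS default page.
    RedirectMatch ^/$ https://mail.example.com/owa/

    ErrorLog  /var/log/httpd/mail.example.com-error.log
    CustomLog /var/log/httpd/mail.example.com-access.log combined
</VirtualHost>
```

Any other Exchange virtual directory (ECP, EWS, OAB, Outlook Anywhere's /rpc) stays unreachable from the internet until a matching Location block is added deliberately.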