Exchange 2013 Publishing without Forefront TMG or UAG

I am an IT manager with a new startup and we're about to begin creating our domain in the development lab and then move it to production rather quickly.

We would like to use only Server 2012 for our OS, but I am having trouble finding ways to publish things like Exchange 2013 (OWA and ActiveSync) and multiple websites using only Server 2012's UAG.

I know that it would be simple to go back to 2008 R2 for the firewall and use TMG SP3 or UAG (Forefront) SP(1?) to get the job done, but that seems like a step backward as it looks like both of those technologies are dead in the water. I know Microsoft didn't drop UAG but has incorporated a version of it into Server 2012.

Is my best bet here to use a combination of UAG (2012 built-in) and IIS to act as a reverse proxy/firewall and then place a third-party firewall in front of that to limit ports (opening the server's and firewall's as needed)? This seems like a very messy and inefficient way to get the job done but does seem possible (although IDK how it will work with Exchange needing so many special cases).

If you can point me in the right direction for either a third-party firewall that will publish OWA and ActiveSync (and websites) while acting as a reverse proxy for them, I'd appreciate it. If the response is an article on how to get that done with Server 2012, even better. I want to get this done properly from the start.

For those of you who will tell me to search the forums and Google, I have been since I heard TMG is being dropped, and I've come up with TMG as the solution (with SP3) OR UAG with SP1 on Server 2008 R2. While I love R2, I know there has to be a way to do this.

July 26th, 2013 2:26am

I don't know about your other websites, but for OWA, ActiveSync, OA, etc., port 443 may be enough (some people use 80 too and then redirect to 443) on the perimeter (3rd-party) firewall.

The server firewall should set up ports automatically.

You might consider this replacement for TMG (if a 3rd-party product is an option):

http://www.jaapwesselius.com/2013/05/19/kemp-edge-security-pack-endpoint-security-and-microsoft-tmg-qa-with-bhargav-shukla/

July 26th, 2013 7:18am

Hi

Any update on this issue?

Cheers


July 27th, 2013 2:24am

So what I'm guessing is to place something like an ARR server behind a firewall (with another firewall between it and the OWA, ActiveSync, etc.) and just have it forward 443 from autodiscover.site.com (or activesync.site.com, mail.site.com) to the appropriate server. I can't really think of an easier way to do this without causing too much issue. I know that we will have a static IP AND certificates for each of these, so we should be good with:

Internet -> Hardware firewall -> ARR -> Firewall -> CAS/OWA/AS/WEB Farm

Alternatively

Internet -> UAG (Server 2012)* w/ ARR -> Internal firewall -> CAS/OWA/AS/Web Farm

I realized this is a valid combination once I set up a test lab, but I'm wondering if we even need an internal firewall at this stage (might get a hardware one).

*Server 2012 can act as a gateway with the UAG/Routing remote services service installed, so if we shut down all of the ports to that we *should* have a secure system, then use ARR on that.

I found this guide: http://www.direktorn.com/configure-iis-arr-as-a-reverse-proxy-replacement-for-tmg/

and it looks promising, but I do thank you for your help, as you reminded me that all of those *could* go over 443 with an ARR to do the proxy.

July 27th, 2013 8:46pm
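An illustration of the "Internet -> firewall -> ARR -> CAS farm" layout sketched in the last post, added here as an example and not taken from the thread or the linked guide: a URL Rewrite rule set on the ARR host that forwards HTTPS requests for mail.site.com and autodiscover.site.com to an ARR server farm, redirects port 80 to 443, and lets any other Host header fall through. The farm name exchange-cas, the backend names cas01/cas02.corp.example and the health-check path are placeholders/assumptions.

```xml
<!-- Added example, not from the thread. Part 1: applicationHost.config on the ARR host. -->
<system.webServer>
  <!-- Enable ARR proxying; keep the client's Host header so the CAS sees mail.site.com, not the farm name -->
  <proxy enabled="true" preserveHostHeader="true" reverseRewriteHostInResponseHeaders="false" />
</system.webServer>
<webFarms>
  <webFarm name="exchange-cas" enabled="true">
    <server address="cas01.corp.example" enabled="true" />   <!-- placeholder backend -->
    <server address="cas02.corp.example" enabled="true" />   <!-- placeholder backend -->
    <applicationRequestRouting>
      <!-- Assumed probe path: Exchange 2013 serves a healthcheck.htm under each virtual directory.
           ARR sends this URL to every farm member and drops members that stop returning HTTP 200. -->
      <healthCheck url="https://mail.site.com/owa/healthcheck.htm" interval="00:00:30" timeout="00:00:10" />
      <protocol timeout="00:02:00" />
    </applicationRequestRouting>
  </webFarm>
</webFarms>

<!-- Part 2: web.config of the Default Web Site on the ARR host. The host is bound only on 80 and 443;
     the perimeter firewall in front of it allows only those two ports inbound. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Anything arriving on port 80 is redirected to 443; nothing is proxied in clear text -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- Only the published host names are forwarded to the farm (rewrite target is the farm name);
             requests for any other Host header match no rule and get IIS's own 404 instead of a backend -->
        <rule name="Exchange to CAS farm" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^(mail|autodiscover)\.site\.com$" />
          </conditions>
          <action type="Rewrite" url="https://exchange-cas/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The certificate for mail.site.com/autodiscover.site.com is bound on the ARR site, and ARR re-encrypts to the CAS members, so the internal firewall between ARR and the farm still only needs 443 open towards the backends.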
