OWA, ISA and multiple CAS
Hi all,

I'm currently putting together a design/plan to implement ISA 2006 into our existing Exchange 2003/2007 environment. Details are below:

Our domain uses a single namespace (I know what you're thinking...) and as such we have moved almost all of our infrastructure to a sub domain.

Root domain: test.com.au
Sub domain: sub.test.com.au

DC's
- Windows 2008 R2
- Windows 2008

Exchange 2007 (resides in sub domain)
- 2x Mailbox servers (cluster)
- 2x CAS/HT

Exchange 2003 (resides in root domain)
- 1x Mailbox server (standalone) - will be decommissioned very soon

Exchange 2007 servers
- exchmbx1
- exchmbx2
- exchcas1
- exchcas2
- exchcluster (cluster name)

Exchange 2003 servers
- exchold1

Firewall
- clustered Cisco ASA 5520 firewall

Other Info
- Cisco ACE load balancer - load balances only HTTP/HTTPS traffic at this stage (internal)

After a fair bit of research, I understand that the best method for publishing OWA, ActiveSync etc. for our environment is by implementing Microsoft ISA Firewall into our DMZ. In our case, it becomes a little confusing with the addition of our subdomain. How do I incorporate both client access servers (CA) into the equation? In particular, SSL certificates. Ideally, the only address I want accessed from the outside is https://owa.test.com.au. How is this going to work when I have a subdomain and 2x CAS that reside in it?

Also, what is your opinion on using an internal certificate authority for this? This will only be used for around 50-100 users.

Thanks in advance.
Andrew.
March 12th, 2010 7:57am
The fact you can have subject alternative names on certificates should help with the single certificate. Internal Authority is not an issue.
March 13th, 2010 2:10am
Bit disappointed with the lack of response to this post. Perhaps I should have posted to a different forum, perhaps ISA.

For those interested, I will proceed with the following setup:
- Single NIC ISA 2006 server in DMZ
- Traffic will not bypass our Cisco Firewall but go back through it to the internal
- Open ports 80, 443 from the Outside to the ISA server (port 80 so I can redirect to port 443)
- Open port 443 from our ISA server to our 2x CAS servers
- Open port 3268 from the ISA server to our GC servers
- Purchase a 3rd party SSL certificate from Digicert (Unified Communications Certificate) with the following alternative names:
  owa.test.com.au
  exchcas1.sub.test.com.au
  exchcas2.sub.test.com.au
  exchcas1
  exchcas2
  autodiscover.test.com.au
- Install certificate on ISA and the 2x CAS servers
March 17th, 2010 6:44am
If you're going to have only one ISA (or TMG) server in your DMZ and two CAS role servers in your intranet, then you would configure a server farm in the ISA server that includes the two CAS servers. You'd install the external certificate on the ISA server's listener. The ISA will load-balance the traffic to the two CAS role servers.

I prefer to use public certificates only on the ISA server, so you might consider building an enterprise CA that is Active Directory-integrated for your internal certificates. It's basically free with the Windows license, you have control of it, and the root certificate is pushed out to all domain clients automatically.

-- Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
March 17th, 2010 9:55pm
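The commands below are an added example, not posted by either participant, showing how the certificate side of Andrew's plan and Ed's ISA server-farm advice is carried out in the Exchange 2007 Management Shell. The host and DNS names are the ones given in the thread; the file paths, the subject O/C values, the friendly name, the PFX password prompt and the use of a 2048-bit key are assumptions. The request covers every name a browser, a phone or the ISA server itself will present in a TLS handshake or Host header: the single published name, the Autodiscover name derived from the e-mail domain, and the FQDN of each CAS that ISA bridges to as a farm member. The bare short names in Andrew's list (exchcas1, exchcas2) are left out: ISA can be told to reach each farm member by FQDN, so they are not needed, and publicly trusted CAs no longer issue certificates for non-FQDN internal names. If Ed's approach is taken instead, the same request is submitted to the AD-integrated enterprise CA rather than to a public CA, and only the ISA listener certificate comes from DigiCert.

```powershell
# Added example: Exchange 2007 Management Shell, run on exchcas1 unless noted.
# Names come from the thread; paths, O/C values, friendly name and key size are assumptions.

$publishedName = 'owa.test.com.au'
$sanNames = @(
    'owa.test.com.au',            # the only name exposed on the ISA listener
    'autodiscover.test.com.au',   # Outlook/ActiveSync Autodiscover lookup for @test.com.au
    'exchcas1.sub.test.com.au',   # FQDN ISA uses when bridging HTTPS to farm member 1
    'exchcas2.sub.test.com.au'    # FQDN ISA uses when bridging HTTPS to farm member 2
)

# 1. Generate one UC/SAN request on the first CAS. The key is exportable so the same
#    certificate can be moved to exchcas2 and to the ISA listener.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$publishedName, O=Test, C=AU" `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName 'OWA UC certificate' `
    -Path 'C:\certs\owa.test.com.au.req'

# 2. Submit C:\certs\owa.test.com.au.req to the CA (DigiCert, or the enterprise CA
#    for the internal copy), save the issued certificate as owa.test.com.au.cer,
#    then import it and bind it to IIS (OWA, ActiveSync, EWS, OAB, Autodiscover).
$cert = Import-ExchangeCertificate -Path 'C:\certs\owa.test.com.au.cer'
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Export the certificate with its private key for the second farm member.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password $pfxPassword -Path 'C:\certs\owa.test.com.au.pfx'

# 4. On exchcas2: import the PFX and bind it to IIS there as well, so that whichever
#    member the ISA farm hands a session to presents a certificate that matches
#    the FQDN ISA connected to. The same PFX goes on the ISA listener.
#    Import-ExchangeCertificate -Path 'C:\certs\owa.test.com.au.pfx' -Password $pfxPassword |
#        Enable-ExchangeCertificate -Services IIS

# 5. Point the external URLs at the single published name on each CAS, so that
#    Autodiscover and OWA hand clients URLs that match the SAN list.
foreach ($cas in 'exchcas1', 'exchcas2') {
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -ExternalUrl "https://$publishedName/owa"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -ExternalUrl "https://$publishedName/Microsoft-Server-ActiveSync"
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -ExternalUrl "https://$publishedName/EWS/Exchange.asmx"
    Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
        -ExternalUrl "https://$publishedName/OAB"
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri 'https://autodiscover.test.com.au/Autodiscover/Autodiscover.xml'
}

# 6. Check: the certificate bound to IIS must list every name in $sanNames and not be near expiry.
$bound = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
$missing = $sanNames | Where-Object { $bound.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning ("IIS certificate is missing SAN entries: " + ($missing -join ', ')) }
$bound | Format-List Thumbprint, CertificateDomains, NotAfter, Services
```

Step 6 is the check worth re-running after every renewal: a CAS whose IIS certificate lacks one of the farm-member FQDNs will pass ISA's listener test (the public name is on the listener certificate) but fail the bridged connection for users that member happens to serve, which shows up as intermittent OWA and ActiveSync errors rather than an outright outage.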