OWA in Exchange 2010
Can I deploy a CAS server in my DMZ, open "some ports" to my Exchange 2010 Server and use this configuration like using a Front End OWA server in 2003?
Others have suggested the only way to deploy OWA is to use Forefront; I don't believe this to be true.
Your thoughts on using CAS in the DMZ as a "front end" server for OWA?
October 26th, 2010 1:10pm
Hi,
Deploying CAS in a DMZ is not a good idea. The best options you have are to use the TMG server or to NAT the ports into a local address on the AD site facing the internet.
/Martin
Exchange is a passion not just a collaboration software.
October 26th, 2010 1:36pm
Deploying the CAS in the DMZ is not supported by Microsoft. CAS must be placed on the internal network.
The typical route then is to publish the OWA service (and others such as ActiveSync, Outlook Anywhere, etc.) via ISA, TMG or UAG.
Principal Consultant, Silversands | www.silversands.co.uk | www.msexchange.org/neil_hobson
October 26th, 2010 2:30pm
Deploying the CAS in the DMZ is not supported by Microsoft.
While Microsoft will explain that ISA, TMG or UAG are much more than simple "firewalls", in the end all that is required is for the CAS to communicate with the Mailbox server, correct? So if I know the ports the CAS needs for communication, then I'm in no worse off shape than I am now with OWA 2003 and the swiss cheese set of ports I had to open for it!
So the question is not if MS will support it, but rather, how is using a CAS and a DMZ different than "publishing" OWA through ISA?
I should point out that my goal is to avoid buying an ISA server and its associated licensing costs.
October 26th, 2010 3:17pm
By using ISA/TMG you authenticate the users before they get on your internal LAN.
To answer your other question as to having CAS in the DMZ and MBX on the LAN: if you have the CAS in the DMZ, you need to open a list of ports as well, so you will be just as secure creating a NAT for port 443 to the CAS to your internal network.
/Martin
Exchange is a passion not just a collaboration software.
October 26th, 2010 3:24pm
Deploying the CAS in the DMZ is not supported by Microsoft.
While Microsoft will explain that ISA, TMG or UAG are much more than simple "firewalls", in the end all that is required is for the CAS to communicate with the Mailbox server, correct? So if I know the ports the CAS needs for communication, then I'm in no worse off shape than I am now with OWA 2003 and the swiss cheese set of ports I had to open for it!
So the question is not if MS will support it, but rather, how is using a CAS and a DMZ different than "publishing" OWA through ISA?
I should point out that my goal is to avoid buying an ISA server and its associated licensing costs.
It might be worth reading this:
http://blogs.msdn.com/b/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx
Principal Consultant, Silversands | www.silversands.co.uk | www.msexchange.org/neil_hobson
October 26th, 2010 3:37pm