[ExchangeList] Re: Exchange Secure OWA and Active Sync - DMZ Architecture

  • From: Ravi Dogra <dogra.ravi@xxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Wed, 20 Jul 2011 01:51:46 +0530

http://www.msexchange.org
-------------------------------------------------------
Very true.

ISA is one of my options, but I will have to procure it. :-)

With my current architecture, I thought of NATting the public IP with the IP of CAS.

Is this something that can be worked upon? Or is there anything else
that is missed out as a solution?

--- I understand, NATting brings complexity and is not an up-to-the-mark
solution, but I am short of options here. --- :-(

--
RD


On Wed, Jul 20, 2011 at 1:16 AM, Rick Boza <rickb@xxxxxxxxxxxxxxx> wrote:
> http://blogs.msdn.com/b/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx
>
> The hitch seems to be people can't figure out the communications
> requirements (meaning - swiss cheesing the firewalls).
>
> Not that I think it's a good idea mind you, but I am surprised MSFT would
> take so harsh a stance.  In the past unsupported had nothing to do with
> what ports needed to be opened, or whether something was a good idea, but
> rather whether it was technically possible and supportable.
>
> Back to the original question: the best answer is probably an
> application-layer firewall or appliance (MSFT of course recommends ISA).
>
> On 7/19/11 3:39 PM, "Rick Boza" <rickb@xxxxxxxxxxxxxxx> wrote:
>
>>So, can you provide a link where Microsoft says separating the CAS server
>>via firewall (which is what you're doing when you place it in a DMZ) is
>>unsupported, and cannot be done?
>>
>>I don't recall ever seeing that.
>>
>>Thanks,
>>
>>Rick
>>
>>On 7/19/11 3:31 PM, "Milind Naphade" <milind.naphade@xxxxxxxxx> wrote:
>>
>>>Ravi,
>>>
>>>First thing. You cannot put the CAS servers in the DMZ. That is an
>>>unsupported configuration. Microsoft already has a white paper published
>>>for securing client access servers here:
>>>http://technet.microsoft.com/en-us/library/bb400932%28EXCHG.80%29.aspx
>>>and
>>>http://technet.microsoft.com/en-us/library/bb400932.aspx
>>>This should also help:
>>>http://www.msexchange.org/articles_tutorials/exchange-server-2007/security-message-hygiene/hardening-exchange-server-2007-part1.html
>>>
>>>If you want another layer of security for securing your CAS
>>>infrastructure on the internet, then there are some third-party options
>>>available in the market. I do not recommend anything, but I have seen RSA
>>>being used as 2FA for most of the companies.
>>>
>>>Regards,
>>>Milind
>>>
>>>-----Original Message-----
>>>From: exchangelist-bounce@xxxxxxxxxxxxx
>>>[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Ravi Dogra
>>>Sent: 20 July 2011 0:28
>>>To: exchangelist@xxxxxxxxxxxxx
>>>Subject: [ExchangeList] Exchange Secure OWA and Active Sync - DMZ
>>>Architecture
>>>
>>>Hello,
>>>
>>>I am looking to make OWA and Active Sync available in the most secure
>>>way. Here is my current network architecture:
>>>
>>>CCR mailbox cluster
>>>HUB+CAS (installed on same node)
>>>
>>>We have a single firewall and have two segregated networks (say
>>>'production' and 'internet'). I intend to configure something like a
>>>frontend server so that OWA and Active Sync services can be made
>>>available.
>>>
>>>I am not sure what solution will be best considering the security aspect.
>>>
>>>Please suggest.
>>>
>>>--
>>>RD
>>>-------------------------------------------------------
>>>List Archives: http://www.freelists.org/archives/exchangelist/
>>>MSExchange Newsletter: http://www.msexchange.org/pages/newsletter.asp
>>>MSExchange Articles and Tutorials:
>>>http://www.msexchange.org/articles_tutorials/
>>>MSExchange Blogs: http://blogs.msexchange.org/
>>>-------------------------------------------------------
>>>Visit TechGenix.com for more information about our other sites:
>>>http://www.techgenix.com
>>>-------------------------------------------------------
>>>To unsubscribe visit http://www.msexchange.org/pages/exchangelist.asp
>>>Report abuse to listadmin@xxxxxxxxxxxxxx
>>>
>>>
>>>
>>>
>>
>
>



-- 
Ravi Dogra
9899647200