[isapros] Re: Exchange Server 2010 Edge and TMG 2010 Integration

  • From: Tim Mullen <Thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jan 2010 17:37:01 +0000

Jim and I recently had a rather "spirited" conversation around this.  Hopefully 
we'll leave out things like "tin foil hat" this time :) (I had to, Jim).

My general thought is to start with security in depth and least privilege in 
mind.   As such, I begin the design of an Exchange Edge deployment with the 
mindset that I will not have them as domain members, but rather, simply 
stand-alone servers in a workgroup.   I guess my first question would be, what 
makes you think it is more complex and that it requires a more difficult 
configuration?

The role of the Exchange Edge is to accept SMTP mail for your domains, and 
presumably, to filter for spam and malware.  This only requires SMTP to the 
perimeter and nothing else.  If you choose to filter for recipient information, 
you can create an account for ADAM synchronization; however, I think you will 
find that the EE anti-spam options are severely lacking in that respect - the 
logic is backwards; you can allow all mail in TO someone, but not FROM someone, 
which totally defeats the purpose.  I doubt you will use the feature at all, 
which means that ADAM sync is not necessary.

Irrespective of that, the purpose of isolating the Exchange Edge box is to 
mitigate exposure should the server become compromised.  If you DO make it a 
domain member, then that box will have stored credentials for administrative 
access available to an attacker, as well as the necessary traffic rules to your 
DNS and domain controllers to fully compromise your entire network.   My main 
rule in designing DMZ structures where there is anonymous access to the public 
for services (SMTP) is that "no credentials may live on that box which may be 
used on the internal network."  Making that box a domain member breaks that.

Now, that being said, am I to understand that you also wish to provide OWA, OA 
functionality via the Edge box?  If so, I don't see why - access to those 
services requires authentication, and can further be limited to certificates, 
so direct publication via TMG to your Exchange front end is acceptable.  The EE 
box should only be used for SMTP inspection.

Here's how I do it:

I begin with a 3-leg TMG box (UAG in my case):  Internal, External, and DMZ.  I 
publish SMTP (with the filter) to the DMZ to the Exchange Edge box.  It does 
its thing.  I then smart-host deliver mail via another publishing rule to the 
internal Exchange box.  Yes, double publishing, with SMTP filter on both.

OWA/OA is directly published via 443 to my Exchange box.  The EE box is a 
stand-alone server with different credentials.  It is managed via a one-way RDP 
rule.  If the EE box is compromised, the ONLY path to the internal network is 
via the SMTP publishing rule, which is protected by the SMTP filter.  I have 
full management capabilities, there is no internal credential exposure, and 
there is only a single protocol inbound to my network.   To me, it is FAR more 
complex to securely publish and manage a domain member in the DMZ than a 
stand-alone server, and it increases the risk of exposure tremendously and 
really has little benefit.  GPOs need only be applied once on a role-based 
server, and can easily be applied via template.

That's my buck o' five.

t
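The following check script is added here and is not part of the original post; it verifies a DMZ Edge host against the three rules above: not a domain member, no stored credentials that could be replayed internally, and only SMTP plus the RDP management port listening. The expected-port list (25 and 3389) and the assumption that it runs elevated on the Edge server itself are mine, not the author's.

```powershell
# Constructed check for the stand-alone Edge design described above (added
# example, not from the original thread). Assumes it runs elevated on the
# Edge box itself. Expected listeners are an assumption: 25 for published
# SMTP and 3389 for the one-way RDP management rule from TMG.
$ExpectedListeners = @(25, 3389)
$findings = @()

# 1. The box must not be a domain member.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Host is joined to domain '$($cs.Domain)'; design calls for a workgroup server."
} else {
    Write-Host "OK: workgroup member ('$($cs.Workgroup)')."
}

# 2. No saved credentials that could be reused against the internal network.
#    cmdkey /list prints one 'Target:' line per stored credential.
$stored = cmdkey /list | Where-Object { $_ -match '^\s*Target:' }
foreach ($line in $stored) {
    $findings += "Stored credential present: $($line.Trim())"
}

# 3. Only the expected ports should be listening on non-loopback addresses.
#    netstat columns after splitting on whitespace: [1]=Proto, [2]=Local address.
$listeners = netstat -ano |
    Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' } |
    ForEach-Object {
        $local = ($_ -split '\s+')[2]                     # e.g. 0.0.0.0:25 or [::]:25
        $port  = [int]($local -split ':')[-1]
        $addr  = $local.Substring(0, $local.LastIndexOf(':'))
        [pscustomobject]@{ Address = $addr; Port = $port }
    } |
    Where-Object { $_.Address -ne '127.0.0.1' -and $_.Address -ne '[::1]' } |
    Select-Object -ExpandProperty Port -Unique

foreach ($p in $listeners) {
    if ($ExpectedListeners -notcontains $p) {
        $findings += "Unexpected listener on TCP $p (only $($ExpectedListeners -join ', ') expected)."
    }
}

if ($findings.Count -eq 0) {
    Write-Host "Edge host matches the stand-alone, SMTP-only design."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

If EdgeSync or other management agents are in use, add their ports to $ExpectedListeners rather than ignoring the warning.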

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, January 20, 2010 9:01 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Exchange Server 2010 Edge and TMG 2010 Integration

I wanted to bounce a question off of the list regarding usage scenarios for 
integrating TMG 2010 with an Exchange 2010 Edge Server.  My goal is to also 
install Forefront for Exchange on the boxes, too.

My question, however, comes down to thoughts on domain membership and TMG 
utilization.

My current thought is to make the Exchange 2010 Edge Servers domain members, 
install TMG on both of them in an array, and then use that same TMG array to 
provide reverse proxy access to other resources (like OWA, OMA, OA, CWA, etc.) 
through publishing rules.

As in the past, the Exchange Product Group doesn't want the Edge Servers to be 
members of the forest in which the Exchange organization is hosted.  I ran 
across postings on the Internet that indicate this can be done but was 
wondering what the list has seen deployed so far to date.

While I could certainly dump the Edge Servers into their own perimeter network, 
that would require additional complexity, planning, and configuration for my 
client that they would like to avoid; they accept the risks presented by having 
the Edge Servers be domain members with the condition that TMG is used to 
mitigate those risks.

Thoughts?
--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com