http://www.msexchange.org
-------------------------------------------------------
Very true. ISA is one of my options but I will have to procure it. :-)

With my current architecture, I thought of NATting the public IP with the IP of CAS. Is this something that can be worked upon? Or is there anything else that is missed out as a solution?

--- I understand, NATting brings complexity and is not an up-to-the-mark solution, but I am short of options here. --- :-(

--
RD

On Wed, Jul 20, 2011 at 1:16 AM, Rick Boza <rickb@xxxxxxxxxxxxxxx> wrote:

> http://blogs.msdn.com/b/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx
>
> The hitch seems to be people can't figure out the communications
> requirements (meaning - swiss cheesing the firewalls).
>
> Not that I think it's a good idea mind you, but I am surprised MSFT would
> take so harsh a stance. In the past unsupported had nothing to do with
> what ports needed to be opened, or whether something was a good idea, but
> rather whether it was technically possible and supportable.
>
> Back to the original question: the best answer is probably an
> application-layer firewall or appliance (MSFT of course recommends ISA).
>
> On 7/19/11 3:39 PM, "Rick Boza" <rickb@xxxxxxxxxxxxxxx> wrote:
>
>>So, can you provide a link where Microsoft says separating the CAS server
>>via firewall (which is what you're doing when you place it in a DMZ) is
>>unsupported, and cannot be done?
>>
>>I don't recall ever seeing that.
>>
>>Thanks,
>>
>>Rick
>>
>>On 7/19/11 3:31 PM, "Milind Naphade" <milind.naphade@xxxxxxxxx> wrote:
>>
>>>Ravi,
>>>
>>>First thing.. You cannot put the CAS servers in the DMZ. That is an
>>>unsupported configuration. Microsoft already has a white paper published
>>>for securing client access servers here
>>>http://technet.microsoft.com/en-us/library/bb400932%28EXCHG.80%29.aspx
>>>and
>>>http://technet.microsoft.com/en-us/library/bb400932.aspx
>>>This should also help,
>>>http://www.msexchange.org/articles_tutorials/exchange-server-2007/security-message-hygiene/hardening-exchange-server-2007-part1.html
>>>
>>>If you want another layer of security for securing your CAS
>>>infrastructure on the internet, then there are some third party options
>>>available in the market. I do not recommend anything but I have seen RSA
>>>being used as 2FA for most of the companies.
>>>
>>>Regards,
>>>Milind
>>>
>>>-----Original Message-----
>>>From: exchangelist-bounce@xxxxxxxxxxxxx
>>>[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Ravi Dogra
>>>Sent: 20 July 2011 0:28
>>>To: exchangelist@xxxxxxxxxxxxx
>>>Subject: [ExchangeList] Exchange Secure OWA and Active Sync - DMZ
>>>Architecture
>>>
>>>Hello,
>>>
>>>I am looking to make OWA and Active Sync available in the most secured
>>>way. Here is my current network architecture:
>>>
>>>CCR mailbox cluster
>>>HUB+CAS (installed on same node)
>>>
>>>We have a single firewall and have two segregated networks (say
>>>'production' and 'internet'). I intend to configure something like a
>>>frontend server so that OWA and Active Sync services can be made
>>>available.
>>>
>>>I am not sure what solution will be best considering the security aspect.
>>>
>>>Please suggest.
>>>
>>>--
>>>RD
>>>-------------------------------------------------------
>>>List Archives: //www.freelists.org/archives/exchangelist/
>>>MSExchange Newsletter: http://www.msexchange.org/pages/newsletter.asp
>>>MSExchange Articles and Tutorials:
>>>http://www.msexchange.org/articles_tutorials/
>>>MSExchange Blogs: http://blogs.msexchange.org/
>>>-------------------------------------------------------
>>>Visit TechGenix.com for more information about our other sites:
>>>http://www.techgenix.com
>>>-------------------------------------------------------
>>>To unsubscribe visit http://www.msexchange.org/pages/exchangelist.asp
>>>Report abuse to listadmin@xxxxxxxxxxxxxx
>>>
>>
>

--
Ravi Dogra
9899647200