Locating Exchange Server 2007 CAS role in the perimeter?

by Bharat Suneja

Where should you locate Exchange Server 2007 servers with the Client Access Server (CAS) role? Is it more secure to locate them in perimeter network (aka “DMZ” or demilitarized zone)?

Security folks in many organizations insist that any server that needs to be accessed from external networks (i.e. the Internet) should reside in perimeter networks. Locating Exchange Server 2003/2000 Front-End servers in the perimeter – though generally not recommended – was not very uncommon. It did require opening a number of ports from the perimeter to Domain Controllers, Global Catalogs and Back-End servers on the internal network, it was commonly referred to as making your firewall look like swiss cheese by IT pros.

Nevertheless, it worked, and Microsoft provided deployment guidance, including firewall configuration details [read “Configuring an Intranet Firewall” in Front-End/Back-End Topology Guide], to make this work.

With Exchange 2007/2010, Microsoft does not support locating CAS in perimeter networks. This is stated in Exchange Server 2007 documentation – “Planning for Client Access Servers“, and many other docs as well.

CAS servers can be published to the Internet using application-aware or application-layer firewalls, reverse-proxies and devices, like Microsoft’s ISA Server, or SSL VPNs. One of my favorite implementations used Whale Communications‘ eGap appliance along with RSA’s Authentication Manager – then known as ACE Server, and RSA SecurID tokens .Incidentally, Microsoft acquired Whale Communications last year. Hopefully some of Whale’s savvy technology will show up in a future version of ISA or some special version of an ISA appliance).

{ 1 comment… read it below or add one }

Manoj July 3, 2007 at 11:27 pm

what to do if we have one server with all roles (Mailbox, CAS and HubTransport). Should we open 443 directly to Exchange server or is there any other alternate available?

Reply

Leave a Comment

Previous post:

Next post: