Where should you locate Exchange Server 2007 servers with the Client Access Server (CAS) role? Is it more secure to locate them in perimeter network (aka "DMZ")?
Security teams in many organizations insist that any server reachable from external networks (i.e. the internet) must reside in a perimeter network. Locating Exchange Server 2003/2000 Front-End servers in the perimeter, though generally not recommended, was not uncommon. It required opening a number of ports from the perimeter to the DCs/GCs and Back-End servers on the internal network; the common joke was that it made your firewall look like Swiss cheese.
Nevertheless, it worked, and Microsoft provided deployment guidance for it, including firewall configuration details [read "Configuring an Intranet Firewall" in the FE/BE Topology Guide].
With Exchange Server 2007, Microsoft does not support locating CAS servers in perimeter networks. This is stated in the Exchange Server 2007 documentation ("Planning for Client Access Servers") and in many other documents as well.
CAS servers can be published to the internet using application-aware (application-layer) firewalls and devices such as Microsoft's ISA Server, or through SSL VPNs. One of my favorite implementations used Whale Communications' e-Gap appliance along with RSA's Authentication Manager (then known as ACE Server) and SecurID tokens. (Incidentally, Microsoft acquired Whale Communications last year. Hopefully some of Whale's savvy technology will show up in a future version of ISA or in some special version of an ISA appliance.)
Labels: Exchange Server 2007, Security

1 Comment:
What to do if we have one server with all roles (Mailbox, CAS and Hub Transport)? Should we open 443 directly to the Exchange server, or is there any other alternative available?