CAS In DMZ Redux: Time For an OWA Appliance?

by Bharat Suneja

The number of times I continue to field this question is amazing – Can the Client Access Server be located in the perimeter (DMZ) network? I wrote about it not too long ago [read previous post titled “Locating Exchange Server 2007 CAS role in the perimeter?“]. Exchange folks continue to get the standard requirement/mandate from security departments – an internal server (i.e. one located behind the internal firewall) cannot be made accessible from the internet. The security rule of thumb for long has been – if it needs to be accessed from the internet, it resides in the perimeter.

Exchange Server 2007 Client Access Server (CAS) role is not supported in the perimeter. In fact, the only role that’s supported and intended for the perimeter network is the Edge Transport server. Those new to Exchange Server 2007 cannot be blamed for contemplating the possibility of making the Edge Transport server “an OWA server”. It resides in the perimeter any way, so why not?

The Edge Transport server role does not co-exist with any other server role, and it’s typically not a member of your Active Directory domain. (You can locate it on the internal network if you wish, and you can install the Edge on a server that’s a member of your AD domain – but that’s not the intended purpose – Bharat).

The alternatives
a) You could open the necessary ports on your firewall(s) to make the CAS accessible from the internet. Yes, that’s a non-starter for most. The thought may seem scary, or you may run the risk of being laughed out of your job by the security folks.
b) Publish CAS using an application-aware or application-layer firewall/SSL VPN. Microsoft’s ISA Server does the job really well.

I’ve been very impressed with Whale Communications’ implementation – their e-Gap/AirGap (I always got confused between the two – Bharat) will certainly win the approval of the most demanding security departments. Microsoft bought Whale about a year ago (read previous post – “Microsoft buys Whale Communications“), and Whale appliances are now sold as Microsoft Intelligent Application Gateway 2007 – a part of Microsoft ForeFront security solutions.

Perhaps the Exchange team should seriously think about an Edge-like equivalent of the Client Access Server role – a server that can be located in the perimeter to provide secure access to OWA, OutlookAnywhere (RPC over HTTP), POP3, IMAP4, and ActiveSync. (I’m guessing the idea must have been bounced arond… ). Yes, ISA and the IAG can do it – but it may be a lot easier to deal with security folks if an Edge-like server role or appliance is available that can be located in the perimeter.

While we’re on the topic – since the Edge Transport server (and its CAS equivalent I proposed) do not need to be members of an AD Domain, it would be great to have these as appliances – stuff you plug-in, spend a few minutes configuring – perhaps using a web-based interface, and forget about.

Are you ready for the Edge and OWA Appliances?

{ 3 comments… read them below or add one }

Nite February 4, 2008 at 1:24 pm

So – nearly a year later, and where are we on this? Is there some better solution than using ISA or IAG?


Brian Frank March 11, 2009 at 4:04 pm

2 years later and we are still without a good soultion here! I really do not want to implement an ISA server just for this.


Bharat Suneja March 11, 2009 at 4:47 pm

After having worked with ISA 2006 (and forthcoming ForeFront Threat Management Gateway (TMG – the new name for ISA), I can say I really like ISA!

Download ForeFront Threat Management Gateway Beta 2.

Not the simple OWA appliance one wants for the DMZ, but it’s an impressive product nonetheless to securely publish Exchange (and other) services, as well as an excellent firewall/vpn product (Whitepapers), imo.


Leave a Comment

Previous post:

Next post: