Bharat Suneja

Thursday, May 17, 2007


CAS In DMZ Redux: Time For an OWA Appliance?

Posted by Bharat Suneja at 7:34 AM
The number of times I continue to field this question is amazing - Can the Client Access Server be located in the perimeter (DMZ) network? I wrote about it not too long ago [read previous post titled "Locating Exchange Server 2007 CAS role in the perimeter?"]. Exchange folks continue to get the standard requirement/mandate from security departments - an internal server (i.e. one located behind the internal firewall) cannot be made accessible from the internet. The security rule of thumb for long has been - if it needs to be accessed from the internet, it resides in the perimeter.

Exchange Server 2007 Client Access Server (CAS) role is not supported in the perimeter. In fact, the only role that's supported and intended for the perimeter network is the Edge Transport server. Those new to Exchange Server 2007 cannot be blamed for contemplating the possibility of making the Edge Transport server "an OWA server". It resides in the perimeter anyway, so why not?

The Edge Transport server role does not co-exist with any other server role, and it's typically not a member of your Active Directory domain. (You can locate it on the internal network if you wish, and you can install the Edge on a server that's a member of your AD domain - but that's not the intended purpose - Bharat).

The alternatives
a) You could open the necessary ports on your firewall(s) to make the CAS accessible from the internet. Yes, that's a non-starter for most. The thought may seem scary, or you may run the risk of being laughed out of your job by the security folks.
b) Publish CAS using an application-aware or application-layer firewall/SSL VPN. Microsoft's ISA Server does the job really well.

I've been very impressed with Whale Communications' implementation - their e-Gap/AirGap (I always got confused between the two - Bharat) will certainly win the approval of the most demanding security departments. Microsoft bought Whale about a year ago (read previous post - "Microsoft buys Whale Communications"), and Whale appliances are now sold as Microsoft Intelligent Application Gateway 2007 - a part of Microsoft ForeFront security solutions.

Perhaps the Exchange team should seriously think about an Edge-like equivalent of the Client Access Server role - a server that can be located in the perimeter to provide secure access to OWA, Outlook Anywhere (RPC over HTTP), POP3, IMAP4, and ActiveSync. (I'm guessing the idea must have been bounced around... ). Yes, ISA and the IAG can do it - but it may be a lot easier to deal with security folks if an Edge-like server role or appliance is available that can be located in the perimeter.

While we're on the topic - since the Edge Transport server (and the CAS equivalent I proposed) do not need to be members of an AD domain, it would be great to have these as appliances - stuff you plug in, spend a few minutes configuring (perhaps using a web-based interface), and forget about.

Are you ready for the Edge and OWA Appliances?


Sunday, October 22, 2006


Outlook on a stick?

Posted by Bharat Suneja at 11:18 AM
IBM's just-released Lotus Notes 7.0.2 has a cool new feature that IBM's been touting all over the place - Notes on a stick. It lets you copy your Notes Desktop to a USB stick (or other such devices, including an iPod. Hint: justification for writing off that iPod as a business expense... it's a storage device.. :).

You can take the USB drive or similar device to another computer running Windows and plug it in - you get your Notes Desktop. You don't need to install any software on the destination computer. While not connected to your network, you have a complete offline copy to work with, and it serves as a connected Notes Desktop with full functionality when you do have access to your VPN.

I'm hoping folks in Outlook/Exchange groups are watching this development and planning something similar.

It would be a great idea to have a complete Outlook environment - including the Microsoft Outlook client and your entire mailbox, including your Outlook rules - on a USB drive that you could simply plug into any computer and access your email - offline and online - without having to install Outlook, create a profile, or copy a PST. When you unplug the USB drive, there are no files or traces left on the destination computer.

As a sidenote, Exchange Server 2007 does have an AutoDiscover feature that automatically configures the Outlook profile - it requires Outlook 2007 client.


Sunday, July 03, 2005


Message Tracking as part of OWA/Outlook

Posted by Bharat Suneja at 12:18 PM
Message Tracking is one thing I've since long wanted to see built into the client - either as an OWA-only feature or perhaps in OWA and Outlook.

Problem: Users want to find out where a message they sent ended up - was it delivered? At what time? To which server? Same thing for inbound messages.

Solution: This is now an admin task, but it could perhaps just as easily be implemented on the client side to let users do it themselves if they wish. Users can be allowed to track only those messages they sent or inbound messages sent to them. The easiest implementation is perhaps to build the necessary web pages that query the tracking logs into the OWA interface (just like deleted message recovery is right now).

I threw the idea out there to the Exchange product team during TechEd. Let's see if Microsoft finds this feature useful enough to include it in Exchange.

Message Tracking in Exchange System Manager is great, but when you save the tracking info it is saved as XML only. There are no other options. Users find that info hard to comprehend when they come across it (with all XML tags, et al).

Another neat addition to that would be to include a little form with email fields that an admin can type in, to send that info to the concerned persons in a presentable format. It could have the internal recipient's email address already populated, and optionally one could enter addresses of more internal or external recipients.
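As an added illustration of the self-service tracking idea above (results scoped to messages the user sent or received, rendered in a readable form rather than the XML-only export), here is a Python sketch that is not from the post or from Exchange; the log record layout and all addresses are constructed for the example:

```python
# Added example: scope a self-service message-tracking query to the
# requesting user. The TrackingEvent layout and SAMPLE_LOG are constructed
# for illustration; they are not the real Exchange tracking-log format.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class TrackingEvent:
    timestamp: datetime
    server: str          # server that recorded the event
    event: str           # e.g. SUBMIT, TRANSFER, DELIVER
    sender: str
    recipients: tuple    # every recipient address on the message
    message_id: str


SAMPLE_LOG = [  # constructed sample data
    TrackingEvent(datetime(2005, 7, 3, 12, 1), "EX01", "SUBMIT",
                  "alice@example.com", ("bob@example.com",), "<m1@example.com>"),
    TrackingEvent(datetime(2005, 7, 3, 12, 2), "EX02", "DELIVER",
                  "alice@example.com", ("bob@example.com",), "<m1@example.com>"),
    TrackingEvent(datetime(2005, 7, 3, 12, 5), "EX01", "SUBMIT",
                  "carol@example.com", ("dave@example.com",), "<m2@example.com>"),
    TrackingEvent(datetime(2005, 7, 3, 12, 7), "EX02", "DELIVER",
                  "dave@example.com", ("Alice@Example.com", "bob@example.com"),
                  "<m3@example.com>"),
]


def _norm(addr: str) -> str:
    return addr.strip().lower()


def track_for_user(log, user: str, message_id: str = None):
    """Return only the events the user is entitled to see: messages they
    sent or messages addressed to them. The entitlement check lives here,
    so a caller supplying someone else's message_id gets an empty result."""
    u = _norm(user)
    return [e for e in log
            if (message_id is None or e.message_id == message_id)
            and (_norm(e.sender) == u or u in map(_norm, e.recipients))]


def summarize(events):
    """Human-readable lines, in time order, instead of raw XML."""
    return [f"{e.timestamp:%Y-%m-%d %H:%M} {e.event:<8} on {e.server}: "
            f"{e.sender} -> {', '.join(e.recipients)}"
            for e in sorted(events, key=lambda e: e.timestamp)]
```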
