2. If it is in its own DMZ then that is better than internal[1] - as always I disagree with you Ed on this one :->. Agree with using some form of web publishing as protection. For us we use two-factor authentication and encryption for any external access to eliminate any general HTTP/HTTPS attacks rather than web publishing.

Cheers
Dean

[1] If you leave your CAS internal and it is compromised, whatever compromised it has all 64k network ports to probe your network and look for vulnerabilities. If your CAS is in its own DMZ and it is compromised, then whatever has compromised it only has access to the ports the firewall has allowed the CAS to.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
Sent: Thursday, 1 May 2008 05:15
To: Exchange Discussions
Subject: RE: Exchange 2007 questions

1. You can but you'll want to verify that your solution is on the supportability list.

2. Do not put the CAS in a DMZ. It's a huge security hole. Use a web publishing device or ISA server in the DMZ. (Edge doesn't do anything for OWA.) Putting a CAS or front-end server in your DMZ is tantamount to militarizing it. That's against best practice.

For licensing questions consult Microsoft's licensing website. But I think you already sort of know the answer to your questions. Now, if you're asking about the number of boxes you'll need as opposed to the number of licenses, I can help you with that. Depending on the number of users, you could put the mailbox, CAS and hub transport roles on the same box as long as you're not clustering (and I'm not talking about a virtual server box, I mean one Exchange 2007 server), so the minimum number is one server. So instead of buying a separate Exchange 2007 license for a CAS in your DMZ, buy an ISA license instead, have it do Web publishing of your OWA and combine the CAS with your mailbox server.

Ed Crowley MCITP MCSE+I MCSE+M MCTS MVP
"There are seldom good technological solutions to behavioral problems."
