CAS in the DMZ isn't supported. The only role that is supported in a DMZ is 
Edge. If you want something in a protected network for HTTP traffic then ISA or 
a similar product is your only choice.

While a front-end server was tolerated (despite it making no difference to the 
security of the network), Microsoft have decided that they will not support that 
type of configuration in the future.

I would have to disagree with you Dean that CAS would be better in the DMZ. If 
the machine is compromised it doesn't help because you have to open access to 
the domain controllers, so all an attacker has to do is follow the traffic. I 
blogged on why Exchange in a DMZ is a bad idea two years ago: 
http://www.sembee.co.uk/archive/2006/02/23/7.aspx and still to date no one has 
given me a sound reason why putting any Exchange server in a DMZ is a good idea 
(except for Edge which is designed to).

Simon.


--
Simon Butler
MVP: Exchange, MCSE
Amset IT Solutions Ltd.

e: [EMAIL PROTECTED]
w: www.amset.co.uk
w: www.amset.info

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
http://CertificatesForExchange.com/ for certificates from just $23.99.
Need a domain for your certificate? http://DomainsForExchange.net/
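Both sides of this exchange turn on the same question: which ports can a compromised CAS still reach through the firewall? The script below is an added example, not code from any of the posters. Run from the Exchange server itself, it probes a domain controller for the TCP ports a domain-joined Exchange server normally needs; whatever comes back "open" is what an attacker who owns that box inherits, whichever segment it sits in. The port list, and the host name dc01.example.local, are assumptions to adjust to your own firewall rules; the RPC dynamic port range is deliberately not enumerated here.

```python
"""Audit which Active Directory ports an Exchange server (DMZ or internal)
can actually reach on a domain controller through the firewall.

Run this from the CAS: the set of ports reported 'open' is exactly what an
attacker who compromises the CAS inherits.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports a domain-joined Exchange server typically needs open to its domain
# controllers / global catalogs. This list is an assumption for illustration;
# adjust it to what your firewall team actually opened (and remember the RPC
# dynamic range on top of 135, which this script does not enumerate).
AD_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (Netlogon / Group Policy)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
}


def probe_port(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered/timed out, unreachable: all count as 'not reachable'
        return False


def probe_ports(host, ports, timeout=1.0, workers=16):
    """Probe several ports concurrently; returns {port: reachable_bool}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe_port(host, p, timeout), ports)
    return dict(zip(ports, results))


def summarise(results, names=AD_PORTS):
    """Split probe results into sorted (port, service) lists: reachable, blocked."""
    reachable = sorted((p, names.get(p, "?")) for p, ok in results.items() if ok)
    blocked = sorted((p, names.get(p, "?")) for p, ok in results.items() if not ok)
    return reachable, blocked


if __name__ == "__main__":
    import sys

    # dc01.example.local is a hypothetical domain controller name
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"
    reachable, blocked = summarise(probe_ports(dc, AD_PORTS))
    print(f"Reachable from this host to {dc}:")
    for port, name in reachable:
        print(f"  {port:>5}  {name}")
    print("Blocked:")
    for port, name in blocked:
        print(f"  {port:>5}  {name}")
```

Run it once from a box on the internal LAN and once from the DMZ segment: if the "reachable" list is the same in both places (it has to be, for the CAS to work at all), the DMZ firewall is not reducing what an attacker on the CAS can do to the domain controllers, which is the point Simon is making.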



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Cunningham
Sent: 01 May 2008 01:37
To: Exchange Discussions
Subject: RE: Exchange 2007 questions


2. If it is in its own DMZ then that is better than internal[1] - as
always I disagree with you Ed on this one :->. Agree with using some
form of web publishing as protection. For us, we use two-factor
authentication with encryption for any external access to eliminate
any general HTTP/HTTPS attacks, rather than web publishing.

Cheers
Dean
[1]If you leave your CAS internal and it is compromised, whatever
compromised it has all 64k network ports to probe your network and look
for vulnerabilities. If your CAS is in its own DMZ and it is compromised
then whatever has compromised it only has access to the ports the
firewall has allowed the CAS to.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed
Crowley
Sent: Thursday, 1 May 2008 05:15
To: Exchange Discussions
Subject: RE: Exchange 2007 questions

1.  You can but you'll want to verify that your solution is on the
supportability list.

2.  Do not put the CAS in a DMZ.  It's a huge security hole.  Use a web
publishing device or ISA server in the DMZ.  (Edge doesn't do anything for
OWA.)  Putting a CAS or front-end server in your DMZ is tantamount to
militarizing it.  That's against best practice.

For licensing questions consult Microsoft's licensing website.  But I think
you already sort of know the answer to your questions.

Now, if you're asking about the number of boxes you'll need as opposed to
the number of licenses, I can help you with that.  Depending on the number
of users, you could put the mailbox, CAS and hub transport roles on the same
box as long as you're not clustering (and I'm not talking about a virtual
server box, I mean one Exchange 2007 server), so the minimum number is one
server.

So instead of buying a separate Exchange 2007 license for a CAS in your DMZ,
buy an ISA license instead, have it do Web publishing of your OWA and
combine the CAS with your mailbox server.

Ed Crowley MCITP MCSE+I MCSE+M MCTS MVP
"There are seldom good technological solutions to behavioral problems."

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
To subscribe: http://e-newsletters.internet.com/discussionlists.html/
To unsubscribe send a blank email to [EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.
