Setting up a second 'CAS only' server in DMZ

  • Question

  • I've searched online and have not found a definitive answer to my question.  We currently have an Exchange 2010 SP1 server running all services.  Inbound email is directed to a mail security appliance in our DMZ, and then forwarded to the Exchange Server.  We currently do not have any ActiveSync or OWA access.  Here is a diagram:

    (diagram: Exchange Configuration)

    We want to put a 'CAS only' server in the DMZ to allow for ActiveSync and OWA.  My research indicates that the only port that needs to be opened to allow access from the Internet is 443.  KB259369 states that 990, 999, 5721, 5678, 5679 and 26675 need to be open for ActiveSync to work.  This is where I am confused.  Are these ports necessary for Internet connectivity?  Or are these necessary between the two Exchange Servers?  If not, what ports are needed for communications between the two Exchange Servers?  Do I also need 135/139/445 to allow AD communications?

    For security reasons, I need to restrict communication to/from this new Exchange Server to only the ports/protocols necessary from both the LAN and the WAN.

    Any links to articles/posts would be really helpful.

    Thanks,

    Eric

    Tuesday, March 5, 2013 7:48 PM

Answers

  • Although putting a CAS in a DMZ was common maybe 10 years ago, these days it isn't considered a good thing to do. Try searching for 'CAS in DMZ' and you'll find lots of articles telling you why you ought not to do it. So, for that reason, you won't find any articles telling how to do it.

    Having said that, if you are sure that you still want to do it, then all the ports you mention are only required for the server's participation in Active Directory and the Domain. On the internet side, you will just want to have 443 open (unless you also want SMTP and IMAP and/or POP).


    blog.leederbyshire.com


    • Edited by Lee Derbyshire Thursday, March 7, 2013 12:39 PM
    • Marked as answer by WingFan Monday, September 9, 2013 10:49 PM
    Thursday, March 7, 2013 12:38 PM
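    The answer's split (443 from the Internet, everything else only from the LAN side) is easy to state and easy to get wrong in a firewall rule base, so here is an added example, not code from the original thread, that checks it from the outside: a small Python exposure check that probes the DMZ host and reports any port that answers but should not. The host name cas.example.com is an assumption; the port numbers are the ones the question and answer name. Run it from the Internet side with EXPECTED_FROM_INTERNET, then again from the LAN side with whatever your LAN-to-DMZ policy is supposed to allow.

```python
"""Exposure check for the DMZ CAS discussed above.

Added example, not code from the original thread. HOST is an assumption;
the port numbers are the ones the question and answer name. Run it from the
Internet side with EXPECTED_FROM_INTERNET, then from the LAN side with the
set your LAN-to-DMZ policy is supposed to allow.
"""
import socket
from typing import Callable, Dict, Set

HOST = "cas.example.com"  # assumption: public name of the DMZ CAS

# Ports the thread names, grouped by what the posters say they are for.
EXPECTED_FROM_INTERNET: Set[int] = {443}                  # the only port the answer wants open to the Internet
KB_PORTS: Set[int] = {990, 999, 5721, 5678, 5679, 26675}  # the list the asker quotes from KB259369
AD_PORTS: Set[int] = {135, 139, 445}                      # the AD/SMB ports the asker asks about
OPTIONAL_MAIL: Set[int] = {25, 143, 110}                  # SMTP/IMAP/POP, only if you want them from outside

Probe = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes, i.e. the firewall lets the port through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def audit_exposure(host: str, candidates: Set[int], expected_open: Set[int],
                   probe: Probe = tcp_connect) -> Dict[str, object]:
    """Probe every candidate port plus the expected ones and compare with the policy.

    'unexpected_open' is the finding that matters: a port the policy says should
    be closed from this vantage point but which completed a handshake.
    """
    results = {p: probe(host, p) for p in sorted(candidates | expected_open)}
    unexpected = sorted(p for p, up in results.items() if up and p not in expected_open)
    missing = sorted(p for p in expected_open if not results[p])
    return {
        "open": sorted(p for p, up in results.items() if up),
        "unexpected_open": unexpected,
        "expected_but_closed": missing,
        "ok": not unexpected and not missing,
    }


def fake_probe(open_ports: Set[int]) -> Probe:
    """A probe that answers from a fixed set, for dry runs without a network."""
    return lambda host, port: port in open_ports


if __name__ == "__main__":
    report = audit_exposure(HOST, KB_PORTS | AD_PORTS | OPTIONAL_MAIL, EXPECTED_FROM_INTERNET)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    A clean Internet-side run reports open: [443] and ok: True; anything in unexpected_open is a rule that leaks. The probe is injected so the policy comparison can be exercised with fake_probe before pointing it at a live host.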

All replies

  • Thanks for the reply.

    I had been doing further research and did find some articles indicating that this configuration is not recommended anymore.  It looks like reverse proxy in the DMZ forwarding the mobile or OWA traffic to the Exchange Server on the LAN is now the recommended method.  Obviously, Microsoft recommends Forefront UAG, but I'm not sure we have the budget for that considering this is only to support a small number of users (i.e. 10 or less).

    Our firewall may have the ability, but I'm not sure how easy it is to configure.  Guess I need to do more digging.

    Thanks.

    Thursday, March 7, 2013 9:40 PM
  • Any modern firewall (sold in the last five years) should do what you are looking for. I can't imagine anyone would be able to sell one that didn't. Have a look at your router's admin menu. First, make sure that web-based admin from the internet side is not enabled (unless you really, really want it). You should hopefully see a category for 'NAT' (Network Address Translation), but it may also be called something like Virtual Servers (which is what it is confusingly called on mine). Decide which ports you want to go where (25 for SMTP, 443 for OWA and other web access, possibly 143 for IMAP). Anything else coming in from the outside world will then just have nowhere to go.

    blog.leederbyshire.com

    Friday, March 8, 2013 10:23 AM
  • Well, I know our firewall does NAT because we already have it set up for several things.  But I was under the impression that reverse proxy was different from NAT, although I don't know exactly how they are different.  Our biggest concern is opening a port direct from the Internet to the LAN.  We would rather have something in the DMZ relay between the two.

    Thanks for the input.

    Eric

    Saturday, March 9, 2013 12:32 AM
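    The distinction the last two posts circle around is this: port forwarding (NAT) hands the Internet client's TCP connection straight to the LAN server, whereas a reverse proxy in the DMZ terminates that connection itself and only forwards HTTP requests it has inspected. As an added example that is not part of the original thread, here is a minimal filtering reverse proxy in Python that does the DMZ relay the last post asks for: it terminates TLS on the DMZ host, allows only the Exchange virtual directories that OWA and ActiveSync clients use, and answers 404 to everything else, so the LAN server never sees a raw connection from the Internet. The backend name exchange.corp.local, the certificate path and the listening port are assumptions.

```python
"""Path-filtering reverse proxy for OWA and ActiveSync, to sit in the DMZ.

Added example, not code from the original thread. BACKEND_HOST, the
certificate path and the listening port are assumptions. TLS from the
Internet ends here; the LAN server only ever sees HTTP requests this proxy
has accepted, which is what NAT/port forwarding cannot give you.
"""
import http.client
import posixpath
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlsplit

BACKEND_HOST = "exchange.corp.local"  # assumption: the LAN Exchange 2010 server
BACKEND_PORT = 443

# Exchange 2010 virtual directories that OWA and ActiveSync clients use.
# /Rpc (Outlook Anywhere), /ecp and /PowerShell are deliberately absent.
ALLOWED_PREFIXES = ("/owa", "/Microsoft-Server-ActiveSync", "/Autodiscover", "/EWS", "/OAB")

HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def is_allowed_path(raw_path: str) -> bool:
    """Decide on the decoded, normalised path; the raw path is what gets forwarded.

    One round of percent-decoding followed by normpath defeats /owa/../Rpc and
    /owa/%2e%2e/Rpc; a path that still contains '%' after decoding (double
    encoding) is refused outright rather than guessed at.
    """
    path = unquote(urlsplit(raw_path).path)
    if "%" in path:
        return False
    norm = posixpath.normpath(path).lower()
    return any(norm == p.lower() or norm.startswith(p.lower() + "/") for p in ALLOWED_PREFIXES)


class FilteringProxy(BaseHTTPRequestHandler):
    def _forward(self) -> None:
        if not is_allowed_path(self.path):
            self.send_error(404)  # refused here; nothing reaches the LAN
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        headers["X-Forwarded-For"] = self.client_address[0]
        # Verify the LAN server's certificate; it must chain to a CA this host trusts.
        conn = http.client.HTTPSConnection(BACKEND_HOST, BACKEND_PORT, timeout=30,
                                           context=ssl.create_default_context())
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP:
                    self.send_header(k, v)
            self.end_headers()
            self.wfile.write(resp.read())
        finally:
            conn.close()

    do_GET = do_HEAD = do_POST = do_OPTIONS = _forward


if __name__ == "__main__":
    server = ThreadingHTTPServer(("0.0.0.0", 443), FilteringProxy)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("/etc/ssl/private/mail.example.com.pem")  # assumption: public cert + key
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```

    With this in the DMZ, the firewall rule from the Internet is 443 to the proxy only, and the rule from the DMZ to the LAN is 443 from the proxy to the Exchange server only; the raw port-forward Eric wanted to avoid is gone. If users need the Options page in OWA, Exchange 2010 serves it from /ecp, so that prefix would have to be added, with the understanding that /ecp is also the admin console.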