Some Questions About Connecting to CAS Using Reverse Proxy

  • Question

  • Hi, I have lots of questions about publishing CAS, putting it in the DMZ and ...

    As many people and links suggest, the CAS should not be put in the DMZ, and that's because:

    The CAS should be open to Mailbox and DCs, so the connection will be available from outside to important internal servers like DC and Mailboxes, so it is not secure.

    And the fact that firewall problems and block rules between CAS and Mailbox and ... servers are not supported by Microsoft.

    First of all, please correct me about the above reasons if I am wrong.

    As far as I know, the reverse proxy gets the external user's credentials, takes them to the Exchange CAS server and verifies them. Am I right here? And if so, what is the next step? Again, after authentication, the external user can have access to the Mailbox server somehow, and that is again dangerous! Help me with this.

    The next question is: what device or solution do you recommend for using a reverse proxy? We have Cisco ASA firewalls! Are they good for this task?

    Another question is: assuming I made OWA secure using ASA and reverse proxy, what about the Outlook Anywhere clients and ActiveSync users? How are they authenticating? How should CAS be made available to them if it is not in the DMZ?

    Sorry! Lots of questions, but I would like to make my Exchange organization as secure as possible.

    Thursday, January 24, 2013 5:59 AM