Client Access Server security
Hi All,

I have a question about Client Access Server security. Our current Exchange 2003 system is fairly simple: a back-end server inside the network with the front-end server sitting in the DMZ. We are currently looking into an upgrade to Exchange 2007. Reading the following two articles, placing the CAS inside the DMZ so we just perform a like-for-like transfer is not supported.

http://technet.microsoft.com/en-us/library/bb232184.aspx
http://blogs.msdn.com/brad_hughes/archive/2008/05/05/how-not-to-deploy-client-access-servers.aspx

I have seen a lot of information about placing the CAS inside the LAN, protected and published via ISA inside the DMZ. We don't have ISA servers and we didn't have any plans to deploy any. I wanted to call on other people's experience with this. How have you, or would you, set this up? What has worked for you in the past? Is ISA the only way to go?

Thanks,
Mark.
May 14th, 2009 2:07pm

Yes, CAS in the DMZ is not recommended/supported at all. You can open a firewall port for the service you want to configure on the CAS to publish on the internet (without ISA); let's say, to access OWA, open port 443 from the internet to the CAS. But it is less secure, and the reverse proxy verification doesn't happen, which is possible with ISA to let just secure/valid traffic in from the internet.

Amit Tank | MVP - Exchange Server | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 14th, 2009 4:08pm

Hi,

I agree with Amit. You may try to stamp an IP to the CAS with the related port.

Regards,
Xiu
May 15th, 2009 9:46am

Hi Amit\Xiu,

Thank you for your responses. So my options are either to place ISA in the perimeter and then publish CAS through that, or to forward port 443 straight through the firewall to the internal IP of the CAS.

How to Configure Reverse Proxy Servers for Outlook Web Access - http://technet.microsoft.com/en-us/library/bb266987.aspx

Looking at the above link, the benefits of ISA in my situation can be summarised as SSL encryption\decryption (enabling ISA to perform checks on the data being sent to the CAS) and authentication (so that only authorised users can get a connection to the CAS via ISA). Is that correct? If so, could the authentication benefits be replaced by using something like the RSA web agents? And how much would you put yourself at risk by not having reverse proxy data inspection happening ... or are people using different reverse proxies to mitigate the risk (if so, which?).

Are the risks of not having authentication and data inspection happening before the traffic hits the client access server something people are prepared to put up with in production, and is CAS secure enough to hold its own ... I don't want to put this straight on the internet just to have a breach blow up in my face a week later, but I also don't want to over-engineer something that, at the moment, is a fairly simple setup. As you may be able to tell, I am not a security expert, so hopefully someone can put my mind at ease about this.

Thanks,
Mark.
May 15th, 2009 2:55pm
