Hi all,
Due to how the network team here has configured out internet circuits, I am forced to put my Exchange 2007 SP3 CAS in our DMZ. I know this is bad. I have brought up the concerns of Sembee's blog and Brad Hughes blog and the official MS documents
several times, but every time I am assured that our routing will not allow the CAS to function inside the DMZ. The additional wrinkle being that remote offices on my network cannot reach the DMZ internally, so I will have all kind of certificate problems
with my Outlook clients if I try to use the external webmail name as my internal certificate.

What I need to do is have a DMZ CAS to handle the OWA and ActiveSync connections, and an internal CAS to handle services and autodiscovery. Both of those CAS servers will have to be in the same active directory site, however the MS documentation (Understanding
Proxying and Redirection) is written assuming the two CAS servers will be in different AD sites.
Will I run into problems if I simply install another Exchange 2007 CAS server into my home office AD site and leave that CAS server on my LAN, while my current CAS server remains in the DMZ? The DMZ CAS will then have an external URL matching my third
party SSL certificate and an internal URL of its own computer name. My LAN CAS would have an external $N$Null address and an internal address of its own computer name.

Appreciate any insight!

There is an amazing pack of free network admin tools. click here to download it

Hi
Even if you somehow get this to work, it will be an unsupported configuration. You cannot place firewalls between CAS and Mailbox servers as they use random high range RPC ports to communicate with each other.
I'm guessing that your network guys cannot (or will not) route inbound traffic from the internet directly to the LAN - this is a fairly common situation but trying to put a CAS in the DMZ isn't going to help matters. The best solution would be to install
a TMG (or two in an array) into your DMZ and use that to terminate the client connections and reverse proxy to your CAS on the internal LAN.
Cheers, Steve

There is an amazing pack of free network admin tools. click here to download it

I do understand it is not a supported configuration, but I don't have any choice. If I can't get this to work, I'm going to end up with Outlook 2007 certificate errors at all of my remote sites. I don't expect I'll have the resources to get TMG
or Forefront and do any reverse proxying. The closest I might pull off is to put an Edge Transport server in the DMZ, but with a relatively new Barracuda smart host, I don't expect that's going to be a popular decision.

Need to support users over the internet? click here try our remote control online beta

The edge transport server will not really give you any benefit over what your Barracuda is doing for you right now, it however is the only type of Exchange server that can sit in the DMZ. If you cannot implement a TMG then your solution will not work
as a CAS in the DMZ will not function.
Exchange servers communicate using random high range RPC ports so the firewall would need to be completely open between the servers - so that would make you DMZ pointless in any case.
Steve

Need to support users over the internet? click here try our remote control online beta

The edge transport server will not really give you any benefit over what your Barracuda is doing for you right now, it however is the only type of Exchange server that can sit in the DMZ. If you cannot implement a TMG then your solution will not work
as a CAS in the DMZ will not function.
Exchange servers communicate using random high range RPC ports so the firewall would need to be completely open between the servers - so that would make you DMZ pointless in any case.
Steve

There is an amazing pack of free network admin tools. click here to download it

As Steve said this is a unsupported configuration for MANY reasons. It would be MUCH more secure to allow port 443 traffic directly to the Exchange server on the inside network.
Where is the DC that Exchange is using, is there also one in the DMZ or are all ports open between the Exchange server in the DMZ and the other Exchange server and DC on the internal network?
Having port 443 traffic route right from the Internet to your internal Exchange server isn't recommended, but it's more secure than putting an Exchange server in the DMZ and opening up the internal firewall as needed so Exchange will work. The best solution
would be to have TMG or other reverse proxy solution in the DMZ allowing access to Exchange.
To eliminate the certificate issues you can just get a SAN\UC certificate with the internal and external names in it.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful
you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly.

Jason Sherry | Blog |
Hire Me | Twitter: @JasonSherry
Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

Need to support users over the internet? click here try our remote control online beta

As Steve said this is a unsupported configuration for MANY reasons. It would be MUCH more secure to allow port 443 traffic directly to the Exchange server on the inside network.
Where is the DC that Exchange is using, is there also one in the DMZ or are all ports open between the Exchange server in the DMZ and the other Exchange server and DC on the internal network?
Having port 443 traffic route right from the Internet to your internal Exchange server isn't recommended, but it's more secure than putting an Exchange server in the DMZ and opening up the internal firewall as needed so Exchange will work. The best solution
would be to have TMG or other reverse proxy solution in the DMZ allowing access to Exchange.
To eliminate the certificate issues you can just get a SAN\UC certificate with the internal and external names in it.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful
you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly.

Jason Sherry | Blog |
Hire Me | Twitter: @JasonSherry
Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

There is an amazing pack of free network admin tools. click here to download it