Hate to get all retro here, but i must. Hopefully this is a pretty easy answer. Single Exchange 2003 SP2 server running on windows 2003 R2 - this machine is an internally addressed machine, with no direct access from the internet (it's fronted by two ironport public servers) We currently host our own BES and the powers that be, want to look at moving from our berrys to iphones. I've read a bunch of docs, and it looks pretty straightforward, just have a question. Since our exchange box doesn't currently have direct access from outside, i guess i have two choices: Add a public static NAT to our internal exchange box - easily done, but is this a good idea. This machine is patched and everything, but it is a domain member and typically with all the MS networking stuff on it, probably not as hardened as it should be. Put a machine in our DMZ that would handle the connectivity from the outside\inside to our exchange machine - is this even doable? What components would have to be installed on it? thanks. Danny

Option and and 2 are both possible. For option 2 you would need to put a E2K3 front-end server in your DMZ, have a look here (http://www.kbrandt.com/2009/02/moving-a-front-end-exchange-2003-server-into-your-dmz.html) for details. The other option would be to place a reverse proxy (ISA, TMG etc) in the DMZ and use it for ActiveSync reverse proxy. See here (http://technet.microsoft.com/en-us/library/bb794845.aspx) for details on how to set this up. My personal preference would be to set up ISA. It requires less firewall changes and is a lot more likely to get passed your security team than a direct NAT to the existing Exchange server or placing a FE server in the DMZ.Matt Cline - MCSE+M, MCITP: EA | EMA (2007, 2010) | Lync 2010 Blog: exchangeadventures.com

Hello, I would choose the second option and deploy an Front-end Exchange Server. Thanks, Simon