Exchange 2010 Reverse Proxy Discussion
I work as an architect\consultant with a lot of focus on Exchange 2010. When it comes to providing secure access to Exchange from the internet I use a reverse proxy like TMG\ISA. The benefits for me that TMG brings to the table in my opinion warrant the introduction of the product for the customer. I have been discussing my deployment architecture with my colleagues in the network\firewall team for a while now and I have been coming under some pressure that I am simply adding complexity for the customer’s by introducing a reverse proxy and the reverse proxy solves a problem that doesn’t really exist. The Exchange team states that OWA 2010 is secure by design so no need to harden IIS after installation. I am fully aware of the benefits that a TMG solution brings to Exchange with pre-authentication, terminating anonymous inbound internet connections outside the LAN, securing IIS paths etc. Assuming that best practice is adhered to in the form of patching OS, not running anything else on IIS etc., does anyone know if there is there any inherent security risk by redirecting port 443 from the firewall to the CAS server? Secunia Advisories on Exchange 2010 state no vulnerabilities and IIS 7 state none once fully patched. Exchange 2010 http://secunia.com/advisories/product/28234/ IIS 7 http://secunia.com/advisories/product/17543/
July 1st, 2011 6:44pm

Plenty of my customers do that. Plenty use ISA or TMG. One customer is a firewall vendor so they use their own reverse proxy.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Free Windows Admin Tool Kit Click here and download it now
July 1st, 2011 8:07pm

Ed Thanks for the reply although it doesnt answer my question. I am aware that people use the access methods described. I was looking for a discussion from the community on the merits of a reverse proxy if Exchange is already secure by design
July 6th, 2011 6:50pm

You'll probably get a better response to that in a security forum, then. The security guys are the ones who have real technical opinions on the value of web publishing. As I tried to say earlier, plenty of my customers pass web traffic straight to the server and I don't know of any problems there if they're diligent about keeping their servers patched. I do think that those who use ISA or TMG sleep a little better at night, though, and I would prefer to see an ISA/TMG configuration installed.Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2011 10:46pm

It seems you have already mentioned a lot of merits in TMG J, “pre-authentication, terminating anonymous inbound internet connections outside the LAN, securing IIS paths” The article below has listed the features and benefits, not sure if you have seen it TMG: Features
July 8th, 2011 2:23am

We are using Linux (CentOS) and Apache mod proxy and it has worked fine for us. We use it for external OWA, ActiveSync and BES proxy'ing. Never once had a problem with it, and it allows us to use a wildcard cert on it instead of buying an expensive SAN certificate with tons of SAN's on it from a Trusted Certificate provider. Also, there are fewer patches and not a monthly patch cycle we have to coordinate downtime for. We run it on a VM too, with 1 vCPU and 1 gig of ram. But if you dont have VMWare or any sort of Virtual environment, you can use an old castaway server. It's not resource intensive at all. ISA is a pretty expensive solution when there are free products that work just fine.
Free Windows Admin Tool Kit Click here and download it now
July 12th, 2011 5:06pm

For the CentOS / Apache solution, do you have a recommendations - versions, how-tos, gotchas?
February 3rd, 2012 9:09am

We looked into using a TMG but in the end decided against it. We felt that we had enough built in security with exchange. Since only 443 is open through the firewall and that the site is secured by SSL, even when a Anonymous users gets to the login page of OWA they still need valid credentials to login. if they already have valid credentials nothing will stop them. TMG is nice and the benefits are nice but i think it really depends on the company. I believe what factors that drive these discussions is on business need. If a company has strict security policies, or if a company is willing to accept a certain amount of risk. Every company is different and some may require the extra layer of security, but honestly if you harden your server with SCW and do common sense stuff like updates, patches, AV etc you really should be fine without one. This is my opionon.
Free Windows Admin Tool Kit Click here and download it now
February 4th, 2012 4:38am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics