Exchange 2010 Reverse Proxy Discussion
I work as an architect\consultant with a lot of focus on Exchange 2010. When it comes to providing secure access to Exchange from the internet I use a reverse proxy like TMG\ISA. The benefits that TMG brings to the table in my opinion warrant the introduction of the product for the customer. I have been discussing my deployment architecture with my colleagues in the network\firewall team for a while now and I have been coming under some pressure that I am simply adding complexity for the customers by introducing a reverse proxy and that the reverse proxy solves a problem that doesn't really exist. The Exchange team states that OWA 2010 is secure by design, so there is no need to harden IIS after installation. I am fully aware of the benefits that a TMG solution brings to Exchange with pre-authentication, terminating anonymous inbound internet connections outside the LAN, securing IIS paths etc. Assuming that best practice is adhered to in the form of patching the OS, not running anything else on IIS etc., does anyone know if there is any inherent security risk in redirecting port 443 from the firewall to the CAS server? Secunia Advisories on Exchange 2010 state no vulnerabilities and IIS 7 states none once fully patched. Exchange 2010: http://secunia.com/advisories/product/28234/ IIS 7: http://secunia.com/advisories/product/17543/
July 1st, 2011 6:44pm

Ed, thanks for the reply, although it doesn't answer my question. I am aware that people use the access methods described. I was looking for a discussion from the community on the merits of a reverse proxy if Exchange is already secure by design.
July 6th, 2011 6:50pm

You'll probably get a better response to that in a security forum, then. The security guys are the ones who have real technical opinions on the value of web publishing. As I tried to say earlier, plenty of my customers pass web traffic straight to the server and I don't know of any problems there if they're diligent about keeping their servers patched. I do think that those who use ISA or TMG sleep a little better at night, though, and I would prefer to see an ISA/TMG configuration installed.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 6th, 2011 10:46pm

It seems you have already mentioned a lot of merits of TMG: "pre-authentication, terminating anonymous inbound internet connections outside the LAN, securing IIS paths". The article below lists the features and benefits, not sure if you have seen it: TMG: Features
July 8th, 2011 2:23am

We are using Linux (CentOS) and Apache mod_proxy and it has worked fine for us. We use it for external OWA, ActiveSync and BES proxying. Never once had a problem with it, and it allows us to use a wildcard cert on it instead of buying an expensive SAN certificate with tons of SANs on it from a trusted certificate provider. Also, there are fewer patches and not a monthly patch cycle we have to coordinate downtime for. We run it on a VM too, with 1 vCPU and 1 GB of RAM. But if you don't have VMware or any sort of virtual environment, you can use an old castaway server. It's not resource intensive at all. ISA is a pretty expensive solution when there are free products that work just fine.
July 12th, 2011 5:06pm
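The kind of Apache reverse-proxy publishing described above, as an added example that is not the poster's own configuration. It assumes Apache 2.2 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded, re-encrypts to the CAS, and publishes only the Exchange 2010 virtual directories external clients need while refusing every other IIS path at the proxy; hostnames, addresses and certificate paths are placeholders, and Outlook Anywhere (/rpc) is left out because the thread does not establish that it works through mod_proxy.

```apache
# Added example, not the poster's configuration. Apache 2.2 (CentOS 5/6 era)
# with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# Every hostname, address and file path below is a placeholder.
Listen 443
<VirtualHost *:443>
    ServerName mail.example.com

    # TLS terminates here with the wildcard certificate the poster mentions.
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCertificateFile    /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.com.key

    # Reverse proxy only: never accept forward-proxy requests from clients.
    ProxyRequests Off
    # Re-encrypt to the CAS so credentials never cross the LAN in clear text.
    SSLProxyEngine On
    ProxyPreserveHost On

    # Exchange 2010 builds https:// links in OWA when it sees this header.
    RequestHeader set Front-End-Https "On"

    # Publish only the virtual directories that internet clients need.
    # Apache paths are case-sensitive (IIS paths are not), so match what clients send.
    ProxyPass        /owa                         https://cas01.corp.example.internal/owa
    ProxyPassReverse /owa                         https://cas01.corp.example.internal/owa
    ProxyPass        /ecp                         https://cas01.corp.example.internal/ecp
    ProxyPassReverse /ecp                         https://cas01.corp.example.internal/ecp
    ProxyPass        /Microsoft-Server-ActiveSync https://cas01.corp.example.internal/Microsoft-Server-ActiveSync
    ProxyPass        /EWS                         https://cas01.corp.example.internal/EWS
    ProxyPass        /Autodiscover                https://cas01.corp.example.internal/Autodiscover

    # Deny everything else (site root, legacy /Exchange, /PowerShell, ...) at the
    # proxy so those IIS paths are never reachable from the internet. The later
    # LocationMatch overrides the blanket deny for the published paths only.
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    <LocationMatch "^/(owa|ecp|EWS|Microsoft-Server-ActiveSync|Autodiscover)(/|$)">
        Order allow,deny
        Allow from all
    </LocationMatch>

    # Separate logs so the firewall team can audit exactly what gets published.
    CustomLog logs/exchange_proxy_access.log combined
    ErrorLog  logs/exchange_proxy_error.log
</VirtualHost>
```

Requests for anything outside the allow-listed directories are answered with 403 by Apache and never reach the CAS, which is the "securing IIS paths" benefit the original poster attributes to TMG.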

For the CentOS / Apache solution, do you have any recommendations - versions, how-tos, gotchas?
February 3rd, 2012 9:09am

We looked into using a TMG but in the end decided against it. We felt that we had enough built-in security with Exchange. Since only 443 is open through the firewall and the site is secured by SSL, even when an anonymous user gets to the login page of OWA they still need valid credentials to log in. If they already have valid credentials nothing will stop them. TMG is nice and the benefits are nice, but I think it really depends on the company. I believe the factors that drive these discussions are business needs: whether a company has strict security policies, or whether a company is willing to accept a certain amount of risk. Every company is different and some may require the extra layer of security, but honestly if you harden your server with SCW and do common sense stuff like updates, patches, AV etc. you really should be fine without one. This is my opinion.
February 4th, 2012 4:38am

Does yours work with RPC/HTTP? If so, can you please post a config?
July 18th, 2012 4:34pm

I've never had any problem making Outlook Anywhere work through TMG using the standard publishing techniques documented in TechNet and elsewhere.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 18th, 2012 4:42pm

I understand TMG will work fine. However I really don't want to spend the 3000 if I can help it.
July 18th, 2012 4:47pm

Sorry, I thought that's what you were asking about.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 18th, 2012 5:06pm
