Exchange 2013 Edge Transport and IIS ARR Proxy

Good afternoon, all!

I'm working on a design and migration from dovecot to Exchange.  I think I have most of the high-level design work down but I ran across a question I haven't found a good answer for.

I want to have a reverse proxy server for OWA access outside my perimeter.  I also want to deploy Edge Transport server to handle anti-spam and anti-malware chores.  Can these two roles be combined in the same machine (virtual machine) or will I run into multiple headaches?

Thanks to all for looking!

Gregg

June 11th, 2015 2:35pm

Hi Gregg,

Thank you for your question.

We could run IIS ARR on the Exchange Edge server.

There are the following prerequisites:

1. The IIS ARR server need not be domain joined. It's your choice to decide if you want to domain join this server or not.
2. The IIS ARR server should have two NICs, one for the internal network and the other for the external network. TIP: To make sure you're configuring and using the right network interface, rename the NICs to Internal and External.
3. If you're not using an internal DNS server, you should update the HOSTS file on the IIS ARR server so that it can perform name resolution for the internal CAS and the published Exchange namespaces.
4. Make sure you have already set the Internal and External URLs for Outlook Anywhere, OWA, EWS and EAS, have your certificates installed correctly and this is all working as expected. If not, get it working first before you start adding ARR into the mix.

We could refer to the following link:

http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim

June 11th, 2015 10:39pm
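A pre-flight check for the ARR host against prerequisites 2 to 4 in Jim's list, as an added PowerShell example that is not part of the thread or of Microsoft's guidance. The host names are placeholders and Get-TlsCertificate is a helper written here; run it on the DMZ host before adding ARR rules.

```powershell
# Constructed pre-flight check for the IIS ARR host (added example, not from the thread).
# Host names are placeholders: replace with your published namespaces and internal CAS names.
param(
    [string[]]$Namespaces  = @('mail.example.com', 'autodiscover.example.com'),
    [string[]]$InternalCas = @('cas01.corp.example.com')
)
function Get-TlsCertificate([string]$HostName) {
    # Open a TLS session on 443 and return the certificate the server presents; chain
    # validation is disabled only so a wrong certificate is reported rather than thrown.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Dispose() }
}

$results = @()
function Add-Result([string]$Check, [bool]$Pass) {
    $script:results += [pscustomobject]@{ Check = $Check; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }) }
}
# Prerequisite 2: adapters renamed Internal and External, both up
foreach ($name in 'Internal', 'External') {
    $nic = Get-NetAdapter -Name $name -ErrorAction SilentlyContinue
    Add-Result "NIC '$name' present and up" ($null -ne $nic -and $nic.Status -eq 'Up')
}

# Prerequisite 3: every name ARR must reach resolves. GetHostAddresses honours the HOSTS
# file, which matters when the DMZ host has no internal DNS (Resolve-DnsName does not).
foreach ($name in $Namespaces + $InternalCas) {
    try { $addrs = [System.Net.Dns]::GetHostAddresses($name) } catch { $addrs = @() }
    Add-Result "$name resolves" ($addrs.Count -gt 0)
}

# Prerequisite 4: each CAS answers on 443 with an unexpired certificate covering every published name
foreach ($cas in $InternalCas) {
    $tcp = Test-NetConnection -ComputerName $cas -Port 443 -WarningAction SilentlyContinue
    Add-Result "$cas listens on 443" $tcp.TcpTestSucceeded
    if (-not $tcp.TcpTestSucceeded) { continue }
    $cert = Get-TlsCertificate $cas
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # SAN entries, e.g. *.example.com
    Add-Result "$cas certificate not expired" ($cert.NotAfter -gt (Get-Date))
    foreach ($ns in $Namespaces) {
        # -like lets a wildcard SAN such as *.example.com cover mail.example.com
        Add-Result "$cas certificate covers $ns" ([bool]($sans | Where-Object { $ns -like $_ }))
    }
}

$results | Format-Table -AutoSize
```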

Hello, Jim!

Thanks for the reply!  I'm still working on some of the details for this design and found a couple of issues.

First, will I need to bind these services to particular interfaces?  That is, will the Edge Transport service stick to SMTP port 25 and ARR stick to port 80/443 - or is there a possibility of cross-traffic?  If so, I think I'd need to bind the services to a particular interface, at which point it's probably easier to go back to two separate VMs. 

Another interface issue also comes to the surface.  My VMs in the DMZ currently are NATed to the outside world.  This should take care of the dual interface requirement, as the NAT is handling the external interface traffic.  Would the NAT carry through on this design, or would there again be the possibility of cross-traffic and the resultant problems to deal with? 

Thanks for looking!

Gregg

June 12th, 2015 1:29pm

Hi Gregg,

1) For your reverse proxy I recommend using a pre-auth solution to protect your organisation against brute force attacks. Unfortunately, IIS ARR does not carry this feature. You can use ADFS and ADFS Proxy (https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx); ADFS Proxy is a reverse proxy and pre-authentication solution. Alternatively, you can use Kemp, which is an HLB, reverse proxy and pre-authentication solution based on Linux (http://jaapwesselius.com/2013/05/08/kemp-edge-security-pack-for-exchange-2013/). They have a free edition. You can deploy the ADFS Proxy and Kemp in your DMZ.

2) For your Exchange Edge server infrastructure, you can increase your security with Exchange Online Protection or Email Security.Cloud, which act as the active host for your Edge server.

Yannick.


 
June 17th, 2015 10:36pm



Hi ,

Issue1:

We needn't bind those services to a particular interface.

Issue2:

We can carry through NAT, and don't worry about traffic.

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim


June 17th, 2015 11:00pm


Application Request Routing (ARR) has a couple of drawbacks when compared to Web Application Proxy (WAP). Yannick already mentioned one, and you can find the details in the first paragraph here. The Edge Transport server shouldn't be placed in an AD domain, as per this article. ARR can be installed on a non-domain-joined machine (as per Jim's link), while WAP will need a domain-joined machine - essentially pointing to a 2-machine setup for this one.

I've also used Kemp - admittedly not for Exchange but for publishing certain Lync services - and found it to be really stable.

In the end it's a trade-off between features, number of machines and technologies.

June 18th, 2015 2:59am

