Exposing Microsoft-Server-Activesync to the internet
OK, I hope this is the correct forum to put this in... We run a single Exchange 2007 server with approximately 200 users. 5 or so of these users now require ActiveSync from their mobile devices. All mobiles are running WinMo 6.1 so nothing curly there. Obviously we need to allow access from the internet to part of IIS on the Exchange server. We have already set up and tested security on IIS itself (SSL, client certificates required) but I'm looking for some guidance as to how we should actually open up the server. Since this server is also running OWA for clients on the LAN we do NOT want to simply forward port 443 to the Exchange server. From a bit of research I gather these are our options:

1. Restrict access by IP at the "Default Web Site" level of IIS to just the LAN, then explicitly allow internet IPs to access the Microsoft-Server-ActiveSync virtual directory.
2. Add a second IP address to the NIC, set up a separate site under IIS bound to the new IP, create a new ActiveSync VD under this new site, then forward port 443 to this new site.
3. EDIT: Never mind, can't put a secondary CAS in the DMZ in 2007...
4. Use Squid or ISA or Apache in the DMZ to do reverse proxying to the Exchange server.

Any input very much appreciated!
December 8th, 2009 11:11pm

Options one and two are not particularly secure. You ruled out option three, which by the way is what Microsoft says: Don't put CAS in the perimeter network! http://msexchangeteam.com/archive/2009/10/21/452929.aspx

This leaves you with option four. Apache and Squid will most likely work as a reverse proxy and, to start with, do port-forwarding, leaving port 443 wide open as a pass-through port. You should do some research on what additional security features these applications offer for Exchange.

Here are some reasons why I think ISA Server 2006 is the best solution (my bias; basically I think of ISA in this context as an extension to Exchange):

* ISA is a full-featured firewall. It does SSL bridging: SSL-protected packets are decrypted by ISA Server 2006, inspected, and re-encrypted before they are forwarded to your CAS server.
* ISA does pre-authentication of the users accessing your CAS server.
* Very good monitoring and reporting tools.
* Extremely easy to configure with Exchange 2007, and there is excellent documentation on the net.
* If you run into problems with ISA and Exchange, there are a lot of highly knowledgeable people that will help you out.
* Standard Edition is not cost-prohibitive.

Internet Acceleration and Security (ISA) Server 2006 Product Overview: http://www.diraction.ch/shopdocs/files/Internet%20Acceleration%20and%20Security.pdf

MCTS: Messaging | MCSE: S+M | Small Business Specialist
December 9th, 2009 3:41am
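Worked example of the reverse-proxy route (option four) discussed in the reply above, added here as an illustration and not posted by anyone in the thread. It is an Apache 2.2 configuration that publishes only the Microsoft-Server-ActiveSync virtual directory, denies every other path on the site (OWA, /ecp, /Exchange, /Public), terminates the device's SSL connection at the proxy, requires a device client certificate, and re-encrypts towards the CAS. The hostname mail.example.com, the CAS address cas01.corp.example.local, the certificate paths and the module paths are assumptions; substitute your own. One point to be aware of: once the proxy terminates SSL, IIS no longer sees the device certificate, so the proxy presents its own client certificate to the CAS (SSLProxyMachineCertificateFile) to keep the "require client certificates" setting on the virtual directory meaningful, and hands the device certificate's subject along in a request header for logging.

```apache
# Added example (not from the thread): Apache 2.2 reverse proxy publishing only
# the ActiveSync virtual directory. All hostnames, paths and module locations
# below are placeholders.
Listen 443
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

<VirtualHost *:443>
    ServerName mail.example.com

    # SSL from the mobile device to the proxy.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile    /etc/apache2/ssl/mail.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mail.example.com.key

    # Device client certificates: only certificates chaining to the CA that
    # issued the device certs are accepted. The proxy terminates SSL, so this
    # is where the device cert is actually checked.
    SSLCACertificateFile  /etc/apache2/ssl/device-issuing-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Never act as a forward (open) proxy.
    ProxyRequests Off

    # Deny the whole site by default; OWA and the other virtual directories
    # stay reachable from the LAN only.
    <Location />
        Order deny,allow
        Deny from all
    </Location>

    # Re-encrypt towards the CAS, verify the CAS certificate against the
    # internal CA, and present the proxy's own client certificate (cert + key
    # in one PEM file) so IIS can keep "Require client certificates".
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile      /etc/apache2/ssl/internal-ca.pem
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client-cert.pem

    # ActiveSync direct push (the Ping command) holds a request open for up to
    # 30 minutes; a short proxy timeout makes devices fall back to polling.
    ProxyTimeout 1800

    # The one path that is allowed in from the internet.
    <Location /Microsoft-Server-ActiveSync>
        Order allow,deny
        Allow from all
        ProxyPass        https://cas01.corp.example.local/Microsoft-Server-ActiveSync
        ProxyPassReverse https://cas01.corp.example.local/Microsoft-Server-ActiveSync
        # Pass the device certificate's subject to the CAS for logging and
        # correlation. "set" overwrites anything the client sent, so a device
        # cannot inject its own value.
        RequestHeader set X-Client-Cert-Subject "%{SSL_CLIENT_S_DN}s"
    </Location>
</VirtualHost>
```

After loading it, two quick checks from outside the LAN are worth doing: a request for https://mail.example.com/owa/ (with a valid device certificate) should come back 403 from the proxy rather than an OWA logon page, and a request for /Microsoft-Server-ActiveSync without a client certificate should fail at the SSL handshake, not reach the CAS. On the CAS side, restrict port 443 to the proxy address plus the LAN so that the proxy really is the only internet-facing path; the reverse proxy only helps if the CAS cannot be reached around it.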

Thanks very much for the input. I would love to use ISA as we are moving towards being a mostly-MS shop (apart from perimeter devices of course) but the problem is that it's quite a hard sell to management when we're only talking about ~5 users inbound to it. Although it would also tick off a few questions hanging over our current web proxy... It also presumably requires a full-fat box whereas Apache will run happily on one of our little $150 ALIX embedded devices. Hmmmm. I may have to get out my begging cap and see if we can find a couple of thousand to get some ISA in here. Argh. Don't you just love project scope creep? Haha. Thanks again.
December 10th, 2009 3:10am
