What's the best way to configure Exchange 2013 Client Access role for Internet facing? I am thinking of using TMG with reverese proxy. Is TMG or some other reverese proxy the best way? or does Exchange 2013 have some sort of security that would allow me to simply NAT to the CAS server from the Internet? What's the recommended way of doing this? Can you point me to documentation that recommends a secure topology? Thanks The opptions as I see it: 1. NAT to CAS from the Internet 2. Reverse Proxy from the Internet using TMG 3. Publish CAS on TMG and authenticate users on TMG before getting to CAS. 4. Are there other options? Mike MomjianInfrastructure Architect

Hi, Since there is no Edge Role in Exchange 2013 for now, Microsoft are advising customers to use Exchange 2010 SP2 Edge Transport with Exchange 2013 as for a workaround. Thanks, Simon Wu Exchange Forum Support Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

The most basic option is NAT to CAS. Windows 2008 R2 & Windows 2012 are much more security than previous versions of Windows and there is very low risk of an hack over HTTP. But there is still a risk of an attack affecting the Exchange server. A reverse proxy and application firewall solution, like TMG, is recommended to provide increase protection. #3 can also be done, but it is generally recommended to have authentication done by Exchange if TMG is only being used to public Exchange. If TMG is publishing other websites then you may want to do authentication on TMG to provide SSO. #4: Yes, there are several other reverse proxy and application firewall solutions out there.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

The most basic option is NAT to CAS. Windows 2008 R2 & Windows 2012 are much more security than previous versions of Windows and there is very low risk of an hack over HTTP. But there is still a risk of an attack affecting the Exchange server. A reverse proxy and application firewall solution, like TMG, is recommended to provide increase protection. #3 can also be done, but it is generally recommended to have authentication done by Exchange if TMG is only being used to public Exchange. If TMG is publishing other websites then you may want to do authentication on TMG to provide SSO. #4: Yes, there are several other reverse proxy and application firewall solutions out there.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

The most basic option is NAT to CAS. Windows 2008 R2 & Windows 2012 are much more security than previous versions of Windows and there is very low risk of an hack over HTTP. But there is still a risk of an attack affecting the Exchange server. A reverse proxy and application firewall solution, like TMG, is recommended to provide increase protection. #3 can also be done, but it is generally recommended to have authentication done by Exchange if TMG is only being used to public Exchange. If TMG is publishing other websites then you may want to do authentication on TMG to provide SSO. #4: Yes, there are several other reverse proxy and application firewall solutions out there.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

The most basic option is NAT to CAS. Windows 2008 R2 & Windows 2012 are much more security than previous versions of Windows and there is very low risk of an hack over HTTP. But there is still a risk of an attack affecting the Exchange server. A reverse proxy and application firewall solution, like TMG, is recommended to provide increase protection. #3 can also be done, but it is generally recommended to have authentication done by Exchange if TMG is only being used to public Exchange. If TMG is publishing other websites then you may want to do authentication on TMG to provide SSO. #4: Yes, there are several other reverse proxy and application firewall solutions out there.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

EDGE is only for SMTP, it doesn't not provide HTTPS client access to Exchange.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

EDGE is only for SMTP, it doesn't not provide HTTPS client access to Exchange.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

EDGE is only for SMTP, it doesn't not provide HTTPS client access to Exchange.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP

EDGE is only for SMTP, it doesn't not provide HTTPS client access to Exchange.If this post helps to resolve your issue, please click the "Propose as Answer" If you find it helpful , mark it as helpful by clicking on "Vote as Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster. If you need an expert migration consultant to assist your organization feel free to contact me directly. Jason Sherry | Blog | Hire Me | Twitter: @JasonSherry Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP