I was having a discussion with some other network admins and we were wondering to what degree a solution like ISA/TMG offers increased security for a Exchange environment, if you used it, for example, to publish OWA. First, I'm assuming Exchange 2007 or 2010. OK. For some, any direct access to internal servers from the Internet is a bad thing. Yet, there are probably thousands of SBS environments where Exchange is exposed to the outside world, albeit through port 443 (and perhaps 80) only. And as far as I know, the Edge Transport role can provide antivirus, antispam and some policy functions (address re-write) but does not act as a reverse proxy (correct?). So, let's imagine an environment where: 1) The only inbound access to the Hub Transport server is from your hosted email filtering company (MX Logic, Postini). 2) The only access to the CAS is on port 443. 3) The CAS server respects commonly recommended guidelines for security: updates regularly applied, default admin account disabled or protected with long and complex password, logs monitored for failed logon attempts, possible application of security templates, and I could go on... So on one hand we have that and on the other, we add a ISA/TMG reverse proxy allowing us, among other things, the publish OWA. What exactly are we gaining security-wise from the reverse-proxy? Someone asked: if it's just shuttled the packets over to the CAS, what are we gaining?