OWA security question
Hello, I have a server inside my LAN which is my mail server (Exchange 2007). I have an issue where a consultant is telling me it is best to ask for authentication first from your firewall and not let the traffic go directly to my server on port 443, so basically before accessing OWA they have to authenticate to the firewall, which he manages, and we are having so many issues because of this setup with invalid certificates due to the external firewall... I was wondering if other admins just configure their firewall to allow the SSL traffic to go directly to their internal mail server? I think I am having a similar issue with ActiveSync as well because of his setup.
February 4th, 2011 11:17am

You typically don't authenticate on the firewall. I am not sure what type of firewall you are using, but using a reverse proxy like ISA or TMG from MSFT is best practice for protecting and authenticating external clients. You would want this in the DMZ if you have one and NOT joined to the domain.
Chris Morgan
February 4th, 2011 11:32am

I never really set up an ISA server myself, so I will look at the documentation. We have a Cisco PIX firewall where users get a pop-up to authenticate and then it lets them go to the OWA server afterward. The consultant was talking about having to connect through VPN in order to access OWA afterward, which is a secure way of course, but if you try to access your OWA afterward from a client that doesn't have the VPN client installed, it makes it quite useless, I find...
February 4th, 2011 11:47am

Yeah, you will want a reverse proxy. I wasn't aware the PIX had the capability you are speaking of. It's no longer supported by Cisco from what I understand. Doing that on the firewall doesn't make sense. Let the firewall do what it's built to do. Authentication isn't really what it's made for.
Chris Morgan
February 4th, 2011 11:58am

Hi MartinMayer,

When you install Exchange 2007, a self-signed SSL certificate is installed. It asks for an authentication. You can use this self-signed SSL certificate to encrypt communication between clients and the Client Access server, or you can replace the self-signed certificate with another certificate. To enhance the security of the Client Access Server, Microsoft designed ISA 2006 to work together with Exchange 2007. ISA Server acts as an advanced firewall that can control the traffic ports between the Client Access Server and the client.

Here is more information you may need.

Overview of Client Access Server Security: http://technet.microsoft.com/en-au/library/bb397224(EXCHG.80).aspx

Managing Client Access Security: http://technet.microsoft.com/en-au/library/aa998023(EXCHG.80).aspx
February 8th, 2011 2:49am

This topic is archived. No further replies will be accepted.
