We have two servers setup with: One server being Edge Transport AND One server being hub/cas/mailbox roles. What I'd like to know is when publishing services such as: Outlook Anywhere OWA POP3 IMAP Which server do I forward traffic to from our firewall? Is it the server with the CAS role or can we forward it to the edge server and have it relay thetraffic over?

It's the CAS server. Have you got room for ISA 2006 there? ISA 2006 publishing the CAS server services you listed makes a real nice secure solution.

Thanks for the quick reply Neil. So I should publish all those services (including IMAP4 and POP3) and direct traffic from the firewall to the CAS server? Wouldn't this somewhat defeat the purpose of having an edge transport server though? I though the edge transport server was supposed to shield traffic from the internet to our firewall so external traffic is always somewhat terminated in the DMZ. As for ISA, we're currently using Juniper firewalls and I don't think management has intentions on changing it to MS ISA.

The Edge Transport server is an email hygiene server. See this: http://technet.microsoft.com/en-us/library/bb124701.aspx The MS way is to implement ISA to publish applications and services, like OWA et al, and for ISA to perform the authentication process. Therefore, external traffic is terminated at ISA where SSL decryption takes place. Then the connection is re-SSL'd to the CAS on the internal network. Probably not what you wanted to hear, but then I don't make the rules here.

Thanks for the answer Neil. I've used ISA extensively at my last job but not anymore at a larger consulting company as Cisco ASAs and Juniper firewalls seem to be praised much more. I haven't touched ISA for quite some time and the last version I worked with was 2004. I was definitely impressed with the improvements from 2000 but wasn't too impressed with the issues I had to deal with such as the compression filters after SP1/SP2 and some other issues after SP3. Thanks again.