Removing sub-services of CAS a possibility for ActiveSync security?
I have been requested to research the possibility of deploying two CAS roles, each with different sub-services. The request comes from a security standpoint of limiting the services available on the ActiveSync box should it ever be compromised.
This is the proposed setup: The first CAS (installed on the MX server) would handle Outlook07, OWA, OAB. The second (stand-alone role) would be for ActiveSync connections routed through the firewall.
Can the different tasks that the CAS role is responsible for be removed; and if so, are there any issues in doing so?
The one thing I am concerned about is that the Service Connection Point (SCP) is created in AD on role install. From what I read, the auto discovery could not work in this case 50% of the time if one box is limited in services. Can this AD point be deleted? The other thing I read was that CAS servers have r/w access to all Exchange resources courtesy of the Exchange Server AD group, so extracting the ActiveSync sub-role might not be all it's cracked up to be anyway.
We have relied on BES for remote device messaging, so the setup of ActiveSync is not too familiar to me. Feedback on security design in setting up an ActiveSync connector would be helpful.
Jeremy
September 23rd, 2008 12:10am
The best way to secure Outlook Web Access / ActiveSync like you're describing is to publish it with ISA 2006. You are correct in that each CAS can access AD and there wouldn't be a way to protect your environment in the event one is compromised.
See here:
Securing Exchange Server 2007 Client Access
http://technet.microsoft.com/en-us/library/bb400932(EXCHG.80).aspx
and here:
Configuring ISA Server 2006 for Exchange Client Access
http://technet.microsoft.com/en-us/library/aa997148(EXCHG.80).aspx
September 23rd, 2008 4:25am
Yes, the best way to secure your server is to publish it with ISA. Splitting the CAS server role is not the best way.
A good article for your reference:
Exchange 2007 Security Guide
http://technet.microsoft.com/en-us/library/bb691338.aspx
Thanks,
Elvis
September 24th, 2008 11:44am