Exchange 2010 Edge Server - Active Sync

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

We have clients who need to ensure they have no ports opended up to the internet for there LAN apart from SMTP mailflow which is locked down to the providers public IP's.

All traffic is directed into the DMZ for any remote access and then validated via two factor authentication in the DMZ and based around group membership they get access to OWA, TS, SharePoint etc.

Currently they use BlackBerry's as there mobile phones, however they want to move to using iPhones, Andriods etc.

We have one server performing CAS/Hub and another which is the Mailbox Store. I was thinking about introducing a Edge Server and placing this into the DMZ, this would then take care of the SMTP mailflow, however I'm pretty sure that 443 need to be open to the CAS/Hub server on the LAN for this to work.

I wouldn't be able to put the CAS role in the DMZ.

Any thoughts?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Not sure about port 443 but I am pretty sure you need TCP port 25 and TCP port 50636 opened (for Edgesync over SSL)...

 

Edge servers communicate with Hub Transport servers, not CAS. CAS publishes OWA, EAS, etc to the internet via a reverse proxy, not via the Edge. More port info here: Exchange Network Port Reference: Exchange 2010 SP1 Help

 

Cheers Shinigami, that was the guide I was looking at.

I was wondering if there was a way to make this work??

 

CAS servers are NOT supported in a DMZ, and by DMZ Microsoft define it as any network segment with port restrictions to the network segment that the Exchange servers reside

to accomplish this we would normally deploy a reverse proxy server such as TMG which will straddle the DMZ and internal network and provide pre-auth capabilities and provide a lock down mechanism
Internet -> TMG Open
TMG -> Exchange restricted
this may meet the clients needs
but i spent a long time with a bank in Cali making them see the error of their ways (they also demanded CAS in the DMZ), ultimately, any imaginary security gain (putting a CAS server in a DMZ is a security loss) is significantly more risky than losing support on a mission critical system, so have them do the risk assessment

 

Cheers Phoenix, I thought I wasnt barking up the wrong tree.