1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Exchange 2010 Edge Server - Active Sync

Discussion in 'Exchange Exams' started by craigie, Sep 30, 2011.

  1. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    We have clients who need to ensure they have no ports opended up to the internet for there LAN apart from SMTP mailflow which is locked down to the providers public IP's.

    All traffic is directed into the DMZ for any remote access and then validated via two factor authentication in the DMZ and based around group membership they get access to OWA, TS, SharePoint etc.

    Currently they use BlackBerry's as there mobile phones, however they want to move to using iPhones, Andriods etc.

    We have one server performing CAS/Hub and another which is the Mailbox Store. I was thinking about introducing a Edge Server and placing this into the DMZ, this would then take care of the SMTP mailflow, however I'm pretty sure that 443 need to be open to the CAS/Hub server on the LAN for this to work.

    I wouldn't be able to put the CAS role in the DMZ.

    Any thoughts?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  2. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    Not sure about port 443 but I am pretty sure you need TCP port 25 and TCP port 50636 opened (for Edgesync over SSL)...
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  3. Shinigami

    Shinigami Megabyte Poster

    896
    40
    84
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  4. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Cheers Shinigami, that was the guide I was looking at.

    I was wondering if there was a way to make this work??
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  5. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    CAS servers are NOT supported in a DMZ, and by DMZ Microsoft define it as any network segment with port restrictions to the network segment that the Exchange servers reside

    to accomplish this we would normally deploy a reverse proxy server such as TMG which will straddle the DMZ and internal network and provide pre-auth capabilities and provide a lock down mechanism
    Internet -> TMG Open
    TMG -> Exchange restricted
    this may meet the clients needs
    but i spent a long time with a bank in Cali making them see the error of their ways (they also demanded CAS in the DMZ), ultimately, any imaginary security gain (putting a CAS server in a DMZ is a security loss) is significantly more risky than losing support on a mission critical system, so have them do the risk assessment
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
    craigie likes this.
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Yup, used to stick ISA 2006 as a reverse proxy in the DMZ to then forward traffic to the resources on the LAN.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Cheers Phoenix, I thought I wasnt barking up the wrong tree.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5

Share This Page

Loading...