Exchange Server Forums
CAS servers in the DMZ
CAS servers in the DMZ - 27.Nov.2007 4:31:58 PM
wade001
The official stance from Microsoft seems to be that a CAS server is not to be placed in the DMZ, based on the number of FW ports required to be opened between the networks. With the cost of ISA at 1,400 per processor vs. a standard license for the CAS role at 699, it seems a little cost-prohibitive for smaller organizations. Also, there seem to be some articles on this site advocating CAS servers in the DMZ as a viable config. What are the real risks with this config, and what does Microsoft's "unsupported configuration" really mean? Thanks
RE: CAS servers in the DMZ - 27.Nov.2007 5:31:44 PM
mark@mvps.org
You, as a user of the server(s), are entitled to put any server in any place you want. Unsupported means that if you have a problem with the box and decide to call Microsoft directly for assistance, they will tell you to put the box on the internal LAN and try to repeat the problem. If you come here with a CAS problem and state that it's in the DMZ, I for one will also tell you to put it in the right place, but the difference here is that I'll go the extra mile to decide if the problem is remotely AD related (ergo f/w port related) before asking you to put it in the "right" place.
_____________________________
Mark Arnold (Exchange MVP) List Moderator
RE: CAS servers in the DMZ - 27.Nov.2007 6:04:10 PM
wade001
Thanks for your response. I have read in some other forums here that an acceptable option may be to leave the CAS server on the internal network but just advertise the required ports (443, 80, 25) externally, I am assuming with a NAT. This appears to be less secure, or similarly secure, compared to sitting the box in the DMZ. Am I missing something? Is just NATting a CAS server more secure than placing it into the DMZ, and is this a viable option instead of using ISA? Thanks. The post I was referring to: ([Microsoft Exchange 2007] >> Secure Messaging >> What is the difference)
RE: CAS servers in the DMZ - 27.Nov.2007 7:32:50 PM
mark@mvps.org
All security is a trade-off. If you put the CAS into the DMZ you expose the box and make Swiss cheese out of the firewall. That's a risk. If you have the CAS in the DMZ and implement IPsec, then that's a risk too (supportability and experience to manage it). If you put the CAS on the LAN, then that's a risk (direct 443/25 to the LAN). Personally, I'd put it on the internal network because that's where I'll get the best support for it if things go awry.
_____________________________
Mark Arnold (Exchange MVP) List Moderator
RE: CAS servers in the DMZ - 3.Dec.2007 10:45:32 PM
rparsons1000
You will find debate after debate about this all over the place. Me personally, opening 443 from the Internet and placing it in the DMZ is OK, though not perfect. Yes, there are a few ports you have to open up from the server internally, about 6, but I think the security with it is fine. I have done my share of arguing with management to purchase an ISA server, but our security expert seems to be against it....
RE: CAS servers in the DMZ - 4.Dec.2007 12:24:33 AM
rishishah
I work within the very secure arena and there are ways to deploy the CAS in the DMZ. Microsoft's commercial arm will tell you it cannot be done, but there are other parts of Microsoft that specifically support this area and are happy to support the CAS in the DMZ. Obviously you may not get access to this part of Microsoft if things go wrong. Sorry I am being hazy, but that is all I can say in a public forum. Except, if you put it behind an ISA 2006 and then stick it in the DMZ, it should work a treat. Open the correct ports to the other Exchange servers and define manually which DCs you want it to contact.
_____________________________
Rishi Shah, MCP. Remember to back up before applying the advice. www.saiconsult.co.uk. Happy to provide professional Exchange Server consultancy anywhere in the world.
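The practical advice in the two posts above is to open only the specific ports the CAS needs and to pin it to named DCs and Exchange servers rather than the whole LAN. As an added illustration (example code written for this page, not from the thread, from Microsoft, or from any product), here is a small audit over a firewall rule set that flags DMZ-to-inside rules which are wider than a pinned host/port pair. The rule format, the host names (cas01, dc01, dc02, mbx01) and the port numbers are constructed assumptions; the thread does not list which ports a CAS requires, and this code does not claim to.

```python
"""Audit the firewall rules that let a perimeter-hosted Client Access
Server reach the internal network.

Constructed example for this thread: the rule format, the host names and
the port numbers below are assumptions, not an Exchange port list."""

from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

LAN_ZONE = "lan"          # a rule whose destination is the whole internal zone


@dataclass(frozen=True)
class Rule:
    src: str              # source host or zone
    dst: str              # destination host or zone
    proto: str            # "tcp" or "udp"
    ports: str            # "443", "1024-65535" or "any"


def port_count(ports: str) -> int:
    """How many destination ports a single rule entry opens."""
    if ports == "any":
        return 65536
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {ports}")
        return hi - lo + 1
    return 1


def audit(rules: Iterable[Rule], cas_host: str, allowed_targets: Set[str],
          max_ports: int = 16) -> List[Tuple[Rule, List[str]]]:
    """Return (rule, reasons) for every CAS-to-inside rule that is wider
    than a pinned host/port pair: whole-zone destinations, hosts the CAS
    was not meant to contact, or port sets larger than max_ports."""
    findings: List[Tuple[Rule, List[str]]] = []
    for rule in rules:
        if rule.src != cas_host:
            continue                       # only the CAS-to-inside direction
        reasons: List[str] = []
        if rule.dst == LAN_ZONE:
            reasons.append("destination is the whole LAN; pin it to named hosts")
        elif rule.dst not in allowed_targets:
            reasons.append(f"{rule.dst} is not on the list of servers the CAS should contact")
        if port_count(rule.ports) > max_ports:
            reasons.append(f"port set '{rule.ports}' is wider than {max_ports} ports")
        if reasons:
            findings.append((rule, reasons))
    return findings


# Constructed rule set: one DMZ CAS, two DCs and a mailbox server (assumed names).
RULES = [
    Rule("internet", "cas01", "tcp", "443"),
    Rule("cas01", "dc01", "tcp", "389"),
    Rule("cas01", "dc01", "tcp", "88"),
    Rule("cas01", "dc01", "udp", "53"),
    Rule("cas01", "mbx01", "tcp", "135"),
    Rule("cas01", "mbx01", "tcp", "1024-65535"),   # wide dynamic-port range
    Rule("cas01", "lan", "tcp", "any"),            # the "Swiss cheese" rule
    Rule("cas01", "dc02", "tcp", "389"),           # DC the CAS was not pinned to
]
ALLOWED = {"dc01", "mbx01"}                        # servers the CAS is meant to reach


if __name__ == "__main__":
    for rule, reasons in audit(RULES, "cas01", ALLOWED):
        print(f"{rule.src} -> {rule.dst} {rule.proto}/{rule.ports}")
        for reason in reasons:
            print("   ", reason)
```

Run as-is it reports three rules: the wide dynamic-port range to mbx01, the any-port rule to the whole LAN (two reasons), and the rule to dc02, which is not on the pinned list. The first five rules, being single ports to named hosts, produce no findings; that is the shape a DMZ CAS rule set should have, whatever the exact ports turn out to be for a given deployment.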
RE: CAS servers in the DMZ - 4.Dec.2007 3:35:23 AM
neilho
The "commercial arm", as you call it, states that it's not supported, not that it cannot be done - a very different thing. "Not supported" typically means "not fully tested", and thus you could, potentially, be on your own if you raise a PSS call (although my experience is that they're unlikely to simply put the phone down on you). Also, for the benefit of anyone else reading this thread, to be clear about the term "DMZ": it's my understanding, after speaking with Exchange product group members, that it's the dirty perimeter network we are referring to here. For example, someone using ISA on the internal network to separate CAS and Mailbox servers (it happens, such as in educational environments) is running an acceptable configuration as far as Microsoft is concerned.
_____________________________
Neil Hobson http://www.msexchange.org/Neil_Hobson http://www.simple-talk.com/author/neil-hobson/
RE: CAS servers in the DMZ - 4.Dec.2007 6:10:29 AM
rishishah
Neilho is correct. Yes, the ISA configuration (DMZ) is supported by Microsoft PSS.
_____________________________
Rishi Shah, MCP. Remember to back up before applying the advice. www.saiconsult.co.uk. Happy to provide professional Exchange Server consultancy anywhere in the world.