umphmharding wrote:

Aside from being not supported by Microsoft, has anyone placed an Exchange 2010 CAS server in a DMZ? It looks like the reasoning behind it was because you'd have to punch so many holes in the firewall, it wasn't worth it. But since the PAN has a little more flexibility, I wouldn't think it would be a problem.

Hi. We went through this entire scenario (and I'm not real happy with Microsoft's stupid reasoning behind not supporting a CAS in a DMZ), and it's difficult to make work. The PA identifies *MOST* of the applications involved - activesync, ms-exchange, ms-netlogon, ms-ds-smb, kerberos, SSL, dns, LDAP, ping & msrpc are the commonest ones - but there *are* some "unknown tcp" transactions, and even worse some "incomplete" transactions reported, which makes it hard to set up decently. That's a metric buttload of applications to put in a security policy and still not catch 'em all. The "unknown" and "incomplete" sessions are a worry because they seem to be on random, varied ports, which makes it worse to try and write an application override to catch them.

I've ended up putting in a temporary "allow all" from the CAS server to the DC's and MBX server inside, but I'll be switching to the M$ "recommended" method of inbound NAT for Activesync and ssl/web browsing and moving the CAS inside. I'll also have to put in a U-Turn NAT for Activesync devices which access from inside - because the DNS record for our Activesync server returns a public IP address in my DMZ and, guess what, it's the one I NAT from the outside to inside - it doesn't physically exist in the DMZ.

I'm not real happy about it from a security point of view - I *shudder* at letting NAT'd traffic originated from outside back in, but Microsoft's "alternative" of putting in an IAS (sorry, "Threat Detection Server") is even worse - put in a server with two NICs, one in the DMZ and one inside, so you can just concentrate on compromising the IAS server and then have full access to the inside network - so there's not much other option. My choice would be to tell Microsoft to take Exchange and show it firmly where the sun doesn't shine, then put in a nice *nix based mail server, but unfortunately the executives don't agree with me, so I'm stuck with it. Cheers.
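As an added example (not code from the original post, nor a Palo Alto tool), here is a short Python script that sifts exported traffic-log lines for the "unknown tcp" and "incomplete" sessions leaving the DMZ CAS host and shows which inside hosts and ports they land on, so the admin can decide between an explicit rule and an application override before replacing the temporary "allow all". The simplified log layout, the CAS address and the 49152 dynamic-port threshold are assumptions; the sample log lines are constructed.

```python
# Added example, not from the original post. Summarise "unknown-tcp" and
# "incomplete" sessions from a DMZ CAS host by inside destination and port.
# Log layout is a CONSTRUCTED simplified one (src,dst,dport,app,action);
# remap the columns to match the firewall's real traffic-log export.
from collections import defaultdict

CAS_HOST = "10.1.2.10"                  # assumed DMZ CAS address (placeholder)
NOISY_APPS = {"unknown-tcp", "incomplete"}
DYNAMIC_PORT_START = 49152              # assumed start of Windows dynamic RPC range

# Constructed sample traffic-log lines: src,dst,dport,app,action
SAMPLE_LOG = """\
10.1.2.10,10.0.0.5,389,ldap,allow
10.1.2.10,10.0.0.5,88,kerberos,allow
10.1.2.10,10.0.0.20,445,ms-ds-smb,allow
10.1.2.10,10.0.0.20,49157,unknown-tcp,allow
10.1.2.10,10.0.0.20,49157,unknown-tcp,allow
10.1.2.10,10.0.0.5,49200,incomplete,allow
10.1.2.10,10.0.0.5,135,incomplete,allow
10.1.2.10,10.0.0.20,6001,ms-exchange,allow
10.0.0.77,10.1.2.10,443,ssl,allow
"""

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5 or not parts[2].isdigit():
            continue
        src, dst, dport, app, action = parts
        yield {"src": src, "dst": dst, "dport": int(dport), "app": app, "action": action}

def noisy_sessions(text, cas_host=CAS_HOST):
    """Return {(dst, dport, app): count} for unidentified sessions leaving the CAS host."""
    counts = defaultdict(int)
    for rec in parse_log(text):
        if rec["src"] == cas_host and rec["app"] in NOISY_APPS:
            counts[(rec["dst"], rec["dport"], rec["app"])] += 1
    return dict(counts)

def dynamic_port_share(sessions):
    """Fraction of noisy sessions on dynamic RPC ports: the 'random, varied ports'
    case that an app override keyed on a fixed port cannot catch."""
    total = sum(sessions.values())
    high = sum(n for (_, port, _), n in sessions.items() if port >= DYNAMIC_PORT_START)
    return high / total if total else 0.0

if __name__ == "__main__":
    found = noisy_sessions(SAMPLE_LOG)
    for (dst, port, app), n in sorted(found.items()):
        print(f"{dst}:{port} {app} x{n}")
    print(f"share on dynamic RPC ports: {dynamic_port_share(found):.0%}")
```

Destinations that only ever show up on fixed ports (135 above) are candidates for an explicit service rule; the rest point at the DC/MBX hosts needing a host-to-host rule rather than a port-based override.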