CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Can anyone tell me what is the best and most secure way to publish an Exchange 2007 server which resides in our corporate LAN to Internet users (ActiveSync, OWA, etc.)? Because of budget constraints I cannot install an ISA/Edge server on the DMZ. Is port forwarding the way to go, or is there another solution? Thanks...

Last edited by ronron; 2007-11-28 at 00:58.
Most scenarios I have seen use the front end Exchange server in the DMZ and allow comms to the LAN Exchange server. This is normally quite secure. Or is this already in place and you are looking for a more secure connection process from the outside?
Due to budget constraints I cannot afford an Edge (front end) server. My question is if there is a secure way to publish the internal Exchange server using VPN-1's capabilities.
Hi, the only extra security I can think of is for the firewall to also request a user authentication; once completed they will see the front end OWA login etc. Bit of a ball ache for the end user but adds extra security....
Believe me, you do not want to do user authentication with OWA on Check Point. I have seen people insist on trying this only to remove it, as you get multiple login requests or attachments failing to come through. Basically it isn't reliable enough to use and I would strongly advise that you don't.

With Exchange 2007 there is a fundamental change to Exchange: no longer Front End/Back End but roles.
Edge = SMTP security server to the outside world
Hub = routes all mail between mailboxes and to the Edge server
Client Access (CAS) = client access, whether OWA, Outlook, or Outlook over RPC
Storage = stores mailboxes

I guess when you say that you have no Edge server then you are configuring the Hub to communicate directly with the outside world, or that you have a 3rd party SMTP security product such as Ironport or Mailsweeper. For SMTP then you should NAT to the Hub; however, for accessing over the Internet you need to access the CAS role. As such you will need to NAT the HTTPS or HTTP to the CAS server. Is this separate from your Storage role box or all in one?

I really would suggest that you find the budget for an ISA box to provide the HTTPS security, or at the very least separate your CAS from the rest of Exchange. I am guessing that two-factor authentication is also out of your budget.
What I need to know is if forwarding port 443 from Check Point to my internal Exchange 2007 server is a safe and secure way to go, and/or if there is another, better way to achieve my goal: making OWA/ActiveSync/Outlook Anywhere available to users from outside our corporate network when they are away. And yes, all roles are installed on one server ("typical" installation)... Thanks :-)
I would not do it myself, allowing direct access to the server that provides the storage of the mailboxes. That was effectively why you got front end / back end Exchange 2003 implementations. If you really can't get an ISA 2006 box to put in front then I am guessing that you are not going to be able to separate the CAS role either. I am no expert on Exchange licensing, but does the licensing work per server, or does 1 Exchange Server license allow you to split the roles across multiple boxes, i.e. you could install Storage and Hub on one box, the CAS on another and Edge on a third with 1 Exchange Server license? For you I am guessing just install onto 2 boxes: Hub/Storage and CAS.

In short, I would not consider sending HTTPS directly to my internal Exchange mail store server secure and safe. I would strongly suggest that you either find the budget for an ISA server or at the very least separate the CAS role from your Storage and port-forward 443 to the CAS box, and place the CAS in the DMZ. Bear in mind that internal clients also access Exchange via the CAS, so this may not be acceptable due to the load on the firewall this generates.
Alternatively you could look at an open source proxy such as Squid that can do reverse proxy, which is what you would be using ISA for in this case. I have not really used it myself so I can't say how good it is or if it does HTTPS reverse proxy.
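As an added illustration of the reverse-proxy alternative raised in the last reply (not configuration from the thread or from any poster), this is a minimal Squid 3.x-style squid.conf that publishes only the OWA, ActiveSync and Outlook Anywhere paths of an internal CAS, which is the part plain port forwarding of 443 cannot do. The hostname mail.example.com, the CAS address 10.0.0.5 and the certificate paths are assumed placeholders.

```conf
# Added example: Squid (3.x-era syntax) as an HTTPS reverse proxy in front of an
# internal Exchange 2007 Client Access Server, so the mailbox server itself is never
# reachable from the Internet. mail.example.com, 10.0.0.5 and the certificate paths
# are placeholders, not values from the thread.

# Listen on 443 for Internet clients and terminate TLS here with the public certificate.
https_port 443 accel defaultsite=mail.example.com cert=/etc/squid/mail.example.com.crt key=/etc/squid/mail.example.com.key

# The only origin is the CAS, reached over HTTPS. Verify its certificate against the
# internal CA instead of disabling peer verification, and pass client credentials
# (Basic/NTLM) through unchanged so Exchange still does the authentication.
cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/internal-ca.pem login=PASSTHRU name=cas
never_direct allow all

# Publish only the Exchange virtual directories remote users need. Anything else on
# the CAS (IIS default site, admin pages) is denied before it reaches the origin.
acl owa_host dstdomain mail.example.com
acl owa      urlpath_regex -i ^/owa(/|$)
acl eas      urlpath_regex -i ^/Microsoft-Server-ActiveSync(/|\?|$)
acl oa       urlpath_regex -i ^/rpc(/|$)
http_access allow owa_host owa
http_access allow owa_host eas
http_access allow owa_host oa
http_access deny all
cache_peer_access cas allow owa_host
cache_peer_access cas deny all

# Mailbox content must never be cached on the proxy; keep a request log for incident review.
cache deny all
access_log /var/log/squid/owa_access.log squid
```

Outlook Anywhere (RPC over HTTPS) relies on long-lived NTLM-authenticated connections, and whether a particular Squid build passes these through cleanly should be tested before the proxy is relied on for it.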