Re: new exchange admin over his head by infinitiguy
infinitiguy
Wed Jul 16 15:47:34 CDT 2008
All very good info.
One follow-up question. It looks like, to get this to work properly with my
current infrastructure, I'm going to need to deploy an ISA server in my DMZ. If
I do so, are there any precautions I need to look out for in regards to the rest
of my DMZ environment? What kind of holes will I have to put in my Check Point
firewall for the ISA server to work properly? If my only goal is to get
ActiveSync working, does the ISA server then only need to communicate on 443 in
and out of the network?
"Bharat Suneja [MSFT]" <bsuneja@online.microsoft.com> wrote in message
news:eCJ7S935IHA.2240@TK2MSFTNGP02.phx.gbl...
>
> Responses inline.
> --
> Bharat Suneja
> Microsoft Corporation
> blog: exchangepedia.com/blog
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights. Please do not send email directly to this alias. This alias is for
> newsgroup purposes only.
> ----------------------------
>
>
>
>
> "infinitiguy" <derek@iona.com> wrote in message
> news:4CBFE9BB-763B-47B7-83C3-A8D46ED213D9@microsoft.com...
>> Don't think my reply post went through..
>> -------------------
>> Hrmm, I'm confused. I thought ActiveSync worked through OWA.
>
> No, it doesn't work through OWA - but like OWA, it uses HTTP(S), and
> therefore opening the HTTPS port (tcp 443) takes care of both OWA and EAS
> (Exchange ActiveSync), in addition to Outlook Anywhere (aka "RPC over
> HTTP(S)").
>
>> I guess I'm wrong there. So, in an organization that has an OWA server
>> publicly available over the net, https://mail.mycompany.com, the server
>> that gets hit is running OWA. Am I correct in assuming that same server
>> isn't the mail server that serves the company?
>
> - Depends - if the Mailbox and CAS (Client Access Server) roles reside on
> the same server, the server will/can host mailboxes.
>
>
>> Instead it's a front end server, correct? That front end server could sit
>> in a DMZ and then forward traffic to a back end server sitting behind the
>> firewall, not publicly available.
>
> The Exchange 2007 equivalent of Exchange 2003/2000 Front-End servers is
> the Client Access Server role. Whereas Exchange 2003 Front-Ends were
> supported in perimeter networks (DMZs), Exchange 2007 CAS servers are *not
> supported* in such a topology (that is, separated from mailbox servers by
> a firewall). They need to reside on the "internal" network.
>
>>
>> I think maybe I don't understand exactly how ActiveSync works because I've
>> never tried it before. I poked around Exch 2k7 and I see that I can enable
>> my mailbox for ActiveSync, and within the server config there is an
>> ActiveSync URL.
>
> Exchange ActiveSync (EAS) uses HTTP(S). HTTP support is provided by IIS.
> You will see a virtual directory in your default web site for EAS. This
> also means opening a single port allows access to OWA, EAS, and Outlook
> Anywhere (aka "RPC over HTTP(S)").
>
>>
>> I'm uncomfortable passing SSL traffic to my Exchange host and I know my
>> VPN concentrator does not support SSL in terms of using a client to access
>> over SSL (only web-based SSL..).
>>
>> When you say using ISA Server 2006.. what would that give me to allow me
>> to accomplish a secured, but publicly accessible Exchange environment?
>
> ISA inspects application layer traffic, is application-aware, and makes
> securely publishing Exchange services like OWA, EAS, Outlook Anywhere,
> etc. an easy task.
>
>> -------------------------------
>>
>> "Bharat Suneja [MSFT]" <bsuneja@online.microsoft.com> wrote in message
>> news:uVaxXLp5IHA.2240@TK2MSFTNGP02.phx.gbl...
>>> - The Edge Transport role is designed to be a mail gateway residing in
>>> perimeter networks (DMZs). They transfer inbound/outbound SMTP mail to
>>> external mail hosts.
>>> - Client access (except Outlook/MAPI) is provided by the Client Access
>>> Server (CAS) role. CAS is not supported in the perimeter - (that is,
>>> separated by a firewall from Mailbox servers). It needs to reside on the
>>> internal network.
>>> - You would need to allow inbound HTTPS for OWA, Outlook Anywhere,
>>> Exchange ActiveSync (and if required - inbound IMAP4/POP3 for remote
>>> users using these protocols).
>>> - Many organizations use SSL vpns/appliances/firewalls, ISA Server 2006,
>>> etc.
>>> --
>>> Bharat Suneja
>>> Microsoft Corporation
>>> blog: exchangepedia.com/blog
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights. Please do not send email directly to this alias. This alias is
>>> for
>>> newsgroup purposes only.
>>> ----------------------------
>>>
>>>
>>>
>>>
>>> "infinitiguy" <derek@iona.com> wrote in message
>>> news:C540D167-0486-4F9B-BD1C-EC845C935509@microsoft.com...
>>>> Normally we have another guy doing exchange, so my experience with
>>>> setup of an exchange environment is very little.
>>>>
>>>> We have an Exchange 2003 and 2007 server (I'm on the Exch 2007) as it's
>>>> our test environment. Both sit behind a Check Point firewall. We have
>>>> OWA running on both servers, and access is restricted through our Cisco
>>>> 3000 WebVPN. We won't punch holes in the firewall to this particular
>>>> Exchange server because it sits outside of our DMZ.
>>>>
>>>> I believe the "proper" way to set this up would be to have your Exchange
>>>> server in the internal network, and have a separate OWA server in the
>>>> DMZ with holes punched into the firewall for access to it. I'd then
>>>> suspect you'd use this same OWA server for mobile device
>>>> connectivity (iPhone etc...). I'm going to attempt to deploy an
>>>> Exchange 2007 server with the Edge role and see if that gives me what I
>>>> need, but I have to admit I'm a fair bit confused as to the direction I
>>>> should be heading.
>>>>
>>>> Any help/advice would be most appreciated :)
>>>>
>>>
>>
>
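An added example, not code from either poster: once the CAS is published through ISA (or any HTTPS reverse proxy) on tcp 443, this script checks from the outside that OWA, Exchange ActiveSync and Outlook Anywhere all answer on that single port, and that the certificate presented actually matches the published name, since a mismatch is the failure a phone will hit. It assumes the standard Exchange 2007 IIS virtual directory paths (/owa, /Microsoft-Server-ActiveSync, /rpc/rpcproxy.dll) and uses the placeholder hostname mail.mycompany.com from the thread; the status-code interpretation is the usual behaviour of those directories for an unauthenticated GET and is an assumption, not something the thread states. It only sees what is reachable from the Internet side; whatever the ISA rule itself needs toward the internal network (the CAS on 443 and any authentication back end the rule is configured for) is not visible to this probe.

```python
"""Probe an Exchange 2007 CAS published over HTTPS and report which of
OWA, Exchange ActiveSync and Outlook Anywhere answer on tcp 443.

Example code written for this thread; the hostname is a placeholder
taken from the post, not a real endpoint.
"""
import http.client
import ssl
from typing import Dict, Tuple

HTTPS_PORT = 443

# Standard IIS virtual directories on an Exchange 2007 Client Access Server
# (assumed defaults; adjust if the directories were renamed).
SERVICES: Dict[str, str] = {
    "OWA": "/owa/",
    "Exchange ActiveSync": "/Microsoft-Server-ActiveSync",
    "Outlook Anywhere (RPC over HTTPS)": "/rpc/rpcproxy.dll",
}


def interpret(status: int, headers: Dict[str, str]) -> str:
    """Turn the response to an unauthenticated GET into a verdict.

    Header names are matched case-insensitively. 401 means the directory is
    published and protected; 200/302 means something (typically a forms-based
    logon page) is served without credentials; 404 means nothing is published
    at that path on this host.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get("www-authenticate", "")
    if status == 401:
        # The challenge shows which scheme (Basic/NTLM/Negotiate) is offered.
        return "published, authentication required (%s)" % (
            challenge or "no scheme advertised")
    if status in (200, 302):
        target = lowered.get("location", "")
        return "published, no auth challenge" + (
            " -> %s" % target if target else "")
    if status == 403:
        return "published but forbidden (check the publishing rule or SSL settings)"
    if status == 404:
        return "not published on this host"
    return "unexpected HTTP %d" % status


def probe(host: str, path: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Issue an unauthenticated GET over TLS with certificate verification on.

    A certificate that does not match `host` raises ssl.SSLCertVerificationError;
    that is deliberately not swallowed here, because a mobile device would fail
    the same way.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, HTTPS_PORT, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={
            "Host": host,
            "User-Agent": "exchange-publish-check/1.0",  # assumed label, not a real client
        })
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def check_host(host: str) -> Dict[str, str]:
    """Probe every service path and return {service name: verdict}."""
    results: Dict[str, str] = {}
    for name, path in SERVICES.items():
        try:
            status, headers = probe(host, path)
            results[name] = interpret(status, headers)
        except ssl.SSLCertVerificationError as exc:
            results[name] = "TLS certificate rejected: %s" % exc
        except OSError as exc:  # connection refused, timeout, DNS failure
            results[name] = "unreachable on tcp %d: %s" % (HTTPS_PORT, exc)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.mycompany.com"  # placeholder
    for service, verdict in check_host(target).items():
        print("%-36s %s" % (service + ":", verdict))
```

Run it from a machine outside the firewall with the published name as the argument. Three verdicts of "published, authentication required" or "published, no auth challenge" confirm the single 443 hole is enough for all three services; "unreachable on tcp 443" points at the firewall or the ISA listener, and "TLS certificate rejected" means the name on the certificate does not match what the devices will connect to.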