CAS 2010 on the mailbox server role?


scott_k2003

I am curious about the security risk of publishing OWA through ISA 2006 or TMG when it resides on the same server as the hub transport and mailbox server roles. Initially we were set to go with 4 servers: 2 HT/CAS and 2 mailbox servers. We have been throwing around the idea of installing just two physical servers combining HT/CAS/MBX. We would be load balancing CAS requests through a Barracuda.
I have some concerns about making OWA publicly accessible from the same server hosting the mailbox and HT roles, specifically the mailbox role though. Is this warranted? Is the service itself secured enough to the point where, if the bare minimum ports are allowed through ISA, the server itself still remains secure enough for this to be an option?
Interested in your thoughts.
 

mitch roberson



Scott

Exchange 2010 was designed for this to be an option, and security for this has been highly evaluated; the risk is considered minimal. As a matter of fact, we are seeing more and more companies move back to just putting it all on one box. Then it becomes easier to scale up and manage the environment as a whole.

The one point to this is that TMG or UAG is the recommended method for publishing OWA, OA, ECP, and AS. The reason for this is some of the security features TMG and UAG can accomplish. If set up correctly, it is only allowing the URLs that are supposed to get to Exchange, and only allowing access to the directories that are needed. If you set up pre-authentication on TMG or UAG, then you have an added layer of protection before it even makes it to the CAS server, so they HAVE to be authenticated connections. At the same time, TMG and UAG can inspect the SSL traffic if set up appropriately, so it can help prevent many attacks from even making it to the CAS.

If you were simply passing 443 through to the Exchange CAS, then I would have more concerns, and so should others.

Just my thoughts

Mitch Roberson |MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003
 

Casper Pieterse



Hi Scott,

If your TMG is set up correctly, you have nothing to worry about. I completely agree with Mitch. Remember that when using a TMG / ISA, the actual traffic from the internet never reaches the Exchange server itself. It is a new connection set up from the TMG server. As such, the TMG will only pass known commands to OWA and will protect it from possible exploits etc. (to a certain extent at least).

I am curious though, as this is not the first time I have seen this question posted. Why are people more willing to expose their CAS server to risk than the MBX server, as the CAS has full access to the MBX server in any case?

Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
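Mitch and Casper both describe what a correctly configured TMG/UAG publishing rule does in front of the CAS: it terminates the internet-facing connection itself, forwards only requests for the published Exchange virtual directories, and refuses anything that has not passed pre-authentication. The following Python block is an added illustration of that policy, written for this thread; it is not TMG code, not Microsoft's, and not from any poster. The virtual directory prefixes (OWA, ECP, ActiveSync, Outlook Anywhere/RPC-over-HTTP), the method list and the sample requests are all assumptions constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed Exchange 2010 virtual directories a publishing rule would expose.
# A real rule would be built from the deployment's actual vdir paths.
PUBLISHED_PATHS = (
    "/owa",                          # Outlook Web App
    "/ecp",                          # Exchange Control Panel
    "/Microsoft-Server-ActiveSync",  # ActiveSync
    "/rpc/rpcproxy.dll",             # Outlook Anywhere (RPC over HTTP)
)
# Assumed method allow-list; RPC_IN_DATA/RPC_OUT_DATA are the RPC-over-HTTP verbs.
ALLOWED_METHODS = {"GET", "POST", "OPTIONS", "RPC_IN_DATA", "RPC_OUT_DATA"}


def normalize_path(raw_url):
    """Decode and canonicalise the path before any allow-list comparison.

    Matching the raw string would let "/owa/..%2fother" slip past a prefix
    check, so percent-decoding and dot-segment removal happen first.
    """
    path = unquote(urlsplit(raw_url).path)
    norm = posixpath.normpath(path)      # collapses "." and ".." segments
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def is_published(path):
    """True only if the canonical path is a published vdir or sits beneath one."""
    lowered = path.lower()
    for prefix in PUBLISHED_PATHS:
        p = prefix.lower()
        if lowered == p or lowered.startswith(p + "/"):
            return True
    return False


def evaluate_request(method, raw_url, preauthenticated):
    """Decide whether the reverse proxy may open a new back-end connection.

    Returns (decision, reason). Order matters: the path is judged on its
    canonical form, and the pre-authentication requirement applies to every
    published path, so an unauthenticated client never reaches the CAS.
    """
    if method.upper() not in ALLOWED_METHODS:
        return ("deny", "method not allowed")
    path = normalize_path(raw_url)
    if not is_published(path):
        return ("deny", "path not published: %s" % path)
    if not preauthenticated:
        return ("deny", "pre-authentication required")
    return ("allow", "forward to CAS: %s" % path)


# Constructed sample requests: (method, url, pre-authenticated?)
SAMPLE_REQUESTS = [
    ("GET", "/owa/auth/logon.aspx", True),
    ("GET", "/owa/", False),
    ("POST", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe", True),
    ("GET", "/exchange/", True),
    ("GET", "/owa/..%2fprivate/", True),
    ("TRACE", "/owa/", True),
]


def run_samples():
    """Evaluate every sample request and return the list of decisions."""
    return [evaluate_request(m, u, a)[0] for (m, u, a) in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, u, a), decision in zip(SAMPLE_REQUESTS, run_samples()):
        print("%-8s %-45s preauth=%-5s -> %s" % (m, u, a, decision))
```

The point the block makes is the one Mitch raises: the proxy is the enforcement point, so the back-end only ever sees canonical, published, pre-authenticated requests, which is why "just passing 443 through" is a different risk posture from publishing through TMG.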
 

scott_k22792

Thanks for the info, guys. Casper, as for your question, that is why I was asking. Because the CAS has full access to the mailbox server, having it sitting locally along with the mailbox role is my concern. I was under the impression that the CAS server, at least when remote from the mailbox role, communicates over a secure channel, passing only the minimum secured traffic required to and from the CAS to the MBX server. If it is not remote, is the service still separated to the same extent in the underlying communication paths?
So I guess the consensus is, if utilizing Threat Management Gateway, that the traffic is secured to a point where there should be little concern vs. having the server standalone?!
That will simplify our case here if we decide to pursue this route.
 

Casper Pieterse

Correct. Don't think you have too much to worry about.

Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
 