Wednesday, December 21, 2011

Exchange 2007 Client Access Servers and a DMZ

One thing that you must keep in mind with Exchange 2007 is that Client Access Servers (OWA, ActiveSync) do not work in a classic DMZ architecture. Not only does it not work, it is also not supported by Microsoft. Why this is the case I have no idea, since it really makes no logical sense.

In the end, you will want to NAT from your public address to a hardened CAS server on an internal address on your network. Allowing only HTTPS (TCP 443) through the NAT helps, but ultimately, like any machine exposed to the Internet, you must make sure you are keeping up with patches.

Clustering of your CAS servers can be accomplished with Network Load Balancing (NLB), which is available in the Standard edition of Windows Server 2008 R2. With this setup you can NAT to your NLB cluster address, so that the failure of a single node will not cause your OWA/ActiveSync environment to fail. I have successfully done this at a few places and it works pretty slick.
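The setup described above, as an added example that is not from the original post: a two-node NLB cluster for CAS on Windows Server 2008 R2, balancing only TCP 443, with the host firewall on each node limited to inbound HTTPS. Host names, the cluster VIP, the NIC name and the firewall rule name are placeholders; it assumes the NetworkLoadBalancingClusters module on the nodes and WinRM remoting for the firewall step.

```powershell
# Added example (not from the original post). All names/addresses are placeholders.
Import-Module NetworkLoadBalancingClusters

$ClusterName = 'cas-nlb'        # placeholder
$ClusterVIP  = '10.0.1.50'      # internal VIP the edge firewall NATs 443 to (placeholder)
$SubnetMask  = '255.255.255.0'
$Node1       = 'CAS01'          # placeholder host names
$Node2       = 'CAS02'
$Nic         = 'NLB'            # NIC dedicated to NLB traffic on each node

# Create the cluster on the first node. Unicast assumes each node has a second NIC
# for management/AD traffic; use Multicast if the nodes have only one NIC.
New-NlbCluster -HostName $Node1 -InterfaceName $Nic -ClusterName $ClusterName `
    -ClusterPrimaryIP $ClusterVIP -SubnetMask $SubnetMask -OperationMode Unicast

# Add the second node so the loss of one CAS does not take OWA/ActiveSync down.
Get-NlbCluster -HostName $Node1 |
    Add-NlbClusterNode -NewNodeName $Node2 -NewNodeInterface $Nic

# Replace the default all-ports rule with one that balances HTTPS only.
# Single affinity keeps an OWA session (forms-based auth) on the same node.
Get-NlbCluster -HostName $Node1 | Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Get-NlbCluster -HostName $Node1 |
    Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol TCP -Affinity Single -Mode Multiple

# On each node allow only inbound TCP 443 at the host firewall (netsh is the tool on
# 2008 R2; the New-NetFirewallRule cmdlet only arrived with Windows Server 2012).
foreach ($node in $Node1, $Node2) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        netsh advfirewall firewall add rule name="CAS HTTPS in" dir=in action=allow protocol=TCP localport=443
    }
}

# Verify: both nodes have converged and only the 443 port rule remains.
Get-NlbCluster -HostName $Node1 | Get-NlbClusterNode | Format-Table Name, State
Get-NlbCluster -HostName $Node1 | Get-NlbClusterPortRule | Format-Table StartPort, EndPort, Protocol, Affinity
```

The edge firewall then NATs public TCP 443 to $ClusterVIP and nothing else; any other listening service on the nodes stays reachable only from the internal network.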
