How should I setup Webmail?

[cfernandez]

We're in the process of migrating Exchange 2003 to Exchange 2007, we currently have webmail on a front-end server on the DMZ with ssl. Will I need a second 64 bit server to act as the Client Access Server on the DMZ? I know you can use only one server with 2007 but I don't see how it's safe to put the Exchange server on the DMZ? Any help or suggestions would be appreciated.

 

[Zelandakh]

Second CAS? No.
One server with 2007? Not true.

Don't put it in the DMZ, put it on the LAN and open up port 443. If you are really paranoid, put an ISA in the mix and publish that way.

 

[cfernandez]

Thanks Zelandakh for the response, would a CISCO ASA work?

 

[58sniper]

Putting any Exchange 2007 role other than Edge Transport in a perimeter network isn't recommended.

As Zelandakh mentioned, publishing it with a reverse proxy like ISA would be the best way to do it. Cisco ASA would be ok, but a reverse proxy would be preferred.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.

http://www.ucblogs.net/blogs/exchange/

 

[Zelandakh]

If your server is built correctly and you have a firewall in front of it that is only publishing 443, I don't see what the benefit would be of putting it in a DMZ but can see downsides.

 

[58sniper]

No domain joined machines in the DMZ!

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.

http://www.ucblogs.net/blogs/exchange/

 

[Zelandakh]

Well you *could* join a machine to the domain by opening a bunch of ports - I know one company that did just that!