date: Tue, 15 Jul 2008 11:25:37 -0400,    group: microsoft.public.exchange.setup


new exchange admin over his head   
Normally we have another guy doing exchange, so my experience with setup of 
an exchange environment is very little.

We have an exchange 2003 and 2007 server (I'm on the exch 2007) as it's our 
test environment.  Both sit behind a checkpoint firewall.  We have OWA 
running on both servers, and access is restricted through our Cisco 3000 
WebVPN.  We won't punch holes in the firewall to this particular exchange 
server because it sits outside of our DMZ.

I believe the "proper" way to set this up would be to have your exch server 
in the internal network, and have a separate OWA server in the DMZ with 
holes punched into the firewall for access to it.  I'd then suspect you'd 
use this same OWA server for mobile device connectivity (iPhone etc...). 
I'm going to attempt to deploy an exchange 2007 server with the edge role 
and see if that gives me what I need, but I have to admit I'm a fair bit 
confused as to the direction I should be heading.

Any help/advice would be most appreciated :)
date: Tue, 15 Jul 2008 11:25:37 -0400   author:   infinitiguy

Re: new exchange admin over his head   
- The Edge Transport role is designed to be a mail gateway residing in 
perimeter networks (DMZs). They transfer inbound/outbound SMTP mail to 
external mail hosts.
- Client access (accept Outlook/MAPI) is provided by Client Access Server 
(CAS) role. CAS is not supported in the perimeter - (that is, separated by a 
firewall from Mailbox servers). It needs to reside on the internal network.
- You would need to allow inbound HTTPS for OWA, Outlook Anywhere, Exchange 
ActiveSync (and if required - inbound IMAP4/POP3 for remote users using 
these protocols).
- Many organizations use SSL vpns/appliances/firewalls, ISA Server 2006, 
etc.
-- 
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog

This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
----------------------------

date: Tue, 15 Jul 2008 08:52:49 -0700   author:   Bharat Suneja [MSFT]

Re: new exchange admin over his head   
don't think my reply post went through..
-------------------
Hrmm, I'm confused.  I thought activesync worked through OWA.  I guess I'm
wrong there.  So, in an organization that has an owa server publicly
available over the net.  https://mail.mycompany.com  that server that gets
hit is running OWA.  Am I correct in assuming that same server isn't the
mail server that serves the company.  Instead it's a front end server,
correct?  That front end server could sit in a DMZ and then forward traffic
to a back end server sitting behind the firewall, not publicly available.

I think maybe I don't understand exactly how activesync works because I've
never tried it before.  I poked around exch 2k7 and I see that I can enable
my mailbox for activesync, and within the server config there is an
activesync URL.

I'm uncomfortable passing ssl traffic to my exchange host and I know my vpn
concentrator does not support SSL in terms of using a client to access over
ssl (only web based ssl..)

When you say using ISA Server 2006..  what would that give me to allow me to
accomplish a secured, but publicly accessible exchange environment?
-------------------------------

date: Tue, 15 Jul 2008 14:56:03 -0400   author:   infinitiguy

Re: new exchange admin over his head   
Hi,

Inline.

Leif

"infinitiguy"  wrote in message 
news:4CBFE9BB-763B-47B7-83C3-A8D46ED213D9@microsoft.com...
> don't think my reply post went through..
> -------------------
> Hrmm, I'm confused.  I thought activesync worked through OWA.  I guess I'm
> wrong there.  So, in an organization that has an owa server publicly
> available over the net.  https://mail.mycompany.com  that server that gets
> hit is running OWA.  Am I correct in assuming that same server isn't the
> mail server that serves the company.  Instead it's a front end server,
> correct?  That front end server could sit in a DMZ and then forward traffic
> to a back end server sitting behind the firewall, not publicly available.

Activesync and OWA are 2 different things (different websites on the CAS 
server). When external users connect to OWA they either connect to an ISA 
server in a DMZ where OWA is published or they connect directly to a CAS 
server on the intranet (CAS servers are not supported in a DMZ).
>
> I think maybe I don't understand exactly how activesync works because I've
> never tried it before.  I poked around exch 2k7 and I see that I can enable
> my mailbox for activesync, and within the server config there is an
> activesync URL.
>
> I'm uncomfortable passing ssl traffic to my exchange host and I know my vpn
> concentrator does not support SSL in terms of using a client to access over
> ssl (only web based ssl..)
>
> When you say using ISA Server 2006..  what would that give me to allow me to
> accomplish a secured, but publicly accessible exchange environment?

ISA server "knows" Exchange server traffic and blocks hostile traffic.

date: Wed, 16 Jul 2008 20:25:01 +0200   author:   Leif Pedersen [MVP]

Re: new exchange admin over his head   
Responses inline.
-- 
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog

This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
----------------------------




"infinitiguy"  wrote in message 
news:4CBFE9BB-763B-47B7-83C3-A8D46ED213D9@microsoft.com...
> don't think my reply post went through..
> -------------------
> Hrmm, I'm confused.  I thought activesync worked through OWA.

No, it doesn't work through OWA - but like OWA, it uses HTTP(S), and 
therefore opening the HTTPS port (tcp 443) takes care of both OWA and EAS 
(Exchange ActiveSync), in addition to Outlook Anywhere (aka "RPC over 
HTTP(S)").

> I guess I'm
> wrong there.  So, in an organization that has an owa server publicly
> available over the net.  https://mail.mycompany.com  that server that gets
> hit is running OWA.  Am I correct in assuming that same server isn't the
> mail server that serves the company.

- Depends - if the Mailbox and CAS (Client Access Server) roles reside on 
the same server, the server will/can host mailboxes.


> Instead it's a front end server,
> correct?  That front end server could sit in a DMZ and then forward traffic
> to a back end server sitting behind the firewall, not publicly available.

The Exchange 2007 equivalent of Exchange 2003/2000 Front-End servers is the 
Client Access Server role. Whereas Exchange 2003 Front-Ends were supported 
in perimeter networks (DMZs), Exchange 2007 CAS servers are *not supported* 
in such a topology (that is, separated from mailbox servers by a 
firewall... ). They need to reside on the "internal" network.

>
> I think maybe I don't understand exactly how activesync works because I've
> never tried it before.  I poked around exch 2k7 and I see that I can enable
> my mailbox for activesync, and within the server config there is an
> activesync URL.

Exchange ActiveSync (EAS) uses HTTP(S). HTTP support is provided by IIS. You 
will see a virtual directory in your default web site for EAS. This also 
means opening a single port allows access to OWA, EAS, and Outlook Anywhere 
(aka "RPC over HTTP(S)").

>
> I'm uncomfortable passing ssl traffic to my exchange host and I know my vpn
> concentrator does not support SSL in terms of using a client to access over
> ssl (only web based ssl..)
>
> When you say using ISA Server 2006..  what would that give me to allow me to
> accomplish a secured, but publicly accessible exchange environment?

ISA inspects application layer traffic, is application-aware, and makes 
securely publishing Exchange services like OWA, EAS, Outlook Anywhere, etc. 
an easy task.

date: Wed, 16 Jul 2008 13:05:41 -0700   author:   Bharat Suneja [MSFT]
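One check a practitioner would want once tcp/443 is opened to the Client Access Server, as an added example that is not from this thread or from Microsoft: classify the IIS W3C log entries on the CAS into the three HTTPS-published services named above (OWA, Exchange ActiveSync, Outlook Anywhere) by their virtual directory, and flag any request to those paths that did not arrive on the HTTPS port. The log lines, usernames, hostnames and client addresses below are constructed.

```python
import collections

# Virtual directories under the CAS default web site that the thread names as
# the HTTPS-published services; all three ride on IIS and tcp/443.
SERVICE_BY_VDIR = {
    "/owa": "OWA",
    "/microsoft-server-activesync": "Exchange ActiveSync",
    "/rpc": "Outlook Anywhere (RPC over HTTPS)",
}
HTTPS_PORT = 443

# Constructed sample in the default IIS W3C log format (not a real server's log).
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-07-16 20:00:01 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 203.0.113.10 Mozilla/4.0 200 0 0
2008-07-16 20:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=ABC123&Cmd=Sync 443 CONTOSO\alice 203.0.113.20 Apple-iPhone/501.347 200 0 0
2008-07-16 20:00:03 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.com:6001 443 CONTOSO\bob 203.0.113.30 MSRPC 200 0 0
2008-07-16 20:00:04 10.0.0.5 GET /owa/ - 80 - 203.0.113.40 Mozilla/4.0 403 4 0
2008-07-16 20:00:05 10.0.0.5 GET /Autodiscover/Autodiscover.xml - 443 - 203.0.113.50 Mozilla/4.0 401 2 5
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header may repeat after an IIS restart
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("request line seen before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def classify(uri_stem):
    """Map a request path to the Exchange service served from that virtual directory."""
    stem = uri_stem.lower()
    for prefix, service in SERVICE_BY_VDIR.items():
        if stem == prefix or stem.startswith(prefix + "/"):
            return service
    return "other"


def summarize(lines):
    """Return (requests per published service, requests to them not on tcp/443)."""
    per_service = collections.Counter()
    not_https = []
    for rec in parse_w3c(lines):
        service = classify(rec["cs-uri-stem"])
        if service == "other":
            continue
        per_service[service] += 1
        if int(rec["s-port"]) != HTTPS_PORT:
            # e.g. the 403.4 ("SSL required") answer IIS gives a plain-HTTP hit
            not_https.append((rec["c-ip"], rec["s-port"], rec["cs-uri-stem"]))
    return per_service, not_https


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG.splitlines())
    print(dict(counts))
    print(flagged)
```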

Re: new exchange admin over his head   
all very good info..

one follow-up question.  It looks like to be able to get this to work 
properly then with my current infrastructure I'm going to need to deploy an 
ISA server in my DMZ.  If I do so, are there any precautions I need to look 
out for in regards to the rest of my DMZ environment?  What kind of holes 
will I have to put in my checkpoint firewall for the ISA server to work 
properly?  If my only goal is to get activesync working does the ISA server 
then only need to communicate 443 in and out of the network?
date: Wed, 16 Jul 2008 16:47:34 -0400   author:   infinitiguy
