Hello Everyone,

I have been reading lots of info on the internet and am studying your Exchange 2007 CD. I am still a little confused about how to setup OWA securely in a Windows 2008 environment. We will be able to setup a new network environment running Windows 2008 and Exchange 2007 and will be using a 3rd party firewall. In order to setup OWA securely, do I still require ISA? Should I setup OWA on a server by itself? Is that a secure solution? I am very concerned about allowing external access directly into our internal network even though it is through port 443. Would you kindly give me some recommendations?

Many thanks for all your help in advance. :)

Rita

Good question. It comes up a lot.

Microsoft's basic stance on this is that installing the CAS role in the internal network is "secure enough" for most environments. They believe that putting the CAS in the DMZ is less secure, since it opens far to many ports from an insecure zone (the DMZ) into the internal network. CAS IIS security has been designed with a default configuration that should protect the server adequately in a 443-only config.

If your company has policies that will not allow this, then the recommended solution is installing the CAS role in the internal network (NEVER the DMZ) and installing an ISA 2006 server in the DMZ to proxy connections back to the CAS server on the internal network.

In my experience, three out of four small/midsized businesses opt to leave ISA out of their architecture and instead pass 443 directly to their CAS server. In larger environments (more than 700 users or so) I'm seeing more ISA.

Thank you so much for sharing your valuable opinions and the detailed information on setting up the OWA securely with me. much appreciated. :)

Rita