Exchange 2008 - FE/BE


stp
06-19-2008, 01:45 PM
Hi there

I have just ordered the training package so the answer might be there, but I need an answer asap :)

As I understand it, the "old" backend/frontend way is gone with Ex2008. My question is, what to do then? I am about to install a new setup and I am very confused. I have a DMZ and want my OWA there.

If I do a Google search, people write that you have to publish the OWA with an ISA. I don't want an ISA :)

If that's true, why can I choose not to install the CAS role on my main server, and why can I choose to install ONLY the CAS role? To me it seems that I can still make a BE/FE system. Otherwise it seems strange that I can choose to install CAS alone.

Any inputs?

EDIT: Sorry, posted in the wrong forum. Please move it :-)

Br
Steen

DShack
06-19-2008, 03:59 PM
Microsoft decided that the ports needed for a CAS-role server to communicate with a Mailbox-role server were too numerous for it to be used as an FE. In fact, they regretted the old FE/BE architecture for CAS-related services because it turned firewalls into Swiss cheese. Since the CAS needs full access to the AD and to mailboxes, there's not a lot of security left between the CAS and the internal network anyway if the CAS gets compromised.

After careful evaluation, they decided it would be much more secure to ONLY allow port 443 into the internal network than to have to allow a whole slew of ports into the trusted network from the DMZ. So they went ahead and built their role architecture around that paradigm. For those that still don't want to allow 443 in directly to CAS, the ISA reverse-proxy is an option. But setting up your CAS in the DMZ is not supported or advised, and is also likely to result in some communications issues between your Exchange role servers.

All the Exchange 2003 to Exchange 2007 migrations I've done have done away with their FE/BE arrangements and either 1) used ISA or, more commonly, 2) allowed direct (well, through the firewall, at least) 443 access to the internal server.

Dave Shackelford
MCSE, MVP-Exchange
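The trade-off Dave describes (one HTTPS rule into the trusted network versus a whole slew of ports from the DMZ) can be checked mechanically against a firewall rule set. The following is an added example, not code from the thread or from Microsoft: it models two constructed policies, a CAS placed in the DMZ and a CAS kept internal behind a reverse proxy, and reports which rules cross a trust boundary on anything other than TCP 443. Zone names, host names and the port numbers are illustrative assumptions, not an authoritative list of Exchange ports.

```python
from dataclasses import dataclass

# Zones ordered by trust, lowest first (assumption for this example).
TRUST = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass(frozen=True)
class Rule:
    """One firewall permit rule: traffic from src_zone to dst_host in dst_zone."""
    src_zone: str
    dst_zone: str
    dst_host: str
    port: int
    proto: str = "tcp"


# Constructed sample: a CAS in the DMZ must reach Mailbox and AD servers on the
# internal network over many ports (RPC, SMB, Kerberos, LDAP, GC, DNS ...).
# Port values are illustrative, not a complete Exchange requirement list.
CAS_IN_DMZ = [
    Rule("internet", "dmz", "cas-dmz", 443),
    Rule("dmz", "internal", "mbx01", 135),
    Rule("dmz", "internal", "mbx01", 445),
    Rule("dmz", "internal", "dc01", 88),
    Rule("dmz", "internal", "dc01", 389),
    Rule("dmz", "internal", "dc01", 3268),
    Rule("dmz", "internal", "dc01", 53, "udp"),
]

# Constructed sample: CAS on the internal network; only HTTPS crosses each
# trust boundary (Internet -> reverse proxy in DMZ -> CAS internally).
CAS_INTERNAL = [
    Rule("internet", "dmz", "revproxy", 443),
    Rule("dmz", "internal", "cas01", 443),
]


def boundary_crossings(rules):
    """Rules whose source zone is less trusted than their destination zone."""
    return [r for r in rules if TRUST[r.src_zone] < TRUST[r.dst_zone]]


def exposed_ports(rules, dst_zone):
    """Map each host in dst_zone to the (proto, port) pairs reachable from a less-trusted zone."""
    exposure = {}
    for r in boundary_crossings(rules):
        if r.dst_zone == dst_zone:
            exposure.setdefault(r.dst_host, set()).add((r.proto, r.port))
    return exposure


def violations(rules, allowed=frozenset({("tcp", 443)})):
    """Rules that admit anything other than the allowed services into the internal zone."""
    return [r for r in boundary_crossings(rules)
            if r.dst_zone == "internal" and (r.proto, r.port) not in allowed]


if __name__ == "__main__":
    for name, policy in (("CAS in DMZ", CAS_IN_DMZ), ("CAS internal", CAS_INTERNAL)):
        print(f"{name}: {len(violations(policy))} non-HTTPS rule(s) into internal zone")
        for host, ports in sorted(exposed_ports(policy, "internal").items()):
            print(f"  {host}: {sorted(ports)}")
```

The output makes the point of the post concrete: the DMZ placement needs six non-HTTPS permits into the trusted network, the internal placement needs none. Running the same check against an exported rule set is a quick way to spot a "Swiss cheese" boundary before an auditor does.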

DShack
06-19-2008, 04:02 PM
Oh, and to answer your original question specifically: Exchange 2007 is designed for scalability, and one goal was to be able to have multiple load-balanced single-role CAS servers for large organizations. That's why each role can be installed by itself, so that load can be split off and re-proportioned in enterprise environments. In no way is that a wink/nod toward going the "CAS in the DMZ" route.

stp
06-20-2008, 02:39 AM
Thank you very much for your answer.

I guess that I then must surrender and go for an ISA solution. :)

Regards,
Steen