Sunday, July 29, 2007

Exchange 2007 Client Access and Hub Transport servers in the DMZ

I am seeing some chatter on the newsgroups and web forums as to what ports to open up on a firewall to allow the Client Access and Hub Transport server roles to be placed in the perimeter / DMZ network. Do not do this. Microsoft neither recommends nor supports this configuration. You have to open up too many ports on the firewall. If you need to terminate external HTTP/HTTPS connections from the Internet in your DMZ, put a reverse proxy there. Squid is a good freebie that runs on Linux; ISA Server and BlueCoat are also good solutions.

Here is the official word from Microsoft:
"You can install the Client Access server role on an Exchange 2007 computer that is running any other server roles except for the Edge Transport server role. You cannot install the Client Access server role on a computer that is installed in a cluster. Installation of a Client Access server in a perimeter network is not supported."

2 Comments:

At 6:13 AM, Blogger cround said...

Jim,
We have our Client Access and Hub Transport running in the DMZ. All communications between LAN and the CA/Hub are any-to-any. I now know for a fact it works, but can I ask what you think about performance in an environment like this?
Thanks for any comments.
Regards,

 
At 10:46 AM, Blogger Unknown said...

I'm troubleshooting the initial setup in my test lab of a server running the Hub Transport and Client Access roles. My mailbox servers are running CCR. I'm unable to access the administrator email account using Outlook 2007 or OWA. I think it's because my firewall is blocking the ports. What ports should be open to allow a client on the LAN to connect to the CAS?

Thanks.

 
