We tried to place CAS in a DMZ-like VLAN today and of course we failed to make it work, after several hours of work. Everyone talks about Swiss cheese when it comes to placing Exchange into a DMZ, which makes me feel hungry all the time, since I love cheese of any kind. And it makes me laugh at the idea of picturing a million little holes in the DMZ firewall going back into the protected network.
So the bottom line is that CAS or OWA servers will not be placed in a DMZ or DMZ-like VLAN, because of Swiss cheese. Keep reading if you do not understand what Swiss cheese means in DMZ scenarios.
- With the CAS on the inside and no further firewalling, this would clearly leave the rest of your networks wide open to attack.
- CAS servers are so well connected to everything on the intranet that you'd have to open your internal Perimeter network firewall up so it would look like Swiss cheese.
- You'll be weakening your internal perimeter network firewall, since you would need to open up a bunch of ports.
- From past experience we know that many Exchange customers who try to put Exchange 2003 FE servers (which were supported running in the perimeter network) in the perimeter network run into all kinds of configuration and functionality problems related to firewall configuration. This translates to lots of deployment complexity.
- The recommendation is to have the Client Access Server as the first Exchange 2007 Server role installed in each Active Directory site. If you were to just have a Mailbox Server role in any given site without a Client Access Server no users would be able to connect to their mailboxes via Outlook Web Access, ActiveSync, Exchange Web Services, POP3 and IMAP4.
How do people around the world deploy CAS?
Planning for Client Access Servers
Overview of Exchange Server 2007 CAS Proxying
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +