Windows Server Forum / Exchange Server / Design / November 2006

Exchange 2007 / OWA / RPC over HTTP

Ian Davies - 27 Nov 2006 19:41 GMT
I have a couple of questions that so far I haven't been able to find a clear
enough answer for me in the documentation:

1)  OWA - from what it looks like, I can no longer have an OWA server in my
DMZ.  Is this really true?  I don't like having to give a direct connection
from the outside to my inside network.

2)  RPC over HTTP.  It also appears that there are no longer Front-End
servers.  The Edge transport role looks like it only handles
relay/anti-virus/spam issues.  So for Outlook Anywhere I'm assuming I have the
same issue as OWA.  I need to have a direct connection from the outside to
inside?

Scott Schnoll [MSFT] - 27 Nov 2006 19:58 GMT
Answers inline...

Scott Schnoll
This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.

> I have a couple of questions that so far I haven't been able to find a clear
> enough answer for me in the documentation:
[quoted text clipped - 4 lines]
> connection from the outside to my inside network.

[SS] It's true.  The Client Access Server (CAS), which among other things
includes the OWA feature, is not supported in a perimeter network (aka a
DMZ).  Instead you'll deploy one or more CASs inside your organization and
put a robust firewall such as ISA 2006 in front of it.

> 2)  RPC over HTTP.  It also appears that there are no longer Front-End
> servers.  The Edge transport role looks like it only handles
> relay/anti-virus/spam issues.  So for Outlook Anywhere I'm assuming I have
> the same issue as OWA.  I need to have a direct connection from the outside
> to inside?

[SS] You use the same CASs to serve RPC over HTTP (now called Outlook
Anywhere).  The CAS sits in the internal network and is published via ISA.
Very secure and reliable!

This means in both cases, there is no "direct" connection.  Connections are
made by clients to the ISA Server, and not directly to the CAS.

Bharat Suneja [MVP] - 27 Nov 2006 20:05 GMT
Responses inline:


Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------

> I have a couple of questions that so far I haven't been able to find a clear
> enough answer for me in the documentation:
[quoted text clipped - 4 lines]
> connection from the outside to my inside network.

It is a common belief that servers that require access from the
internet need to be located in a perimeter network (DMZ) - this may be true
for many application servers, but as far as Exchange Front-Ends are
concerned, would you rather open a whole bunch of ports from the FE to your
GCs/DCs, BEs, DNS, et al. in the internal network? Or only open HTTPS to the
FE residing on the internal network?

Additionally, one can think of other possibilities for application-layer
security/content-inspection mechanisms like using ISA Server or appliances
like Whale (now acquired by Microsoft), combined with 2-factor
authentication like RSA SecurID (if already deployed or being considered).

> 2)  RPC over HTTP.  It also appears that there are no longer Front-End
> servers.  The Edge transport role looks like it only handles
> relay/anti-virus/spam issues.  So for Outlook Anywhere I'm assuming I have
> the same issue as OWA.  I need to have a direct connection from the outside
> to inside?

The Client Access Server role in Exchange Server 2007 maps to the Front-End
server role in Exchange Server 2003/2000, so there is in fact a "front-end"
server in Exchange Server 2007. Outlook Anywhere users connect to an
Exchange Server 2007 server that's running in a Client Access Server role -
you will need to provide HTTPS connectivity to this server for RPC over
HTTPS/Outlook Anywhere. Ditto for OWA. Incidentally, HTTPS is enabled
out-of-the-box in Exchange Server 2007 using a self-signed certificate. You
may want to replace this cert with a cert issued by a trusted CA.
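
The certificate replacement mentioned in the last reply, as an added example that is not part of the original thread or any poster's own script. It assumes the Exchange Management Shell on the Client Access Server; the host names and file paths are constructed placeholders.

```powershell
# Run in the Exchange Management Shell on the Client Access Server.
# Host names and file paths are constructed placeholders, not values from the thread.
$names   = 'mail.example.com', 'autodiscover.example.com'
$reqPath = 'C:\certs\cas.req'   # request to send to the CA
$cerPath = 'C:\certs\cas.cer'   # certificate returned by the CA

# Certificates currently enabled for IIS (OWA and Outlook Anywhere use this binding).
function Get-IisCertificate {
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
}

# 1. Show what is bound today; the out-of-the-box certificate reports IsSelfSigned = True.
Get-IisCertificate | Format-List Thumbprint, Subject, IsSelfSigned, NotAfter, Services

# 2. Create the signing request once, then submit it to the trusted CA.
if (-not (Test-Path $reqPath)) {
    New-ExchangeCertificate -GenerateRequest -Path $reqPath `
        -SubjectName 'cn=mail.example.com' -DomainName $names `
        -PrivateKeyExportable $true
    Write-Host "Request written to $reqPath. Re-run after the CA returns $cerPath."
    return
}

# 3. Stop here until the issued certificate is present.
if (-not (Test-Path $cerPath)) {
    Write-Host "Waiting for the issued certificate at $cerPath."
    return
}

# 4. Import the issued certificate and refuse to bind it if it is still self-signed.
$cert = Import-ExchangeCertificate -Path $cerPath
if ($cert.IsSelfSigned) {
    throw "Imported certificate $($cert.Thumbprint) is self-signed; not enabling it."
}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Confirm the IIS binding now uses the CA-issued certificate.
Get-IisCertificate | Format-List Thumbprint, Subject, IsSelfSigned, NotAfter, Services
```

The names on the certificate need to match what external clients use to reach the published server, otherwise Outlook Anywhere clients will fail the TLS name check.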