Exchange 2010 and Mail Access outside of Organization



My understanding is that with Exchange 2010 - the whole OWA model is gone, meaning that in the DMZ the only thing that gets loaded out there is the Edge Transport Role.

My question is this: Suppose I want to be able to manage my mail from home or anywhere from outside of the organization's firewall. In previous models it seemed that OWA was accessed on a perimeter server and just passed traffic back and forth. Whereas now - I believe I read somewhere that I would just assign some name e.g. on the internal Exchange 2010 server - of which the firewall would have a hole thru it on 443 for some public IP directly to the Exchange 2010 Hub Transport / CAS server.

But it seems that I am missing something here ... to me a hole directly to the backbone from the internet is less secure... it would seem that I would want to connect and authenticate thru the edge server - who then handles mail / messages back and forth to me the client.

Would appreciate some clarification on the best way to secure this kind of model.



aaarrrggghhhb [MCITP]


If by OWA model you mean the 2003 FrontEnd/Backend model, then yes this has changed a little bit. It is not recommended to put an Exchange server in a perimeter network. I don't think this was advised with 2003 either. AD is fundamental to Exchange and you would have to poke so many holes as to render your firewall pointless.

There are two types of traffic to consider. OWA traffic comes in via HTTPS and needs to ultimately land on a Client Access Server (role). If you wanted to protect this traffic and possibly inspect it in the DMZ (my customers do this for compliance most often) then I would suggest a reverse proxy server such as TMG (formerly ISA).

If you want to inspect SMTP mail traffic coming in from the internet (to a Hub Transport server) then you would use any number of Antispam/Antivirus gateways. From Microsoft you may look at a combination of any/all of these: Exchange Edge Transport role (designed to go in a DMZ), Threat Management Gateway (which may also be used above), and Forefront Protection for Exchange.


Thanks for the info ... I guess the concern is that a box on the backbone could be compromised - I suggested something like TMG and publishing the mail server... but what if the TMG server resides one leg on the backbone I am trying to protect and the other on the firewall side where traffic would be coming from. Would I not be in the same boat?

How exactly does this reverse proxy work?

As far as inspecting SMTP traffic I have a solution that would sit on the Hub Transport box - and grab say port 25 mail and forward to Hub listening on a different port.



Jonas Andersson [MCITP]

If TMG isn't enough security, why allow it at all, use SSL VPN or normal VPN and let the users only access their mail from "inside"?

Or publish it with TMG and also use 3rd factor authentication? Like RSA etc.

Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:

aaarrrggghhhb [MCITP]


If I get you correctly you may have a configuration that looks like this:

Internet---Firewall1---(DMZ)---Firewall2---Internal Network(s)

Those firewalls could be a single firewall with a DMZ port going to a switch as well. Also there could be multiple separate "Internal" networks.

Are you asking, what if you plug one interface of TMG into the DMZ and one interface into the internal network? Aren't you bypassing the internal firewall? The answer is yes, in that case your internal security (DMZ to Internal and vice versa) is only as good as the weaker of the two firewalls. If an attacker were able to get through either one, the other wouldn't necessarily be protecting you.

In the case of above one of several possible configurations is to put the TMG server(s) with a single leg in the DMZ network, it is your endpoint for OWA connections coming in. It can inspect them, filter them, then it will establish a connection through the inner firewall to the Exchange CAS server(s) inside. The outside firewall would only allow OWA traffic (IP and port) to the TMG, and the internal firewall would only allow it from TMG to the internal servers (specifically CAS and no others).

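A small reachability model of the two designs compared above (TMG dual-homed into DMZ and internal versus TMG with a single leg in the DMZ), added here as an example and not code from the thread or from TMG; the hosts, zones, probe ports and firewall rules are constructed assumptions, not a real network:

```python
"""Constructed reachability model of the two-firewall OWA publishing design.
Hosts, zones and rules are assumptions for illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_host: str
    dst_host: str
    port: int


def build_topology(tmg_dual_homed: bool) -> dict[str, set[str]]:
    """Map each constructed host to the zones it has an interface in."""
    return {
        "internet-client": {"internet"},
        "tmg": {"dmz", "internal"} if tmg_dual_homed else {"dmz"},
        "cas": {"internal"},
        "dc": {"internal"},
        "fileserver": {"internal"},
    }


# Firewall1 (Internet -> DMZ) allows only OWA to TMG; Firewall2 (DMZ ->
# Internal) allows only TMG to the CAS, as the post describes.
OUTER_FW = {Rule("internet-client", "tmg", 443)}
INNER_FW = {Rule("tmg", "cas", 443)}

# Ports probed when estimating what a compromised host could reach.
PROBE_PORTS = (443, 445, 3389)


def allowed(zones: dict[str, set[str]], src: str, dst: str, port: int) -> bool:
    """True if a single hop from src to dst on port is permitted."""
    if zones[src] & zones[dst]:
        return True  # shared segment: no firewall sits in the path
    if "internet" in zones[src] and "dmz" in zones[dst]:
        return Rule(src, dst, port) in OUTER_FW
    if "dmz" in zones[src] and "internal" in zones[dst]:
        return Rule(src, dst, port) in INNER_FW
    return False  # no rule permits this zone transition


def exposure(zones: dict[str, set[str]], compromised: str) -> set[tuple[str, int]]:
    """Internal (host, port) pairs directly reachable from a compromised host."""
    internal = [h for h, z in zones.items() if "internal" in z and h != compromised]
    return {(h, p) for h in internal for p in PROBE_PORTS
            if allowed(zones, compromised, h, p)}
```

With the single-leg design a compromised TMG can only reach the CAS on 443 through Firewall2; dual-homed, it sits on the internal segment and reaches every internal host on every probed port.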

So it sounds as if there are two choices... 1) make road users VPN into the firewall and then tunnel to the mail server with either OWA or Rich Client?

Or 2) - and I am not sure if I have the model right as shown above... I believe what it may look like is internet --> firewall --> DMZ and internet --> firewall --> Forefront (external NIC) --> forefront firewall --> backbone (internal NIC) where the DMZ might be where a relay or edge server . In prior versions it seemed proper to have Exchange FE running in DMZ and then traffic would flow back thru the firewall and to the backbone. But I would gather that the FE solution was riskier as it required more holes thru the firewall going to various servers on the backbone - but was more secure from a publicly accessible server - in that if that hardware/server was compromised - only it was compromised (albeit the argument was that now you had more holes to try and get into the backbone or the network).

It sounds to me if I wanted to do this right and not require VPN access - I would need a second Forefront Server. Stick that server in a DMZ with just one NIC in use - and use this server strictly for MAIL access. My second Forefront server would stay put for all other internet traffic - where it is on the backbone - one leg for the traffic destined to the firewall and eventually the internet and one leg for my network traffic that wants to go out.

I welcome any and all thoughts. Thanks



You can use DirectAccess, if users who will read mail from outside use corporate notebooks.