Exchange 2007, OWA and RRAS

  • Exchange 2007, OWA and RRAS

    Hi all!

    We have Exchange 2007 installed on a Windows 2008 AD domain. The Exchange topology is Edge on one stand-alone server in the DMZ and all the other roles on a member server on the AD LAN. The Edge server is probably unnecessary but for now, it's there... Previously, users could access OWA directly on the Exchange 2003 server that was in the DMZ (I know, bad idea!). Now, since we have upgraded and since Edge doesn't handle OWA, the users are connecting with VPN first, then accessing OWA directly on the Exchange CAS. This also poses a problem when the users are not using their own computer to check email... We could most likely buy ISA 2006 licenses and that would solve the problem. I was wondering though if there was a way to not spend that money and use Windows 2008 NPS (Network Policy Server, ex-Routing and Remote Access) to route the http or https requests to OWA. We have NAT in place between the public IP and the DMZ Edge server and a PIX firewall for now between the DMZ and LAN. We also have a Cisco 5510 sitting on the shelf that could most likely help the situation too but we don't have the time for now to install it...

    Thanks for any input!

  • #2
    Re: Exchange 2007, OWA and RRAS

    Any reason why you simply haven't opened port 443 straight to the Exchange server? Works fine and if the server is dedicated to Exchange (i.e. has nothing else installed) then it would be fine from a security point of view.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Exchange 2007, OWA and RRAS

      Thanks Simon,

      The way things are configured now is:
      - Public DNS record for mail.companyname.com pointing to our external IP on the Edge server
      - MX record for companyname.com pointing to our external IP on the Edge server
      - PIX NAT mapping the external IP to the Edge server DMZ IP
      - All of the same ports that were open when the E2K3 server was in the DMZ (same IP as the new Edge) which hosted the mailboxes, IIS, users, etc...

      If I wanted to open port 443 directly to the E2K7 server on the LAN, the PIX NAT mapping would need to be "outside to LAN" and not "outside to DMZ" like it is now. That means that incoming email would not get to the Edge server, right?

      I could have the public DNS record changed to another external IP, then set up the NAT and open 443. I just thought it might be easier to use and manage RRAS.

      Thanks



      • #4
        Re: Exchange 2007, OWA and RRAS

        I wouldn't even know where to try and use RRAS for this - even if it is possible.
        As far as I am concerned the whole idea of OWA is that a user can just open their browser and enter an address.

        Can you get a second IP address which you can use for OWA?

        Simon.
        --
        Simon Butler
        Exchange MVP



        • #5
          Re: Exchange 2007, OWA and RRAS

          The whole idea was that when a user entered the webmail URL, the Edge server, with the help of RRAS (or any other similar service), would forward the request to OWA.

          We have a class C range so another external IP isn't a problem. Was trying to avoid putting another one out somewhere that we don't manage...

          Thanks



          • #6
            Re: Exchange 2007, OWA and RRAS

            Edge can't do that. It's one of the reasons why I don't deploy Edge - I feel it is a pointless product. I can do everything Edge does using other products for much less than an Exchange license. If it did OWA as well, then that would be a different matter. However if it did Edge then it would impact on sales of the answer to your question...

            You need ISA if you want to proxy OWA through another machine, as OWA needs direct access or uses a product that knows how to handle OWA.

            Simon.
            --
            Simon Butler
            Exchange MVP
