
CAS or ISA with Exchange 2007


  • CAS or ISA with Exchange 2007


    I had a big question, and really no real answer.

    Exchange 2007 came with the CAS role, so users outside the company can synchronize/access their email. The CAS role server seems to take the place of the frontend server of an Exchange 2003 configuration.

    Therefore I cannot decide between CAS alone or ISA 2006 + CAS.
    I have a firewall appliance, so I only open both ports 80 and 443 to allow access. The CAS server is able to manage SSL for the outside devices, and if I use a specific server for the CAS role, I see this as a secure way for my customers to get their email.

    But everywhere on the net, lots of people use an ISA server in a DMZ area. What's the utility? Is this configuration really useful? Of course an ISA server in a DMZ which allows access to a CAS server in the trusted area seems to be more secure than directly accessing the CAS server in the trusted area.

    So your opinions: ISA or not?

    Thanks for the answer,


  • #2
    Re: CAS or ISA with Exchange 2007

    For me, the situation and the answer are clear.
    ISA: yes.
    Exch+ISA is more secure than an appliance and Exch. With ISA inside the domain, your connection is terminated on the ISA server. You can publish only the services you want. When you install an appliance, the connection is terminated on the CAS server inside your network.
    If you want to be secure, you have to deploy PKI or certificate authorization. Your appliance has to support this option.
    In ISA server you have many scenarios for publishing your service.

    be sure, nobody know what you think, but we know what you do.


    • #3
      Re: CAS or ISA with Exchange 2007

      Thank you Mayo for your answer.
      If I use an ISA server inside my DMZ, I have to open port 443 (possibly port 80) for access to the resources provided by the ISA server.

      Isn't ISA another brick in the security, a second level of control, or is it, as you wrote, a more flexible and secure way to operate?
      In this case, my firewall (physical device) is only here to control my internal users on their internet usage or for specific use (web site blocking, VPN remote connection, anti-spam ...)




      • #4
        Re: CAS or ISA with Exchange 2007

        Forefront TMG (Replacement for ISA) has just been RTM'd, and as it is 64-bit it is possible to install the Edge Transport Role on it as well, an option you don't have with ISA as it is 32-bit only. TMG features all of the publishing options ISA had, as well as lots of new options such as inbuilt web filtering (with subscription), WAN failover/load balancing and SSL VPNs.

        It's (as always) a question of costs vs benefits. If this was a new install I'd say TMG, but as you have a firewall already can you justify the expense of a new server, a Windows 2008 license and a TMG license?
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog