Exchange 2013 for a global organization - security question.
  • Exchange 2013 for a global organization - security question.

    For a large organization setup that has offices in multiple locations and lots of external webmail and mobile users (60k users globally), does it make sense to set up the following:
    1) Internal MBXs DAG
    2) Internal CAS array
    3) External CAS array for security purpose
    An Exchange engineer told us that it is not advisable to set up an external CAS array (in the DMZ) due to the vast number of ports that would need to be opened on the firewall. Is that correct?


    PY

  • #2
    Re: Exchange 2013 for a global organization - security question.

    Sembee will give a more authoritative answer but I would say yes, avoid external CAS arrays as you will have to open multiple ports in your firewall. Probably better to proxy port 443 only through the DMZ to some sort of load balancer in front of your internal CAS array.

    DAGs are (IMHO) a no brainer.

    For that scale of operation, get a consultant to work with you on the environment.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Exchange 2013 for a global organization - security question.

      3) External CAS array for security purpose

      Elaborate on what you mean by that. What security purpose, specifically?

      What security threats are you specifically trying to mitigate and how would implementing an external CAS array achieve that?

      People throw the word "security" around way too much without providing any context and without providing any information about specific threats that they're trying to mitigate or how they plan to mitigate those threats.



      • #4
        Re: Exchange 2013 for a global organization - security question.

        1: Yep. Dependent on interconnection between sites, stretched DAGs are an option which could provide site resiliency. But do read up on this subject.
        2: Well, 2013 does not have a CAS Array in the strictest sense. But if you mean load balanced CAS servers, yeah.
        3: See 2 for my remark on CAS Arrays. However, placing an Exchange server in a DMZ/Perimeter network with active firewalls between networks with other Exchange servers is NOT supported (exception is the Edge Transport server, but that only handles SMTP). You had it with Exchange 2003 with the front-end/back-end server solution, but it basically makes your firewall a big swiss cheese (full of holes) and overly complicated. See also this link regarding this subject with Exchange 2007/2010 and IMHO still relevant for 2013.

        A reverse proxy/firewall with intrusion detection could deliver more security, perhaps combined with two-factor authentication. However, Exchange 2013 is relatively secure compared to previous versions of Exchange. So it might be prudent to sum up the security risks you specifically want to mitigate and plan accordingly.

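The "proxy port 443 only through the DMZ" design from #2 and the "reverse proxy/firewall" suggestion in #4 look like this in practice. The configuration below is an added illustration written for this thread, not something posted by any participant or shipped by Microsoft or NGINX: a DMZ reverse proxy that accepts nothing but TCP/443 from the Internet and forwards only the client-facing Exchange 2013 virtual directories to the internal load balancer VIP in front of the Client Access servers. The hostnames, the VIP address 10.0.10.50, the certificate paths and the list of published paths are assumptions for the example.

```nginx
# Added example for this thread (not from the original posts). Names,
# addresses and certificate paths are assumptions.
server {
    listen 443 ssl;
    server_name mail.example.com autodiscover.example.com;

    ssl_certificate     /etc/ssl/certs/mail.example.com.pem;
    ssl_certificate_key /etc/ssl/private/mail.example.com.key;
    ssl_protocols       TLSv1.2;

    # Exchange clients send large attachments and hold long-running
    # ActiveSync / Outlook Anywhere requests open, so do not buffer or
    # time them out aggressively.
    client_max_body_size    100m;
    proxy_read_timeout      3600s;
    proxy_request_buffering off;
    proxy_buffering         off;

    # Only the client-facing virtual directories are published. Anything not
    # matched here (including /ecp and /powershell) never reaches the CAS.
    location ~* ^/(owa|ews|oab|rpc|mapi|autodiscover|microsoft-server-activesync)(/|$) {
        proxy_pass https://10.0.10.50;          # internal LB VIP (assumption)
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Explicitly refuse the admin console and remote PowerShell endpoints at
    # the edge. Note that OWA's own Options page is served under /ecp, so
    # blocking it here also disables that page for external users; relax this
    # only if that is an accepted trade-off.
    location ~* ^/(ecp|powershell)(/|$) { return 403; }

    # Everything else is a 404; nothing is forwarded by default.
    location / { return 404; }
}
```

With this in place the DMZ firewall needs exactly two rules: Internet to proxy on 443, and proxy to the internal VIP on 443, which is the point made in #2 about avoiding the many-port "swiss cheese" that a full CAS in the DMZ requires. Two caveats a practitioner would check before relying on it: NTLM-authenticated Outlook Anywhere needs per-client connection affinity to the back end, which the open-source NGINX build does not provide (use Basic over TLS, or a proxy that supports NTLM pass-through), and the path allow-list only helps if the proxy normalises the request path before matching, which NGINX does for percent-encoding and dot segments in its `location` matching.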


        • #5
          Re: Exchange 2013 for a global organization - security question.

          @dmstork - Thanks for the info, esp item 3.

          @joeqwerty - True statement about security. With the view of traditional security, whereby exposing an internal server to the internet from inside the firewall is a high risk, that's where I'm coming from. However, after more research (being thrown under the bus by mgmt to do Exch2013 w/o training), apart from MS not supporting such an implementation, the solution of reverse proxy and load balancers w/SSL would seem to be the best option, as many experts suggested.
