Exchange 2016 protected external client access

  • Question

  • Hello there,

    I'm planning an Exchange upgrade/migration from 2010 --> 2016 and have an architectural question:

    1) I know that Exchange 2016 has a radically simplified architecture, in that there are no more divided role services to be spread across multiple servers; however, one of the things that I liked about Exchange 2010 was the ability to have the CAS isolated in a DMZ network with very strict firewall rules between that and the rest of production. With the simplified architecture, this does not seem to be possible with 2016, as there is no CAS role at all. I'm less comfortable opening up Exchange IIS (however hardened) to the Internet; I realize that I can proxy all traffic through our firewall as a measure of protection, however that also adds a measure of complexity. Short of double-homing Exchange and binding an IP from our DMZ network to the Exchange-Web (which also seems like a bad idea), is there no other way to isolate external client access into a DMZ and additionally protect the production core from the Internet crazies?

    Thanks,


    The solution is always the last thing you look at... -M

    Monday, December 10, 2018 8:40 PM

All replies

  • Hi,

    Actually, it is not supported to place a CAS server in a DMZ. Microsoft doesn't test or support any topologies which put firewalls between a CAS and a Mailbox server. The only Exchange role which is supported for deployment in a perimeter network is the Edge Transport server role. For more details, please refer to:

    Exchange, Firewalls, and Support… Oh, my!

    To restrict external users' access, you can open the necessary ports on the firewall that is placed between external clients and the internal Exchange organization. Here are the ports related to client access and mail flow:

    Network ports for clients and mail flow in Exchange

    Regards,

    Dawn Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Proposed as answer by JayceYYY Wednesday, December 12, 2018 7:01 AM
    Tuesday, December 11, 2018 8:36 AM
    Moderator
  • Hi,

    How is everything going? If there is anything unclear or any update, please feel free to post it here. If you have solved the issue, please mark the solution as answer, which could be beneficial for answer searching in the forum.

    Thanks for your understanding.

    Regards,

    Dawn Zhou



    Monday, December 17, 2018 10:10 AM
    Moderator