Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, October 22, 2009

Using Reverse Proxies for Front Ending Exchange

The Microsoft Exchange Team Blog wrote this week on the topic of Exchange 2010 (and 2007) Client Access Servers in the perimeter network, similar to the way "FE" (front end) servers are placed for Exchange 2000/2003. Their recommendation? Don't do it.

Instead the recommendation is to use reverse proxies. Their explanation:
Reverse Proxies are built to be put in the perimeter network or at the edge of the network. They include many security features and flexibility for customers to determine the level of defense-in-depth which is right in any particular environment.


If Microsoft recommended placing FE servers in the perimeter network for Exchange 2000/2003, what other reasons do they give for changing their stance for Exchange 2007 and 2010? Here is some of the more detailed rationale:

The E2000/E2003 FE servers were there to authenticate users and proxy traffic to the BE server where the traffic was actually interpreted and responded to. For example, the FE servers in E2000/E2003 don't do any Outlook Web Access (OWA) rendering. That all takes place on the BE servers.

The E2007/E2010 CAS role on the other hand contains all middle-tier logic and rendering code for processes like OWA, Exchange ActiveSync (EAS), Exchange Web Services (EWS), and more.


It looks like Microsoft is coming around to what we've known here all along, which is that the proxy is still the best solution for securing web traffic coming into and going out of the organization.

(Side note: I love the title of their blog "You had me at EHLO" - as a former postmaster, I can really appreciate it.)
