The Client Access Server role was introduced in Exchange Server 2007 to provide a more scalable and secure way...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
to connect internal and external clients to Exchange mailboxes. Exchange Server 2013 also leverages this server role.
The default configuration of the Client Access Server (CAS) role is to internally require secure connections to Outlook Web App (OWA). It does so by creating a self-signed certificate during installation and automatically assigning the "IIS" services to the certificate. OWA is one of the IIS services the certificate protects. Forms-Based Authentication, which depends on the SSL connection, is the default authentication method for OWA. A certificate from a trusted internal or public certificate authority can replace the self-signed certificate. For OWA access, the same level of security exists for external and remote connections, but it's necessary to configure the OWA virtual directories on the Internet-facing CAS.
For many years, a best practice was to publish Exchange services to the Internet using a reverse proxy. This was so common that Microsoft's Threat Management Gateway (TMG) was practically an additional Exchange role for publishing Exchange services such as OWA. However, most Exchange administrators are aware that Microsoft is no longer deploying TMG and it isn't possible to purchase the product for new deployments.
In the absence of the TMG, what's the best choice? What you choose will depend on your organization.
If you require that external connections terminate in the DMZ but do not require pre-authentication, you can use Application Request Routing. If you require pre-authentication for connections, use Windows Application Proxy. When deploying a highly available CAS, it may be possible to use a hardware load balancer (HLB) to provide protection for your external OWA connections.
You may be wondering if it's crazy to allow a direct connection from the Internet through your firewall or HLB to the CAS role. Not necessarily. Greg Taylor, principal program manager for the Exchange team, provides some excellent insight on this topic in his blog about life in a post-TMG world. Microsoft has made a significant investment in Exchange to make sure it's more securely coded to eliminate threats. Applying product updates in a timely fashion and a rigorous monitoring process could be far more effective than a black box perimeter option.
About the author:
Richard Luckett is a consultant and instructor specializing in messaging and unified communications. He's been a certified professional with Microsoft since 1996 and has 20 years of experience in the public and private sectors. He's a Microsoft Certified Trainer with more than 15 years of training experience with the Microsoft product line and received the Exchange MVP award in 2006, 2007 and 2008. He's also an expert in deploying and integrating Exchange Server and Lync Server. He leads the Microsoft training and consulting practice at LITSG.
Dig Deeper on Microsoft Outlook
Related Q&A from Richard Luckett
Some folders in a mailbox on Exchange Server 2013 are not showing up on the folder list in the OWA virtual directory but do appear in other views.continue reading
We have a Client Access Server and Mailbox Server on Exchange 2013 and we want to install an Edge Transport role on another machine. I joined the ...continue reading
How can I enable Outlook Anywhere to allow internal use for all users and external use for only some users in Exchange 2013?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.