Using Forefront TMG 2010 Server as a Reverse Proxy in the DMZ Network to Secure Exchange Client Access Server (CAS)
Many organizations expose their Client Access Servers directly to the Internet, and they often place the Client Access Server role in the perimeter network, which is not recommended: it should not sit in the DMZ. Network and security administrators normally place Client Access Servers in the DMZ in their designs because the role is accessed directly from the Internet over HTTPS. What they do not realize is that the Client Access Server connects to the Mailbox server over MAPI RPC to submit messages to the mailbox database and to read messages, and MAPI RPC may use random and / or any number of ports. The Client Access Server also connects to a Microsoft Active Directory domain controller using Kerberos to authenticate the user on a separate channel, which adds further exposure where a single channel could otherwise be used. A Client Access Server placed in the perimeter therefore holds high-level access into the Exchange organization, and a number of ports must also be opened to give it Active Directory access, which leaves a rather large hole for potential attacks.
Microsoft recommends deploying a Client Access Server in each Active Directory site that has Mailbox servers. This gives Client Access Servers a fast network connection to the Mailbox servers and supports RPC connectivity as well as connectivity to domain controllers and global catalog servers. Deploying the Client Access Server role in a perimeter network is therefore not recommended. Instead, the recommended approach is an application layer firewall, in this case Microsoft Forefront TMG 2010 acting as a reverse proxy in the existing network, to publish the Client Access Server services to the Internet. This reduces the direct exposure of Client Access Servers to the Internet. In addition, you get the benefit of pre-authentication on the reverse proxy, which ensures that no unauthenticated traffic reaches the intranet servers. On top of this, the powerful Forefront TMG 2010 stateful packet and application firewall performs application inspection to help ensure that no dangerous commands or payloads are present in the communication. Its SSL bridging also decrypts the SSL tunnel so that exploits hidden inside it do not pass through uninspected; the tunnel contents are under the scrutiny of TMG as well, which makes things even more secure, since all traffic to the Client Access Servers is closely checked for potential HTML exploits and nonstandard HTML requests before it is introduced to your LAN.
Microsoft Forefront TMG 2010 provides an additional layer of security for the Client Access Server without major changes to the existing network infrastructure. The Forefront TMG 2010 reverse proxy intercepts inbound HTTPS requests and inspects them before passing them on to the internal Client Access Servers. In addition, pre-authentication takes place on the reverse proxy, which ensures that no unauthenticated traffic reaches the intranet servers (the Client Access Servers).
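To make the pre-authentication point concrete, the following is an added Python model of the reverse-proxy role described above; it is example code written for this page, not TMG's own code or configuration. TMG is configured from its console and validates credentials against Active Directory, whereas this stand-in uses one constructed user and a fixed set of published Exchange virtual directories; it shows that a request which fails pre-authentication or targets an unpublished path is answered at the edge and never reaches the stand-in Client Access Server.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ALLOWED_USERS = {"alice": "S3cret!"}  # constructed; TMG would validate against AD instead
PUBLISHED_PATHS = ("/owa", "/ecp", "/Microsoft-Server-ActiveSync", "/EWS", "/rpc")

def preauth_decision(path, auth_header):
    """Edge decision as (status, forward_to_cas), made without any round-trip to CAS."""
    if not path.startswith(PUBLISHED_PATHS):
        return 404, False                      # unpublished path: never relayed inward
    try:                                       # HTTP Basic credential check
        scheme, token = auth_header.split(" ", 1)
        user, _, pwd = base64.b64decode(token).decode().partition(":")
        ok = scheme == "Basic" and ALLOWED_USERS.get(user) == pwd
    except (AttributeError, ValueError):       # header missing or malformed
        ok = False
    return (200, True) if ok else (401, False)  # 401: pre-authentication failed at the edge

class StandInCAS(BaseHTTPRequestHandler):  # internal CAS stand-in; counts what reaches it
    hits = 0
    def do_GET(self):
        StandInCAS.hits += 1
        self.send_response(200); self.end_headers(); self.wfile.write(b"OWA")
    log_message = lambda *a: None

class Proxy(BaseHTTPRequestHandler):  # the TMG role: decide at the edge, relay only if allowed
    backend = ("127.0.0.1", 0)  # stand-in CAS address, set in run_demo()
    def do_GET(self):
        status, forward = preauth_decision(self.path, self.headers.get("Authorization"))
        body = b"denied at reverse proxy"
        if forward:
            conn = http.client.HTTPConnection(*Proxy.backend)
            conn.request("GET", self.path); resp = conn.getresponse()
            status, body = resp.status, resp.read()
        self.send_response(status); self.end_headers(); self.wfile.write(body)
    log_message = lambda *a: None

def run_demo():
    """Run both servers on loopback, send three requests, return (cas_hits, statuses)."""
    cas = ThreadingHTTPServer(("127.0.0.1", 0), StandInCAS); Proxy.backend = cas.server_address
    proxy = ThreadingHTTPServer(("127.0.0.1", 0), Proxy)
    for srv in (cas, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    cred = "Basic " + base64.b64encode(b"alice:S3cret!").decode()
    client, statuses = http.client.HTTPConnection(*proxy.server_address), []
    for path, auth in [("/owa/", None), ("/secret-admin/", cred), ("/owa/", cred)]:
        client.request("GET", path, headers={"Authorization": auth} if auth else {})
        resp = client.getresponse(); resp.read(); statuses.append(resp.status)
    for srv in (cas, proxy): srv.shutdown(); srv.server_close()
    return StandInCAS.hits, statuses   # -> (1, [401, 404, 200])
```

Of the three requests, only the authenticated request to a published path is relayed, so the stand-in CAS sees exactly one hit.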