Morning,

My work is concerned about exposing our CAS array to the public internet.
Initial thoughts are to place a single CAS in the DMZ with ports open to
our internal network.  I have obvious concerns with this approach, but it
is gaining traction, so I need to know if this will even work.  On our
internal network are two AD sites, each site contains 2 CAS and 2 MBX
(single DAG) and each has independent internet connectivity.  Varying
thoughts are floating around such as using mail.domain.com for the internal
CAS array, and mobile.domain.com for the single CAS in the DMZ.
Autodiscover will point to "mail" which should allow internal clients to
auto configure.  There is no desire for external clients to auto configure
(or even laptops to function out of the office using Outlook Anywhere).
Mobile devices would be statically configured to use the "mobile" namespace
by IT, and external clients would connect to OWA via "mobile" as well.

A reverse proxy is not wanted, and NAT through the firewall to the CAS
array is deemed too dangerous.  I know the single CAS is a hole in the
firewall anyway and also unsupported by MS, but would this scenario even
work?  Is there any impact to Outlook clients on the internal network
seeing the CAS in the DMZ?  Would I need to make the internal CAS array
non-internet-facing and the single DMZ-based CAS internet-facing?  Can a single
AD site support both internet-facing and non-facing CAS?

Definitely open to suggestions here.  This is not production yet - no
coexistence as we use an old Linux mail server right now.

Thanks,

Tommy
