Kerberos delegation allows a particular program to impersonate other users for certain types of authentication.
Kerberos delegation requires an AD domain.

Passing 443 internally to a RP is now considered "safe". If you don't think so, put ANOTHER RP in the DMZ. But then you will lose SSO.

I think my comment about logoff issues was pretty clear. What is your specific question?

From: [email protected] On Behalf Of Rami SIK
Sent: Thursday, November 13, 2014 2:35 PM
To: [email protected]
Subject: [Exchange] RE: Reverse proxy in Windows 2012 as front-end for Exchange 2013

Thanks for the hints, however, I have some more questions;

Yes, I want SSO, but I am not sure what you meant by "SSO requires delegation"

And since I want SSO, If not in DMZ, then do they go into the internal network? Doesn't that create a security risk to get the all connections into the local net without authenticating them?

Are you saying that if I use ARR or WAP with SSO, I am likely to hit logoff issue? I am picky on that one, since I already tried KEMP device as the front-end with SSO in DMZ, and I already hit logoff issue with OWA. That's why I now started looking at the other alternatives where logoff works fine.

Rami

From: [email protected] On Behalf Of Michael B. Smith
Sent: Thursday, November 13, 2014 11:12 AM
To: [email protected]
Subject: [Exchange] RE: Reverse proxy in Windows 2012 as front-end for Exchange 2013

Both ARR and WAP work fine. Neither should be placed in the DMZ if you want SSO (SSO requires delegation).

There is a bug in CU6 with logoff redirection, but unless you are also using UAG/TMG you won't hit it.

From: [email protected] On Behalf Of Rami SIK
Sent: Thursday, November 13, 2014 11:56 AM
To: '[email protected]'
Subject: [Exchange] Reverse proxy in Windows 2012 as front-end for Exchange 2013

Has anybody been using reverse proxy (on Windows 2012 server) in their DMZ as front-end for their Exchange 2013 servers?

This is for mainly OWA authentication. Does SSO work with reverse proxy? Any log-off issues out of the OWA page?

Thanks!

Rami
