Exchange 2007 Client Access and Hub Transport servers in the DMZ
I am seeing some chatter on the newsgroups and web forums as to what ports to open up on a firewall to allow the Client Access and Hub Transport server roles to be placed in the perimeter / DMZ network. Do not do this. Microsoft neither recommends nor supports this configuration. You would have to open up too many ports on the firewall to make it work. If you need to terminate external HTTP/HTTPS connections from the Internet in your DMZ, put a reverse proxy there. Squid is a good freebie that runs on Linux; ISA Server and BlueCoat are also good solutions.
Here is the official word from Microsoft:
"You can install the Client Access server role on an Exchange 2007 computer that is running any other server roles except for the Edge Transport server role. You cannot install the Client Access server role on a computer that is installed in a cluster. Installation of a Client Access server in a perimeter network is not supported."