Edge w/o Reverse Proxy

  • Question

  • I'm about to deploy a consolidated edge server, but we don't have anything in place for a remote proxying the web components - just a basic firewall.

     

    How "bad" would it really be to just have our External IP for the various web components' port 443 (meeting content download, Address Book Server, group expansion) be opened directly to the IIS server hosting the web components?

     

    This is a test scenario, so our primary objective is to have a working implementation of an edge server.  However, we probably won't be deploying ISA any time soon either, so we would likely do something similar in our production environment.  Any insight here?

    Monday, July 16, 2007 3:37 PM

Answers

  • There is no specific technical issue with this configuration.  Obviously security would be enhanced with a reverse proxy, but if you're comfortable with the security that your current model affords then it's fine to proceed.
    Wednesday, July 18, 2007 6:55 PM
    Moderator

All replies

  • Hello, did your solution work? I am solving a similar problem now.

     

    thanks

    P

    Tuesday, January 22, 2008 1:42 PM
  • Hi, is there any solution for this topic? Thanks.

     

    Wednesday, May 21, 2008 4:42 PM


  • You know already that you are exposing your web component server to the internet, the server which is part of your Active Directory.




    Regards,
    R. Kinker
    MCTS - LCS 2005, MCTS - OCS 2007
    http://www.ocspedia.com

    Saturday, May 24, 2008 11:44 PM
  • Any reverse proxy will do fine

    ISA Server is not required

     

    Thursday, May 29, 2008 9:38 PM
  •  

    The point of the Reverse proxy server is to allow you to use a Public certificate for external users, but still allow them to get to your ABS information through your front end servers. The internal Front Ends can still use an Internal CA this way.

     

    If you expose everything outside, then they will have to be able to get to your Internal server over port 443, and have a certificate that matches the external domain name they are trying to get to. (SAN for external and internal names)

     

    Not sure if you will also have to allow access to your CA for CRL checking.


    I've seen it work, but wouldn't recommend it.

     

    Cheers.

     

    - Steve

    Wednesday, June 11, 2008 4:36 PM
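
Added example, not part of the thread: a check for the two certificate points raised in the last reply when the web components are published without a reverse proxy. It reports names missing from the certificate's SAN list and CRL distribution points that only resolve internally. The input is a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; all host names and the internal suffix are constructed, and treating `ldap:` URLs as internal-only is an assumption.

```python
from urllib.parse import urlparse


def name_matches(pattern, host):
    """Match a SAN dNSName against a host name.

    A '*' is honoured only as the entire left-most label and covers exactly
    one label, so *.example.com matches a.example.com but not a.b.example.com.
    """
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]


def audit_cert(cert, required_names, internal_suffixes):
    """Return SAN gaps and internal-only CRL URLs for one certificate."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    missing = [n for n in required_names
               if not any(name_matches(s, n) for s in sans)]
    internal_crl = []
    for url in cert.get("crlDistributionPoints", ()):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Assumption: ldap: CDPs point into Active Directory, so external
        # clients cannot fetch them; same for hosts under an internal suffix.
        if parsed.scheme == "ldap" or host.endswith(tuple(internal_suffixes)):
            internal_crl.append(url)
    return {"missing_names": missing, "internal_crl_urls": internal_crl}


# Constructed sample: a certificate from an internal CA with internal names only.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "pool01.corp.example"),
                       ("DNS", "fe01.corp.example")),
    "crlDistributionPoints": (
        "ldap:///CN=CorpCA,CN=CDP,DC=corp,DC=example",
        "http://ca01.corp.example/CertEnroll/CorpCA.crl",
    ),
}
# Names clients use: the internal pool name and a constructed external name.
REQUIRED = ["pool01.corp.example", "webext.example.com"]

if __name__ == "__main__":
    print(audit_cert(SAMPLE_CERT, REQUIRED, [".corp.example"]))
```
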