
We're finding that RDG (Remote Desktop Gateway role) and VPN (Remote Access Server role) and Exchange roles do not want to play nice on one Server 2008 R2 machine.

For this reason we've moved to virtualizing them on Hyper-V across two separate machines, VM#1 and VM#2.

Remote Desktop Gateway and VPN (SSTP; Remote Access Server) are running on Server 2008 R2 Std on VM#1.

We want to virtualize our Exchange on Server 2008 R2 Std to VM#2.

At the moment we only have one IP address. Ports 80 and 443 are directed to VM#1. Port 25 is directed to VM#2. We could easily deploy an Edge server for Exchange on VM#1 and point port 25 to VM#1 as well.

There is no TMG/ISA. No reverse proxy either.

We have a SAN/UCC SSL Certificate from a third party for:

  • mail.ourdomain.com
  • autodiscover.ourdomain.com
  • exchange.ourdomain.local <-- VM running Exchange mailbox and hub transport roles.
  • remote.ourdomain.local <-- VPN/RDP access.

We would like to keep VM#1 and VM#2 separate, as opposed to installing the Exchange CAS and Edge roles on VM#1 on top of what we currently have.

Does anyone have advice on how best to accomplish this setup with one IP, and one UCC/SAN cert rather than getting two IPs from our ISP and pointing the second IP to exchange on VM#2?

BabakBani
  • Umm... you've totally lost me on what part you don't understand. You create a second VM, and then do what you said you're going to do with it. – SpacemanSpiff Mar 14 '12 at 04:32
  • Sounds like you are out of options other than running one of the two servers' 443 services on a different port. TMG would be my first option, getting a 2nd IP would be the next option. I suppose you could try running the three products on one server but I doubt it's supported. – Bret Fisher Mar 14 '12 at 05:22
  • The problem is when we install the Client Access Server role on top of VM#1, it takes over IIS and rewrites things to suit itself. We tried it in a lab environment and it changes the authentication mode in a way that RDG and VPN don't like. It also changes the port range used by http-rpc. It works, but barely, in a broken way. – BabakBani Mar 14 '12 at 12:04
  • Thanks Bret, I've read TMG is going to be end-of-lifed by MS and either rolled into another product or discontinued altogether. It looks like we have to settle on the second IP address from our ISP and get a dual-WAN device that can pass the IP and port 443 to the Exchange box. – BabakBani Mar 14 '12 at 12:15
  • Another solution may be to wait for IIS8, as I see it handles SNI, which allows for hostname-binding to SSL, which eliminates the need for one IP/port to SSL. http://blogs.iis.net/wonyoo/archive/2012/03/01/iis-8-0-platform-features-for-web-hosters-and-service-providers.aspx – BabakBani Mar 14 '12 at 12:16
  • I rewrote the question to make it more clear. – BabakBani Mar 14 '12 at 15:22
  • Just get another IP; a convoluted workaround is not worth the effort here. – SpacemanSpiff Mar 14 '12 at 15:31
  • Thanks SpacemanSpiff. That's exactly the answer I was trying to get. I was wondering if this can be done with one IP or if we had to get another one for use with Exchange. From the discussion here it looks like getting the second IP is the best bet. Any recommendations for a hardware firewall appliance supporting dual WAN if we get the second IP? I've considered Cisco, HP and SonicWall. – BabakBani Mar 14 '12 at 19:32

1 Answer


To sum up the suggestions:

1) Get a new IP from our ISP specifically for use with Exchange. This way port 443 traffic can be pointed to Exchange without the needed complexity of setting up IAS/TMG or a reverse proxy.

If installing the CAS role on the VM with RDG and VPN, then follow:

2) install an SNI-based solution that can look at the SSL request and match it to the specific certificate for connecting to Exchange.

3) use a SAN/UCC certificate that covers

4) extra config work to get CAS role to play nice with RDG: http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/1da9cd90-80f4-4087-9edf-2d9cfa1d312f/

BabakBani
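As an added illustration of what the SNI-based front end in step 2 of the answer actually does (this is example code, not anything from the question, the answer, or Microsoft's products): it reads the still-unencrypted TLS ClientHello, pulls the server_name extension out of it, and picks the backend that holds the certificate for that hostname, so remote.ourdomain.local can go to VM#1 and mail/autodiscover to VM#2 on one IP and one port. The VM1/VM2 backend names and the ClientHello builder are constructed for the example; a client that sends no SNI (old Windows XP clients, for instance) yields None and must be handled by a default rule.

```python
import struct

# Hostnames from the page's SAN/UCC cert mapped to the VM that terminates TLS for them (VM names constructed).
BACKENDS = {
    "mail.ourdomain.com": ("VM2", 443),
    "autodiscover.ourdomain.com": ("VM2", 443),
    "remote.ourdomain.local": ("VM1", 443),
}

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16:                             # TLS handshake record?
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                 # handshake type ClientHello?
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip client_version + random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # extensions block
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name type
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace").lower()
    except (IndexError, struct.error):                    # truncated or malformed hello
        pass
    return None

def route(record: bytes):
    """Pick the backend for a ClientHello; None means no SNI, or a name we hold no cert for."""
    return BACKENDS.get(extract_sni(record))

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```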