
Currently I run Forefront TMG to reverse proxy Exchange 2010 to the outside world.

I am now preparing an Exchange 2016 environment and with Forefront TMG getting obsolete, I want a solution without it. I now have pfSense and HAProxy as first line of defense and load balancing.

The question I have: Should you add a reverse proxy between the load balancer and Exchange? Where is this beneficial? It all runs from the same hypervisor and storage infra beneath.

I know HAProxy 1.8 now has the ability of small objects in-memory caching, which might accelerate the web services. But on the other hand, only OWA and ECP have some static content.

Any ideas?

Greetings,

Ronald


1 Answer


I have Azure AD App proxy to front-end my on-prem Exchange environment. The reasons to do it are all around security.

With an external proxy layer, you can implement whatever other rules you want that Exchange doesn't natively implement. IP restrictions, geoIP restrictions, multifactor authentication, etc - whatever your proxy will support.

You don't have ports 80 and 443 open to your Exchange servers, which run Windows, and might have unknown vulnerabilities. You're depending on your proxy to have fewer vulnerabilities, obviously - but even if they get owned, as long as the proxy isn't a domain member and is in some form of DMZ, the amount of damage that a pwned proxy machine can do is hopefully much smaller than an owned Exchange machine.

Caveat - If your proxy doesn't give you more security features and/or reduce your attack surface, then all you've done is complicate your environment without any payoff.
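To make the "reduce the attack surface" point concrete for the HAProxy 1.8 setup in the question, here is an added example configuration (not from the question, the answer, or any of the products named): it publishes only the Exchange 2016 virtual directories clients need, keeps /ecp reachable from internal ranges only, caches only the versioned OWA static path, and verifies the back-end certificates. Hostname, certificate paths, IP ranges and server addresses are constructed placeholders.

```haproxy
# Added example, not the question's or answer's own config.
# Assumes HAProxy 1.8; mail.example.com, the cert paths, 10.0.0.0/8 and
# the two mailbox servers below are constructed placeholders.
global
    log /dev/log local0
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    log global
    option httplog
    option forwardfor            # pass the real client IP to IIS logging
    timeout connect 5s
    timeout client  300s         # Outlook/MAPI and EAS hold long requests
    timeout server  300s

# HAProxy 1.8 small-object cache (objects up to tune.bufsize, 64 MB total)
cache owa_static
    total-max-size 64
    max-age 300

frontend fe_exchange
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/mail.example.com.pem
    http-request redirect scheme https unless { ssl_fc }

    # Only the Exchange virtual directories clients actually use are published;
    # anything else (default IIS site, unused handlers) is never reachable.
    acl published path_beg -i /owa /ecp /ews /mapi /oab /rpc /autodiscover /Microsoft-Server-ActiveSync
    acl ecp          path_beg -i /ecp
    acl internal_net src 10.0.0.0/8
    http-request deny if !published
    # Admin center stays internal. Caveat: OWA's own Options pages also live
    # under /ecp, so external OWA users lose settings access with this rule.
    http-request deny if ecp !internal_net

    # Cache only the versioned static assets, never per-mailbox responses.
    acl owa_static_path path_beg -i /owa/prem/
    http-request cache-use owa_static if owa_static_path
    http-response cache-store owa_static
    default_backend be_exchange

backend be_exchange
    balance roundrobin          # Exchange 2016 needs no session affinity
    option httpchk GET /owa/healthcheck.htm
    http-check expect status 200
    # Verify the internal CA so a rogue host in the server VLAN can't impersonate a mailbox server.
    server mbx1 10.0.10.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server mbx2 10.0.10.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

Splitting the backend per protocol (separate health checks for /mapi, /ews, /Microsoft-Server-ActiveSync) is the usual next step so one broken protocol does not pull a server out of all of them.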

  • Yep, thought so, rev proxy adds an extra layer of defense, where HAProxy might fall short, although it also has some ACL possibilities within. But multifactor is a good case, better to terminate that on the proxy (or NetScaler in my case). But why would you place a cloud based proxy in front of your on prem solution? To me that feels like adding latency and possibly availability risk (you don't own the chain end 2 end). – user292026 Dec 13 '17 at 07:19
  • Here's a link to my write-up: https://www.reddit.com/r/AZURE/comments/68uz3i/implemented_mfa_for_owa_activesync_with_onprem/ – mfinni Dec 13 '17 at 14:21
  • Short story - it was the easiest/cheapest way to get MFA for ActiveSync clients, by using conditional access policies that look for InTune compliance, and InTune registration itself was made to require MFA. – mfinni Dec 13 '17 at 14:22
  • As for adding latency - maybe, but who cares for email? It's a stepping-stone to Office365 hosted email for us, which means we won't own any of the chain. Dipping our toes into cloud for part of our email access layer is just fine. – mfinni Dec 13 '17 at 14:23
  • OK, I am hosting email myself, despite MS efforts to push me to Azure as well =). I have also Azure MFA, but deployed as part of my Netscaler 2f strategy and that works fine. I am also hosting XenApp with end users and mailboxes, so hosting mail myself is the best for the end user experience. XenDesktop is different, coz that allows OST files, where XenApp does not. But since I have a Netscaler with MFA, I was also figuring to put everything behind my NetScaler farm. Interesting write up BTW. Wondering if that works for EAS and Outlook Mapi as well though. – user292026 Dec 13 '17 at 23:57
  • It works for all Exchange protocols. We had some authentication protocol-level issues with Outlook for Mac, but the Azure team fixed that in April or May, I think. – mfinni Dec 14 '17 at 16:38
  • Update - The latest version of Outlook 2016 won't connect to Exchange 2010 on-prem via Azure AD App Proxy. – mfinni Jan 10 '18 at 23:58
  • Good advice in the era of Hafnium. – Chalky Mar 05 '21 at 08:42