
Currently I run Forefront TMG to reverse proxy Exchange 2010 to the outside world.

I am now preparing an Exchange 2016 environment and with Forefront TMG getting obsolete, I want a solution without it. I now have pfSense and HAProxy as first line of defense and load balancing.

The question I have: Should you add a reverse proxy between the load balancer and Exchange? Where is this beneficial? It all runs from the same hypervisor and storage infra beneath.

I know HAProxy 1.8 now has the ability of small objects in-memory caching, which might accelerate the web services. But on the other hand, only OWA and ECP have some static content.

Any ideas?

Greetings,

Ronald

Chris

1 Answer


I have Azure AD App proxy to front-end my on-prem Exchange environment. The reasons to do it are all around security.

With an external proxy layer, you can implement whatever other rules you want that Exchange doesn't natively implement. IP restrictions, geoIP restrictions, multifactor authentication, etc - whatever your proxy will support.

You don't have ports 80 and 443 open to your Exchange servers, which run Windows, and might have unknown vulnerabilities. You're depending on your proxy to have fewer vulnerabilities, obviously - but even if they get owned, as long as the proxy isn't a domain member and is in some form of DMZ, the amount of damage that a pwned proxy machine can do is hopefully much smaller than an owned Exchange machine.

Caveat - If your proxy doesn't give you more security features and/or reduce your attack surface, then all you've done is complicate your environment without any payoff.

mfinni
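As an added illustration of the attack-surface argument in the answer above (not part of the original post, and not a configuration from the asker's pfSense/HAProxy setup): an HAProxy frontend that only forwards the Exchange virtual directories clients actually need, restricts /ecp to an internal range, and health-checks the backend. All addresses, certificate paths and server names are hypothetical placeholders.

```haproxy
# Added example: HAProxy as the only host exposing 443 for Exchange 2016.
# Without the "deny" rules below, every IIS path on the Exchange server
# (including /ecp and /powershell) would be reachable from the Internet.
defaults
    mode http
    timeout connect 5s
    timeout client  120s
    timeout server  120s

frontend fe_exchange
    # Hypothetical cert bundle; TLS terminates on the proxy, not on Exchange.
    bind :443 ssl crt /etc/haproxy/certs/mail.example.com.pem
    http-request set-header X-Forwarded-Proto https
    option forwardfor

    # Client-facing virtual directories that must be reachable externally.
    acl path_owa          path_beg -i /owa
    acl path_ews          path_beg -i /ews
    acl path_eas          path_beg -i /microsoft-server-activesync
    acl path_mapi         path_beg -i /mapi
    acl path_oab          path_beg -i /oab
    acl path_autodiscover path_beg -i /autodiscover
    acl path_ecp          path_beg -i /ecp

    # Hypothetical internal admin range allowed to reach the admin center.
    acl src_internal src 10.0.0.0/8

    # Admin center only from the internal range; everything else not in
    # the allow-list (e.g. /powershell) is dropped at the proxy.
    http-request deny if path_ecp !src_internal
    http-request deny unless path_owa or path_ews or path_eas or path_mapi or path_oab or path_autodiscover or path_ecp

    default_backend be_exchange

backend be_exchange
    balance source
    # Exchange publishes a per-protocol health page; probe OWA's.
    option httpchk GET /owa/healthcheck.htm
    http-check expect status 200
    # Re-encrypt to Exchange and verify its cert against the internal CA
    # (hypothetical path) rather than using "verify none".
    server ex1 10.0.1.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server ex2 10.0.1.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

The deny rules are what turns the proxy into a real reduction of exposed surface; a pass-through frontend that forwards every path adds a hop without the payoff the caveat in the answer warns about.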