I'm reading through the documentation for deploying Exchange 2007, and I'm puzzled by one section. I was intending to place the Edge role on its own non-domain machine in the DMZ, and the remaining roles on another machine in the DMZ. The thought was that the edge role would only have the requisite ports open for mail delivery, and it would be able to access the backend server hosting the other roles since they are in the same network segment. The backend server would be running CAS role (among others), providing OWA and Exchange Activesync through the firewall. The only ports open from the DMZ to the internal private network would be the required ports for AD auth for the backend server.
The problem comes from the fact that everything I'm reading says that the edge role should be in the DMZ as described, but that the remaining roles should not be in the DMZ, but rather in the private LAN. It goes on to say that OWA and Exchange ActiveSync should be published via ISA, or exposed directly to the internet. I don't have (or particularly want) ISA server, and it seems counter-intuitive to expose a server on the private LAN directly to the internet.
Am I misreading this? Should I just put the backend server in the DMZ as planned and be done with it?
The reason for Microsoft recommending that you use ISA to publish OWA to the Internet is to overcome the "counter-intuitive" feeling you're having re: exposing a server on the LAN directly to the Internet (at least, at layer 3).
I wouldn't put my backend server hosting the other Exchange roles into the DMZ, if for no other reason than I don't think I'd want to expose my firewall device to all the Outlook client traffic from computers on the LAN.
If you're not comfortable with exposing the server hosting OWA and ActiveSync at layer 3, grab some open source HTTP proxy and put it in place between the Internet and the LAN to proxy HTTP into OWA.
Depending on your size & needs, you may just want to skip the Edge role and go with a third-party virus/spam filter (AppRiver, Postini, etc.). We went that route, since it was the only Edge functionality we needed, and I didn't particularly feel like using ISA server, either.
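As an added example (not part of the original question or answer), here is one way to do the layer-7 proxying the answer suggests, using nginx as the open source HTTP proxy between the Internet and the LAN. Only the two Exchange virtual directories the poster wants to publish (/owa and /Microsoft-Server-ActiveSync) are forwarded; every other path on the CAS returns 404 at the proxy. The public hostname mail.example.com, the internal CAS hostname cas01.corp.example.com, the certificate paths and the timeout/body-size values are all assumptions for the example.

```nginx
# Added example: nginx as a layer-7 reverse proxy in front of OWA / ActiveSync.
# Assumed names: mail.example.com (public), cas01.corp.example.com (internal CAS),
# and the certificate paths below. This is not configuration from the original post.

# Redirect plain HTTP to HTTPS so credentials never travel in the clear.
server {
    listen 80;
    server_name mail.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    # Public certificate for the proxy; the CAS keeps its own internal certificate.
    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Forward only the two virtual directories being published.
    location ~ ^/(owa|Microsoft-Server-ActiveSync)(/|$) {
        # Re-encrypt to the CAS on the LAN and verify its certificate against
        # the internal CA (assumed path), so the proxy cannot be pointed at an impostor.
        proxy_pass https://cas01.corp.example.com;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/corp-ca.crt;

        # Preserve the original host and client address for the CAS logs.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # ActiveSync keeps long-lived requests open; OWA uploads attachments.
        # Values are assumed and should be tuned to the environment.
        proxy_read_timeout   1800s;
        client_max_body_size 50m;
    }

    # Everything else on the CAS stays unreachable from the Internet.
    location / {
        return 404;
    }
}
```

Because the proxy terminates TLS and re-encrypts toward the CAS, the only inbound rule needed on the LAN firewall is 443 from the proxy host to the CAS; the CAS itself never receives a packet from an Internet address.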