I'm reading through the documentation for deploying Exchange 2007, and I'm puzzled by one section. I was intending to place the Edge role on its own non-domain machine in the DMZ, and the remaining roles on another machine in the DMZ. The thought was that the edge role would only have the requisite ports open for mail delivery, and it would be able to access the backend server hosting the other roles since they are in the same network segment. The backend server would be running the CAS role (among others), providing OWA and Exchange ActiveSync through the firewall. The only ports open from the DMZ to the internal private network would be the required ports for AD auth for the backend server.
The problem comes from the fact that everything I'm reading says that the edge role should be in the DMZ as described, but that the remaining roles should not be in the DMZ, but rather in the private LAN. It goes on to say that OWA and Exchange ActiveSync should be published via ISA, or exposed directly to the internet. I don't have (or particularly want) ISA Server, and it seems counterintuitive to expose a server on the private LAN directly to the internet.
Am I misreading this? Should I just put the backend server in the DMZ as planned and be done with it?