Understanding External Access to Exchange 2010
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
This topic describes how to configure firewalls for use with a Microsoft Exchange Server 2010 Client Access server. You can use software and hardware solutions as a firewall to help secure your messaging environment. We recommend that you use an advanced firewall server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 with Exchange 2010 because these two products are designed to work together to help secure and enhance the client access experience.
Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010
When you publish Exchange for access from the Internet, Microsoft offers two software-based options: Microsoft Forefront Threat Management Gateway 2010 and Microsoft Forefront Unified Access Gateway 2010. Both options offer publishing wizards and security features to provide secure access to Exchange when it's accessed from outside the safety of the corporate network. For more information about Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010, see Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010.
ISA Server 2006 and Exchange 2010
ISA Server 2006 and Exchange 2010 coexist and provide an increased level of security for your messaging environment. When you use the New Exchange Publishing Rule Wizard to configure your ISA Server computer to allow client access, you automatically configure ISA Server settings that are required for the features in both Exchange 2010 and ISA Server 2006 to work correctly.
Earlier Versions of ISA Server and Exchange 2010
When you deploy Exchange 2010, we recommend that you upgrade any earlier versions of ISA Server that you're using. Deploying Exchange 2010 in an environment that was configured to use an earlier version of ISA Server, such as ISA Server 2004, requires changes to any ISA Server rules you configured for client access.
When you configure ISA Server 2004 or ISA Server 2000, you'll have to create new server or Web publishing rules for the Client Access servers you want your users to access. The following table describes the virtual directories to use as paths for the Web and server publishing rules you must create for client access to Exchange when you use an earlier version of ISA Server than ISA Server 2006. Make sure that you use only the paths for the client applications you plan to use. For example, if you don't plan to use Microsoft Exchange ActiveSync, you don't have to publish the Microsoft-Server-ActiveSync virtual directory.
Exchange 2010 virtual directories used as paths in ISA Server publishing rules
Path Name | Description |
---|---|
/owa | This virtual directory is used by Outlook Web App to access mailboxes on Exchange 2007 or Exchange 2010 Mailbox servers. |
/public | This virtual directory is used by Outlook Web App to access public folders for mailboxes that are located on computers running Exchange 2010, Microsoft Exchange Server 2007, Exchange Server 2003, or Exchange 2000 Server. |
/exchweb | This virtual directory is used by Outlook Web App for mailboxes on computers running Exchange 2003 or Exchange 2000. |
/ecp | This virtual directory is used by the Exchange Control Panel. |
/exchange | This virtual directory is used by Outlook Web App to access mailboxes on computers running Exchange 2003 or Exchange 2000. |
/UnifiedMessaging | This virtual directory is used for access to Unified Messaging. |
/Microsoft-Server-ActiveSync | This virtual directory is used by ActiveSync in Exchange 2007 or Exchange 2010. |
/EWS | This virtual directory is used for Exchange Web Services. |
/Autodiscover | This virtual directory is used by the Autodiscover service for the Exchange ActiveSync and Outlook clients. |
/rpc | This virtual directory is used by the Outlook Anywhere feature in Outlook 2007 or Exchange 2010. |
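The following is an added example, not part of the original topic or any Microsoft tooling. It audits the path list of a publishing rule against the client applications you actually plan to use, using the virtual directories from the table above. The feature keys, the sample rule, and the assumption that rule paths were exported as text in the form `/owa/*` are hypothetical.

```python
# Added example: feature keys and the sample rule below are constructed.
# Virtual directory names are taken from the table in this topic.
FEATURE_PATHS = {
    "owa": ["/owa"],
    "owa_public_folders": ["/public"],
    "owa_legacy_mailboxes": ["/exchweb", "/exchange"],  # Exchange 2003/2000 mailboxes
    "ecp": ["/ecp"],
    "unified_messaging": ["/UnifiedMessaging"],
    "activesync": ["/Microsoft-Server-ActiveSync"],
    "ews": ["/EWS"],
    "autodiscover": ["/Autodiscover"],
    "outlook_anywhere": ["/rpc"],
}

def normalize(path):
    """Compare paths case-insensitively and without a trailing '/*' or '/'."""
    p = path.strip().lower()
    if p.endswith("/*"):
        p = p[:-2]
    return p.rstrip("/") or "/"

def required_paths(features):
    """Return the set of virtual directories the chosen features need."""
    unknown = sorted(set(features) - FEATURE_PATHS.keys())
    if unknown:
        raise ValueError("unknown feature(s): " + ", ".join(unknown))
    return {normalize(p) for f in features for p in FEATURE_PATHS[f]}

def audit_rule(published, features):
    """Report paths published without need and needed paths not published."""
    need = required_paths(features)
    have = {normalize(p) for p in published}
    return {
        "unneeded": sorted(have - need),   # extra exposure: remove from the rule
        "missing": sorted(need - have),    # clients for these features will fail
        "publishes_root": "/" in have,     # '/*' exposes every virtual directory
    }

# Constructed sample: paths exported from a hypothetical publishing rule.
SAMPLE_PUBLISHED = ["/owa/*", "/ecp/*", "/Microsoft-Server-ActiveSync/*",
                    "/exchange/*", "/EWS/*"]
SAMPLE_FEATURES = ["owa", "ecp", "ews", "autodiscover"]

if __name__ == "__main__":
    for key, value in audit_rule(SAMPLE_PUBLISHED, SAMPLE_FEATURES).items():
        print(key, value)
```
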
© 2010 Microsoft Corporation. All rights reserved.