
Assistance with correct configuration

Hello,

I need a bit of clarification regarding the setup I would like to accomplish.
My setup:
TMG 2010 with 2 NICs with the latest SPs and patches
Exchange 2007 server - legacy.company.com (CAS only) - latest SP and rollups.
Exchange 2013 server - webmail.company.com (CAS+MBX) - CU2
Symantec Enterprise Vault server - evault.company.com (IIS) - Up to date with latest SP for OS and latest patches for eVault.
Certificates available for each FQDN along with wildcard cert that has been acquired for this and other purposes.
In front of the environment there's a firewall with 3 external IPs defined, each routed to one of the servers listed above.

We're trying to achieve the following goals:
1. Reduce, as much as possible, the usage of external IPs, ideally to a single one, as in this particular case the external IPs are extremely expensive.
2. Route all the incoming traffic through the TMG 2010 server for all 3 "web servers" (OWA on both Exchanges and IIS on eVault).

So, is it possible to have a single listener on the TMG accept the incoming HTTPS traffic on the DMZ interface (TMG will be used for EXTERNAL access only) and route it appropriately to the required server based on the destination?

In order to provide more clarification, here's the scenario for the user access that I would like to have.

Current setup:
1. User outside of the organization, opens a browser and types: https://webmail.company.com/owa
2. He gets an Exchange 2013 OWA logon page.
3. User puts in the credentials and accesses the mailbox on Exchange 2013.
4. User clicks on the link within an old email, that has its attachment archived.
5. A new browser window opens up and redirects the user to the eVault server, something like this: https://internalfqdn.company.loc/enterprisevault/blah.blah.blah (this link I would like to be able to replace with https://evault.company.com/enterprisevault/blah.blah.blah)
6. In case the user's mailbox is located on Exchange 2007, the user is redirected to https://legacy.company.com/exchange.

Currently, the described functionality works properly from the internal network.

What I would like to be able to do, if possible:
1. Have a single IP for the following FQDNs: legacy.company.com, webmail.company.com, evault.company.com
2. TMG capable of routing the incoming request based on the FQDN, e.g. legacy.company.com -> internal IP of the Exchange 2007 server, webmail.company.com -> internal IP of the Exchange 2013 server, evault.company.com -> internal IP of the Enterprise Vault server.
3. TMG to replace, on the fly, the URL internalfqdn.company.loc with evault.company.com.

Please note, the zone company.com is also available from inside the organization (split DNS).

Thank you for reading this lengthy post.

Memento Mori
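The three checks a single shared listener has to get right, as an added example that is not part of the original post and not TMG code: whether the one certificate bound to the listener covers every published name (a wildcard only covers one label), which internal backend a request's Host header selects (anything else is refused), and rewriting the internal eVault FQDN in responses so it never reaches external clients. The backend addresses are placeholders I assumed.

```python
"""Model of one HTTPS listener publishing several FQDNs (constructed example)."""
import re
from typing import List, Optional

# Published hostname -> internal backend (placeholder RFC 1918 addresses, assumed).
ROUTES = {
    "webmail.company.com": "https://10.0.0.13",   # Exchange 2013 CAS+MBX
    "legacy.company.com": "https://10.0.0.7",     # Exchange 2007 CAS
    "evault.company.com": "https://10.0.0.20",    # Enterprise Vault IIS
}

# Internal name that must not leak to external clients -> published name.
LINK_TRANSLATION = {"internalfqdn.company.loc": "evault.company.com"}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # e.g. ".company.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(san_names: List[str], published: List[str]) -> List[str]:
    """Return the published names the listener certificate does NOT cover."""
    return [h for h in published
            if not any(name_matches(p, h) for p in san_names)]


def route(host_header: str) -> Optional[str]:
    """Pick the backend for a request by Host header; unknown hosts get None."""
    host = host_header.split(":")[0].lower()  # drop an explicit port
    return ROUTES.get(host)


def translate_links(body: str) -> str:
    """Rewrite internal FQDNs in a response body to their published names."""
    for internal, public in LINK_TRANSLATION.items():
        body = re.sub(re.escape(internal), public, body, flags=re.IGNORECASE)
    return body


if __name__ == "__main__":
    print("uncovered:", cert_covers(["*.company.com"], list(ROUTES)))
    print("backend:", route("webmail.company.com:443"))
    print(translate_links("https://internalfqdn.company.loc/enterprisevault/x"))
```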

