Secure access to Exchange

Placing an Exchange Front-end server in the DMZ does nothing to increase security.

This configuration increases complexity and opens many holes through your firewall. How many of those firewalls are inspecting that traffic? An Exchange Front-end server should be implemented for performance and to serve OWA in multiple mailbox (back-end) server configurations. The best solution for offering secure remote access to Exchange Server is via ISA Server, whether this is the edge-firewall or as a bastion host in the DMZ.

This presentation by Steve Riley is an excellent resource for explaining why ISA Server offers the best protection for access to Exchange. Everyone involved in deploying or administering Exchange should read it.