And a follow-up…
So I was the individual who wrote up this question initially and I do have some followup questions. I read about the MS recommendation of deploying in ISA server along with the CAS server to provide the necessary security – but I guess I was looking for a different solution that didn’t involve deploying a horrible Microsoft product to solve their forced insecure architectural problem.
Does Halock currently use a reverse proxy server for their CAS server? I doubt it. In fact, I know almost no companies that do this.
So it seems to me like people have just decided to ignore PCI for this particular issue that MS has created.. If the only solution Microsoft offers to be compliant with PCI while still allowing an architecturally blessed email system is to install their horrible designed firewall product I am not sure what to say…
Well, the idea is to use a reverse proxy to keep the CAS from being exposed to the Internet. That doesn’t mean you need to use ISA Server. Of course, that’s what Microsoft will talk about, but any reverse proxy will do. At Halock, we have a policy of never disclosing details about our own internal infrastructure design, but I will say that a popular approach is to use a Web Application Firewall (a Layer-7 firewall) to handle the pre-authentication and proxy functionality. There’s often no need to deploy a separate proxy server.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services