Hi.
First of all, placing the TS in the DMZ is quite risky if, as you are planning, you will be able to access the inside network from the TS.
I think that a better design would be to control access to the TS server using VPN (either terminating at the pix or at the server itself. Terminating at the pix seems better to me).
The possible problem in your design is that if an attacker gains access to the TS, they can then easily access your whole internal network via the PPTP connection.
Consider the following design - but you should remember that VPN is also a door for attackers:
* TS is still in DMZ, and Exchange is still "inside" as it is now (of course placing the mail server in DMZ is better if applicable).
* You configure the pix to terminate the VPN tunnels - better with IPSEC+RADIUS but if not then using PPTP.
* The pix configuration will allow VPN clients access ONLY to port 3389 to the TS.
* You allow access from TS to internal Exchange server using only a specific protocol. I suggest using IMAP with Outlook Express client. This is good for email but not for calendar. If you need calendar then you can use OWA via HTTP, accessible only to "inside" and "DMZ".
* There are many other options, like direct OWA or IMAP or POP3 access via the VPN tunnel. Each solution is different in its complexity, risks, usefulness for the end user and other factors.
Relating to your specific questions:
You will need a "static (inside,dmz) ..." command to allow the TS in the DMZ to access the Exchange server in the "inside", using PPTP or any other protocol.
And no, VPDN does not need to be enabled on the DMZ interface. It should only be enabled on the outside interface for PPTP tunnels ENDING at the pix itself.
Oh, and I see that you're going to use TSAC, so you probably have IIS on the TS, right? This is of course an additional major risk by itself. You did patch it with the latest SRP, right?
Bye
Yizhar Hurwitz
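The design outlined in the reply above (PPTP terminated on the pix outside interface, VPN clients limited to RDP on the TS, the TS limited to IMAP and OWA on the inside Exchange server), written out as a PIX 6.x configuration fragment. This is an added example, not part of the original post; every address, pool and name in it is an assumed placeholder, and the exact command syntax is from memory of PIX 6.x and should be checked against the PIX software version actually in use.

```text
! Assumed placeholder addressing (not from the original post):
!   dmz network 192.168.10.0/24, TS at 192.168.10.5
!   inside network 10.0.0.0/24, Exchange at 10.0.0.10
!   PPTP client pool 192.168.100.1-192.168.100.50

! --- PPTP tunnels end on the pix itself, so VPDN is enabled on outside only ---
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpdn group pptp-clients accept dialin pptp
vpdn group pptp-clients ppp authentication mschap
vpdn group pptp-clients ppp encryption mppe 128 required
vpdn group pptp-clients client configuration address local vpnpool
! assumed: a RADIUS server group named "radius-srv" already defined with aaa-server
vpdn group pptp-clients client authentication aaa radius-srv
vpdn enable outside

! --- VPN clients may reach ONLY port 3389 on the TS in the DMZ ---
! (assumes "sysopt connection permit-pptp" is NOT set, so decrypted
!  client traffic is still filtered by the outside access list)
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 192.168.10.5 eq 3389
access-list outside_in deny ip any any
access-group outside_in in interface outside

! --- the static (inside,dmz) that lets the TS address the inside Exchange server ---
static (inside,dmz) 10.0.0.10 10.0.0.10 netmask 255.255.255.255

! --- from the TS, allow only IMAP (mail) and HTTP for OWA (calendar) to Exchange ---
access-list dmz_to_inside permit tcp host 192.168.10.5 host 10.0.0.10 eq 143
access-list dmz_to_inside permit tcp host 192.168.10.5 host 10.0.0.10 eq 80
access-list dmz_to_inside deny ip any any
access-group dmz_to_inside in interface dmz
```

Note that the deny lines are explicit only for readability; an access-group on the dmz interface already drops anything the list does not permit, which is what keeps a compromised TS from reaching the rest of the inside network over PPTP or anything else.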