?
Solved

QWA Webserver

Posted on 2004-09-28
6
Medium Priority
?
404 Views
Last Modified: 2012-06-21
I'm setting up exchange2003 in windows 2003 domain for 150 mailboxes. I have just been told I can't purchase the second exchange server license/hardware for the front end server. My original plan was frontend server for owa/ssl. Question: Can I run the OWA/SSL on my existing webserver? This windows server 2003 webserver sits in dmz and does not belong to domain.

Donnie
0
Comment
Question by:Donnie4572
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12172306
OWA for Exchange 2003 must run on a member of the domain and it must be a full Exchange server. Therefore you will have to open port 443 to your backend Exchange server.
This is the way I do it for all of my clients - no one has given me a good reason to put an Exchange server in the DMZ. One Exchange MVP actually states that "There are no valid reasons for OWA/Exchange to be in the DMZ."

Simon.
0
 
LVL 12

Author Comment

by:Donnie4572
ID: 12172931
Thanks for reply. I'm new to exchange and need it to be as secure as possible.
So if the front end server is not in dmz then it's purpose is not security? What is the purpose of it being there? Why not just open 443 from internet to exchange?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12173064
A lot of people are under the illusion that putting all public facing services in the DMZ is the most secure option.
If the service is standalone then this is the case. However if the machine is a member of the domain then its best place is inside the firewall. To get a domain member to talk to the domain correctly requires a large number of holes being punched through the firewall and registry changes made to stop Exchange communicating on dynamic ports. This actually reduces the security of the inside network. An attacker gets in to the system in the DMZ then he can walk straight in to your production network from that compromised system.

My preference is to open just 2 ports for an Exchange system. 25 (SMTP) and 443 (HTTPS). I can monitor and control the traffic on these ports as required.

There are two main reasons for providing a frontend server, not one of them down to security.
1. If you have mutiple backend servers then the frontend sits in front of them, providing both OWA and SMTP with a single point of entry.
2. To take the load off the backend servers for OWA processing. With use of RPC/HTTP increasing the frontend server can be deployed to make use of that much easier.
With only 150 users, unless you have a very high number of remote users, using OWA and/or RPC/HTTP then a frontend server is overkill.

Simon.
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 12

Author Comment

by:Donnie4572
ID: 12173661
Yes we have a high number of remote users. Are you saying that a front end server in the dmz creates unsecure enviornment? could you tell me if there are any problems hosting other sites on the iis server with exchange/owa?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 12173807
There is no problem, other than security concerns - locking down a server for public access can break OWA.

For that reason I wouldn't like to host a public web site on the same machine as OWA. I usually push the public web site out to a host who has more bandwidth than you - unless it needs access to internal services (ecommerce db for example).

However I have put externally facing internal web sites on the same server, usually also contained within a secure site.

Simon.
0
 
LVL 12

Author Comment

by:Donnie4572
ID: 12173836
Thanks Simon, you have beenlots of help.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question