Solved

OWA Webserver

Posted on 2004-09-28
Last Modified: 2012-06-21
I'm setting up Exchange 2003 in a Windows 2003 domain for 150 mailboxes. I have just been told I can't purchase the second Exchange server license/hardware for the front end server. My original plan was a front end server for OWA/SSL. Question: Can I run the OWA/SSL on my existing webserver? This Windows Server 2003 webserver sits in the DMZ and does not belong to the domain.

Donnie
Question by:Donnie4572
6 Comments
Expert Comment by: Sembee
OWA for Exchange 2003 must run on a member of the domain and it must be a full Exchange server. Therefore you will have to open port 443 to your backend Exchange server.
This is the way I do it for all of my clients - no one has given me a good reason to put an Exchange server in the DMZ. One Exchange MVP actually states that "There are no valid reasons for OWA/Exchange to be in the DMZ."

Simon.
Author Comment by: Donnie4572
Thanks for the reply. I'm new to Exchange and need it to be as secure as possible.
So if the front end server is not in the DMZ then its purpose is not security? What is the purpose of it being there? Why not just open 443 from the internet to Exchange?
Expert Comment by: Sembee
A lot of people are under the illusion that putting all public facing services in the DMZ is the most secure option.
If the service is standalone then this is the case. However, if the machine is a member of the domain then its best place is inside the firewall. To get a domain member to talk to the domain correctly requires a large number of holes being punched through the firewall and registry changes made to stop Exchange communicating on dynamic ports. This actually reduces the security of the inside network. If an attacker gets into the system in the DMZ then he can walk straight into your production network from that compromised system.

My preference is to open just 2 ports for an Exchange system. 25 (SMTP) and 443 (HTTPS). I can monitor and control the traffic on these ports as required.

There are two main reasons for providing a front end server, not one of them down to security.
1. If you have multiple back end servers then the front end sits in front of them, providing both OWA and SMTP with a single point of entry.
2. To take the load off the back end servers for OWA processing. With use of RPC/HTTP increasing, the front end server can be deployed to make use of that much easier.
With only 150 users, unless you have a very high number of remote users using OWA and/or RPC/HTTP, then a front end server is overkill.

Simon.
Author Comment by: Donnie4572
Yes, we have a high number of remote users. Are you saying that a front end server in the DMZ creates an insecure environment? Could you tell me if there are any problems hosting other sites on the IIS server with Exchange/OWA?
Accepted Solution by: Sembee (earned 250 total points)
There is no problem, other than security concerns - locking down a server for public access can break OWA.

For that reason I wouldn't like to host a public web site on the same machine as OWA. I usually push the public web site out to a host who has more bandwidth than you - unless it needs access to internal services (ecommerce db for example).

However I have put externally facing internal web sites on the same server, usually also contained within a secure site.

Simon.
Author Comment by: Donnie4572
Thanks Simon, you have been lots of help.