Solved

OWA Webserver

Posted on 2004-09-28
Last Modified: 2012-06-21
I'm setting up Exchange 2003 in a Windows 2003 domain for 150 mailboxes. I have just been told I can't purchase the second Exchange server license/hardware for the front-end server. My original plan was a front-end server for OWA/SSL. Question: Can I run the OWA/SSL on my existing webserver? This Windows Server 2003 webserver sits in the DMZ and does not belong to the domain.

Donnie
Question by:Donnie4572
6 Comments
 

Expert Comment

by:Sembee
ID: 12172306
OWA for Exchange 2003 must run on a member of the domain and it must be a full Exchange server. Therefore you will have to open port 443 to your backend Exchange server.
This is the way I do it for all of my clients - no one has given me a good reason to put an Exchange server in the DMZ. One Exchange MVP actually states that "There are no valid reasons for OWA/Exchange to be in the DMZ."

Simon.

Author Comment

by:Donnie4572
ID: 12172931
Thanks for the reply. I'm new to Exchange and need it to be as secure as possible.
So if the front-end server is not in the DMZ then its purpose is not security? What is the purpose of it being there? Why not just open 443 from the internet to Exchange?

Expert Comment

by:Sembee
ID: 12173064
A lot of people are under the illusion that putting all public facing services in the DMZ is the most secure option.
If the service is standalone then this is the case. However, if the machine is a member of the domain then its best place is inside the firewall. To get a domain member to talk to the domain correctly requires a large number of holes being punched through the firewall and registry changes made to stop Exchange communicating on dynamic ports. This actually reduces the security of the inside network. If an attacker gets into the system in the DMZ, then he can walk straight into your production network from that compromised system.

My preference is to open just 2 ports for an Exchange system. 25 (SMTP) and 443 (HTTPS). I can monitor and control the traffic on these ports as required.

There are two main reasons for providing a frontend server, not one of them down to security.
1. If you have multiple backend servers then the frontend sits in front of them, providing both OWA and SMTP with a single point of entry.
2. To take the load off the backend servers for OWA processing. With use of RPC/HTTP increasing the frontend server can be deployed to make use of that much easier.
With only 150 users, unless you have a very high number of remote users, using OWA and/or RPC/HTTP then a frontend server is overkill.

Simon.
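
The trade-off described in the answer above can be checked against a firewall rule set. This is an added example, not part of the original post: it counts the ports opened into the internal zone and flags every DMZ-to-internal rule. The rule format, zone names and both rule sets are constructed, and the domain-member ports are typical values assumed here.

```python
# Added example. Rule sets are constructed; the rule format is hypothetical.
ALLOWED_INBOUND = {("tcp", 25), ("tcp", 443)}  # SMTP and HTTPS, as in the post

# Front end as a domain member in the DMZ. Ports are typical AD member
# traffic (an assumption, not listed in the thread).
DMZ_FRONTEND = """\
allow internet dmz tcp 25
allow internet dmz tcp 443
allow dmz internal tcp 53         # DNS
allow dmz internal udp 53         # DNS
allow dmz internal tcp 88         # Kerberos
allow dmz internal tcp 135        # RPC endpoint mapper
allow dmz internal tcp 389        # LDAP
allow dmz internal tcp 445        # SMB
allow dmz internal tcp 1025-5000  # dynamic RPC when not pinned in the registry
"""

# Exchange inside the firewall with only two ports published.
PUBLISHED = """\
allow internet internal tcp 25
allow internet internal tcp 443
"""

def parse(text):
    """Yield (action, src, dst, proto, low_port, high_port) per rule line."""
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            action, src, dst, proto, ports = line.split()
            lo, _, hi = ports.partition("-")
            yield action, src, dst, proto, int(lo), int(hi or lo)

def audit(text):
    """Return (ports open into the internal zone, list of findings)."""
    exposed, findings = 0, []
    for action, src, dst, proto, lo, hi in parse(text):
        if action != "allow" or dst != "internal":
            continue
        exposed += hi - lo + 1
        label = f"{src}->internal {proto}/{lo}" + (f"-{hi}" if hi > lo else "")
        if src == "dmz":
            findings.append(f"pivot path: {label}")
        elif hi > lo or (proto, lo) not in ALLOWED_INBOUND:
            findings.append(f"unexpected inbound: {label}")
    return exposed, findings

if __name__ == "__main__":
    for name, rules in (("DMZ front end", DMZ_FRONTEND), ("published", PUBLISHED)):
        print(name, audit(rules))
```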

Author Comment

by:Donnie4572
ID: 12173661
Yes, we have a high number of remote users. Are you saying that a front-end server in the DMZ creates an unsecure environment? Could you tell me if there are any problems hosting other sites on the IIS server with Exchange/OWA?

Accepted Solution

by:
Sembee earned 250 total points
ID: 12173807
There is no problem, other than security concerns - locking down a server for public access can break OWA.

For that reason I wouldn't like to host a public web site on the same machine as OWA. I usually push the public web site out to a host who has more bandwidth than you - unless it needs access to internal services (ecommerce db for example).

However I have put externally facing internal web sites on the same server, usually also contained within a secure site.

Simon.

Author Comment

by:Donnie4572
ID: 12173836
Thanks Simon, you have been lots of help.