Solved

OWA Webserver

Posted on 2004-09-28
Last Modified: 2012-06-21
I'm setting up Exchange 2003 in a Windows 2003 domain for 150 mailboxes. I have just been told I can't purchase the second Exchange server license/hardware for the front end server. My original plan was a frontend server for OWA/SSL. Question: Can I run the OWA/SSL on my existing webserver? This Windows Server 2003 webserver sits in the DMZ and does not belong to the domain.

Donnie
Question by:Donnie4572
6 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12172306
OWA for Exchange 2003 must run on a member of the domain and it must be a full Exchange server. Therefore you will have to open port 443 to your backend Exchange server.
This is the way I do it for all of my clients - no one has given me a good reason to put an Exchange server in the DMZ. One Exchange MVP actually states that "There are no valid reasons for OWA/Exchange to be in the DMZ."

Simon.
0
 
LVL 12

Author Comment

by:Donnie4572
ID: 12172931
Thanks for the reply. I'm new to Exchange and need it to be as secure as possible.
So if the front end server is not in the DMZ then its purpose is not security? What is the purpose of it being there? Why not just open 443 from the internet to Exchange?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12173064
A lot of people are under the illusion that putting all public facing services in the DMZ is the most secure option.
If the service is standalone then this is the case. However if the machine is a member of the domain then its best place is inside the firewall. To get a domain member to talk to the domain correctly requires a large number of holes being punched through the firewall and registry changes made to stop Exchange communicating on dynamic ports. This actually reduces the security of the inside network. An attacker gets in to the system in the DMZ then he can walk straight in to your production network from that compromised system.

My preference is to open just 2 ports for an Exchange system. 25 (SMTP) and 443 (HTTPS). I can monitor and control the traffic on these ports as required.

There are two main reasons for providing a frontend server, not one of them down to security.
1. If you have multiple backend servers then the frontend sits in front of them, providing both OWA and SMTP with a single point of entry.
2. To take the load off the backend servers for OWA processing. With use of RPC/HTTP increasing the frontend server can be deployed to make use of that much easier.
With only 150 users, unless you have a very high number of remote users, using OWA and/or RPC/HTTP then a frontend server is overkill.

Simon.
0
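
The two-port policy described in the comment above, as an added example that is not part of the original thread: a short Python audit of a firewall rule export that flags anything reaching the inside network other than TCP 25 and 443 from the internet to the Exchange server, and reports every DMZ-to-inside hole with the number of ports it opens. The addresses, zone names, rule names and the rule tuple format are all assumptions made up for illustration.

```python
import ipaddress

# Assumed addressing for illustration; none of these values come from the thread.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # inside network
EXCHANGE = ipaddress.ip_network("10.0.0.20/32")      # Exchange server hosting OWA
INTERNET_ALLOWED = {25, 443}                         # SMTP and HTTPS, per the post

# Constructed rule export: (name, source zone, destination, protocol, port or range)
RULES = [
    ("smtp-in",    "internet", "10.0.0.20",   "tcp", "25"),
    ("owa-https",  "internet", "10.0.0.20",   "tcp", "443"),
    ("owa-http",   "internet", "10.0.0.20",   "tcp", "80"),
    ("fe-ldap",    "dmz",      "10.0.0.10",   "tcp", "389"),
    ("fe-rpc-dyn", "dmz",      "10.0.0.0/24", "tcp", "1024-65535"),
    ("public-web", "internet", "192.0.2.80",  "tcp", "80"),
]

def port_range(spec):
    """Parse '443' or '1024-65535' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def audit(rules):
    """Return (rule name, finding) for every rule that opens the inside network
    beyond TCP 25/443 from the internet to the Exchange server."""
    findings = []
    for name, zone, dst, proto, ports in rules:
        dst_net = ipaddress.ip_network(dst, strict=False)
        if not dst_net.overlaps(INTERNAL_NET):
            continue  # traffic never reaches the inside network
        low, high = port_range(ports)
        if zone == "dmz":
            findings.append((name, f"DMZ-to-inside hole, {high - low + 1} port(s)"))
        elif dst_net != EXCHANGE:
            findings.append((name, "internet rule reaches a host other than Exchange"))
        elif proto != "tcp" or low != high or low not in INTERNET_ALLOWED:
            findings.append((name, f"port {ports}/{proto} is not 25 or 443"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```
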
 
LVL 12

Author Comment

by:Donnie4572
ID: 12173661
Yes, we have a high number of remote users. Are you saying that a front end server in the DMZ creates an unsecure environment? Could you tell me if there are any problems hosting other sites on the IIS server with Exchange/OWA?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 12173807
There is no problem, other than security concerns - locking down a server for public access can break OWA.

For that reason I wouldn't like to host a public web site on the same machine as OWA. I usually push the public web site out to a host who has more bandwidth than you - unless it needs access to internal services (ecommerce db for example).

However I have put externally facing internal web sites on the same server, usually also contained within a secure site.

Simon.
0
 
LVL 12

Author Comment

by:Donnie4572
ID: 12173836
Thanks Simon, you have been lots of help.
0
