Solved

QWA Webserver

Posted on 2004-09-28
6
400 Views
Last Modified: 2012-06-21
I'm setting up exchange2003 in windows 2003 domain for 150 mailboxes. I have just been told I can't purchase the second exchange server license/hardware for the front end server. My original plan was frontend server for owa/ssl. Question: Can I run the OWA/SSL on my existing webserver? This windows server 2003 webserver sits in dmz and does not belong to domain.

Donnie
0
Comment
Question by:Donnie4572
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12172306
OWA for Exchange 2003 must run on a member of the domain and it must be a full Exchange server. Therefore you will have to open port 443 to your backend Exchange server.
This is the way I do it for all of my clients - no one has given me a good reason to put an Exchange server in the DMZ. One Exchange MVP actually states that "There are no valid reasons for OWA/Exchange to be in the DMZ."

Simon.
0
 
LVL 12

Author Comment

by:Donnie4572
ID: 12172931
Thanks for reply. I'm new to exchange and need it to be as secure as possible.
So if the front end server is not in dmz then it's purpose is not security? What is the purpose of it being there? Why not just open 443 from internet to exchange?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12173064
A lot of people are under the illusion that putting all public facing services in the DMZ is the most secure option.
If the service is standalone then this is the case. However if the machine is a member of the domain then its best place is inside the firewall. To get a domain member to talk to the domain correctly requires a large number of holes being punched through the firewall and registry changes made to stop Exchange communicating on dynamic ports. This actually reduces the security of the inside network. An attacker gets in to the system in the DMZ then he can walk straight in to your production network from that compromised system.

My preference is to open just 2 ports for an Exchange system. 25 (SMTP) and 443 (HTTPS). I can monitor and control the traffic on these ports as required.

There are two main reasons for providing a frontend server, not one of them down to security.
1. If you have mutiple backend servers then the frontend sits in front of them, providing both OWA and SMTP with a single point of entry.
2. To take the load off the backend servers for OWA processing. With use of RPC/HTTP increasing the frontend server can be deployed to make use of that much easier.
With only 150 users, unless you have a very high number of remote users, using OWA and/or RPC/HTTP then a frontend server is overkill.

Simon.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 12

Author Comment

by:Donnie4572
ID: 12173661
Yes we have a high number of remote users. Are you saying that a front end server in the dmz creates unsecure enviornment? could you tell me if there are any problems hosting other sites on the iis server with exchange/owa?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 12173807
There is no problem, other than security concerns - locking down a server for public access can break OWA.

For that reason I wouldn't like to host a public web site on the same machine as OWA. I usually push the public web site out to a host who has more bandwidth than you - unless it needs access to internal services (ecommerce db for example).

However I have put externally facing internal web sites on the same server, usually also contained within a secure site.

Simon.
0
 
LVL 12

Author Comment

by:Donnie4572
ID: 12173836
Thanks Simon, you have beenlots of help.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question