• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 191

Searching for user addresses using LDAP in exchange 2003 Front-End/Back-End Architecture

Hi
As the topic suggests, I have a Front-End/Back-End architecture with Exchange 2003, the FE being in the DMZ area. The problem is that our users using Outlook outside of our corporate LAN are unable to search e-mail addresses. I don't want to export the Global Address List and import it on every user's machine, so I want them to be able to search using LDAP. I wonder how the Outlook configuration should look. I added a Directory Service in Outlook and used my FE server as the LDAP server, with a Search Base like "dc=x,dc=y,dc=z", as our domain is x.y.z.
Any help is highly appreciated.
Asked:
beluga_u
2 Solutions
 
aa230002Commented:
Front-end is not recommended in DMZ, any machine which is a member of the domain is never recommended to be in DMZ as you will have to open all ports on your internal firewall for your front-end server to communicate with Back-end Exchange server and DCs and GCs.

Please have a look at this article from Sembee -->

http://www.sembee.co.uk/archive/2006/02/23/3.aspx

Thanks,
Amit Aggarwal.
 
xqsCommented:
It's not necessarily true that you have to open all ports on your internal firewall, but it takes an awful lot of tuning to configure it correctly and it's not recommended indeed. The point here is that you're trying to fix something that should work differently. The fix that you're trying to implement isn't really secure either. I would not want my company's address book available on the internet like that!
Try looking at a more secure and reliable environment and implement Exchange the way it is intended to be run. You might want to look into running ISA and configuring RPC over HTTP, which will support address book searches etc.
www.isaserver.org has some pretty good examples that will help you architect a more secure and reliable solution for your company.
 
icky2000Commented:
It is worth pointing out here that there is a lot of debate about whether or not FE servers should be inside or outside the firewall. When they sit outside, you have to open more ports than you would prefer on your firewall. However, some admins think of the DMZ as a true barrier and don't want even things like SMTP or HTTP going through the firewall. Intelligent admins will disagree on this one. Personally, I agree with Amit.

Since your FE is already outside the firewall, why not use RPC over HTTPS and let your users connect with a MAPI connection that includes access to the GAL without a special configuration?

Finally, note that your FE server cannot be an LDAP server for your clients unless it is also at least an AD Global Catalog server and if it is, it really, really shouldn't be sitting in your DMZ.
 
beluga_uAuthor Commented:
icky, what do you mean by the MAPI connection? Do you mean OWA?
 
aa230002Commented:
MAPI connection means Microsoft Outlook, connecting to Exchange on HTTP or HTTPS for RPC requests. In Exchange server 2003, you can tunnel all your RPC traffic coming from Microsoft Outlook (MAPI) client to HTTP.
Here is more info on this -->

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/91dc76e8-e60f-4f95-a32f-d4de63b263ac.mspx?mfr=true

Thanks,
Amit Aggarwal.
 
beluga_uAuthor Commented:
aa,
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/1bdd45cc-e141-4901-a686-ec2e6482217b.mspx?mfr=true

This link helps me more with my scenario. Yeah, tunneling RPC traffic via HTTP or HTTPS is fine, but I still wonder if my users are going to be able to search the GAL (Global Address List)? Another question is this: will users who used to connect to my front-end server using an Outlook POP3 connection have to change their Outlook configurations after configuring RPC over HTTP? And the last one: how should the Outlook configuration look for users trying to connect through the internet? When adding new e-mail accounts in new profiles, what server type should they choose (Microsoft Exchange Server or POP3) after configuring the servers to use RPC over HTTP?
Thanks in advance
 
icky2000Commented:
If you use RPC over HTTP/HTTPS, they will see the GAL automatically, no special configuration required. Yes, the POP3 people will have to reconfigure their Outlook. They would choose Exchange Server in that configuration, not POP3.
