Solved

Moving to Exchange 2k3 and Need some help

Posted on 2006-06-13
Last Modified: 2010-03-06
I currently have Exchange 2000, but am in the process of moving to Exchange 2k3. My current setup is as follows:

In DMZ I have a Linux box accepting my mail and forwarding into my internal network to Exchange. Then Exchange sends out of a different IP address (than the Linux box). I am not really sure why it is set up this way but when I got here that is what was working.

I want to add a FE Exchange 2003 server and upgrade my current Exchange 2000 box to 2003. I have read the MS technotes, but I wanted to see if anyone had any tips, tricks or ideas to get this done. As of right now I am thinking about leaving the incoming mail so that it comes from the Linux box (not broke don't fix it) and then add a FE to my DMZ so users can use OWA and OMA. I have gone back and forth with the idea of using MS ISA 2004 but have never used it and really don't understand what it is going to do different from my current firewall. Any help would be greatly appreciated.

Thanks,
JP

Question by:vtjp1
11 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 16898376
Exchange in a DMZ? Bad idea. Go and read my blog for reasons why: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

Someone is a little paranoid about security. How confident are you about using Linux? If not, then dump the Linux box and use the ISA machine in the DMZ. Or simplify matters and have everything coming in direct.

Despite what some might say, I don't consider ISA to be a firewall. It is a proxy device. It can sit in the DMZ and act as a go-between for the Exchange server and the Internet. I don't deploy an ISA very often; most clients don't need the added complexity. Usually everything hits the Exchange server on production direct.
The few times I have deployed ISA it has been for a finance company who have more security staff than IT.

Either way, that kind of deployment will not affect how your Exchange upgrade is done. If you do a swing migration then you can do it step by step without affecting the users. Email comes in to any Exchange server in the Exchange org and Exchange will route the email to the correct server.

Simon.
0
 
LVL 5

Expert Comment

by:Amitspeedstar
ID: 16903176

Regarding the upgrading of Exchange 2000 to 2003, follow the article below on TechNet.

http://support.microsoft.com/kb/327304/en-us

Now as for your other problem: if you want to use Exchange as a FE, then install another Exchange 2003 server and do not configure any mailboxes and recipient policies on it; after this, promote the server to a FE. You should know how to do it.

Regarding the firewall, it is advisable to use ISA Server 2004 with your Exchange FE and create a DMZ so that users who use OWA and OMA will hit the FE and not your BE, on which the mailboxes and data are.

For using ISA 2004 with Exchange 2003, follow the article below.

http://support.microsoft.com/kb/837354/en-us

This article contains links to various documents that can help you to use ISA 2004 in different scenarios and configurations. Or what you can do is go to the ISA Server home page on the Microsoft website and you will find more details regarding this.

I hope this will solve your problem, as after you configure ISA you no longer need the Linux box any more.


Amit.
0
 

Author Comment

by:vtjp1
ID: 16903814
Sembee,
I read your blog and had a couple of questions.
1. If I only have one BE server there is really no reason to have the front end server, is there? If so, why?
2. Can I load ISA 2004 onto a server that I currently have running in the DMZ? The server I am talking about only runs one webpage that is very static and really does nothing.

Thanks
JP
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16907562
There are two main reasons for deploying a frontend server.

1. Load - if you have heavy remote use then a frontend can take load off the backend server.
2. Single point of entry. If you have multiple backend servers then a frontend provides a single point for OWA, SMTP traffic etc to come in.

If you already have a server in the DMZ which is not a member of the domain and is basically doing nothing, then it sounds like an ideal candidate for ISA.

Simon.
0
 

Author Comment

by:vtjp1
ID: 16911179
Sembee, you have been great. One last thing.
If I don't use ISA will the BE have to do the processing of the SSL load? I am just trying to not have to pay for extra licenses and hardware. I only have one BE so I was thinking ISA in the DMZ with Exchange 2003 BE in the internal network. But I want to make sure ISA would take the load of the SSL before I went forward with that design.

JP
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16912146
How many users are there?
How many are remote?

It might be one of those things where you try using the backend for everything, then introduce a frontend and/or an ISA server if it is too much. It is very easy to slot either in without causing the users too much hassle. Make sure that you use a commercial certificate that can be easily moved around, and use a generic name for the SSL certificate. Instead of servername.domain.com use owa.domain.com or mail.domain.com so that it is a simple DNS tweak to move the name to another machine.

Simon.
0
 

Author Comment

by:vtjp1
ID: 16912272
Sembee,
Thanks, you have been great. I have about 100 users and about 30 of them will be accessing remotely. I was going to use ISA and just a Backend server. Do you know if the ISA server would handle the SSL processes or would the BE in that setup? I am just worried about putting the extra stress on the BE.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 16913648
That is peanuts.

I wouldn't bother with offloading SSL on that sort of load. I have sites with 100 users on SSL going straight to the backend server and it is fine. I have recommended a frontend to the client, but apart from the 9am rush the server copes fine.

Remember Exchange has been built to take thousands of users. Your 100 users, 30 remote, is a very light load.

Simon.
0
 

Author Comment

by:vtjp1
ID: 16914109
Simon,
Do you have an email address I can reach you at if I come across any other questions? Thanks for all of your help.
JP
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16914300
Problem solving by email is not allowed under the rules of EE.
http://www.experts-exchange.com/help.jsp#hi99

Simon.
0
 

Author Comment

by:vtjp1
ID: 16914342
My bad, I didn't know. Sorry about that.
0
