Moving to Exchange 2k3 and Need some help

I currently have Exchange 2000, but am in the process of moving to Exchange 2k3. My current setup is as follows:

In the DMZ I have a Linux box accepting my mail and forwarding into my internal network to Exchange. Then Exchange sends out of a different IP address (than the Linux box). I am not really sure why it is set up this way, but when I got here that is what was working.

I want to add a FE Exchange 2003 server and upgrade my current Exchange 2000 box to 2003. I have read the MS technotes, but I wanted to see if anyone had any tips, tricks or ideas to get this done. As of right now I am thinking about leaving the incoming mail so that it comes from the Linux box (not broke, don't fix it) and then adding a FE to my DMZ so users can use OWA and OMA. I have gone back and forth with the idea of using MS ISA 2004 but have never used it and really don't understand what it is going to do differently from my current firewall. Any help would be greatly appreciated.

Thanks,
JP

Sembee Commented:
Exchange in a DMZ? Bad idea. Go and read my blog for reasons why: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

Someone is a little paranoid about security. How confident are you about using Linux? If not, then dump the Linux box and use the ISA machine in the DMZ. Or simplify matters and have everything coming in direct.

Despite what some might say, I don't consider ISA to be a firewall. It is a proxy device. It can sit in the DMZ and act as a go-between for the Exchange server and the Internet. I don't deploy an ISA very often; most clients don't need the added complexity. Usually everything hits the Exchange server on production direct.
The few times I have deployed ISA it has been for a finance company who have more security staff than IT.

Either way, that kind of deployment will not affect how your Exchange upgrade is done. If you do a swing migration then you can do it step by step without affecting the users. Email comes in to any Exchange server in the Exchange org and Exchange will route the email to the correct server.

Simon.
 
Amitspeedstar Commented:

Regarding the upgrading of Exchange 2000 to 2003, follow the article below on TechNet.

http://support.microsoft.com/kb/327304/en-us

Now as for your other problem: if you want to use Exchange as a FE, then install another Exchange 2003 and do not configure any mailboxes and recipient policies on it; after this, promote the server as a FE. You should know how to do it.

Regarding the firewall, it is advisable to use ISA Server 2004 with your Exchange FE and create a DMZ so that users who use OWA/OMA will hit the FE and not your BE, on which the mailboxes and data are.

For using ISA 2004 with Exchange 2003, follow the article below.

http://support.microsoft.com/kb/837354/en-us

This article contains links to various documents that can help you to use ISA 2004 in different scenarios and configurations. Or what you can do is go to the ISA Server home page on the Microsoft website and you will find more details regarding this.

I hope this will solve your problem, as after you configure ISA you no longer need the Linux box any more.


Amit.
 
vtjp1 (Author) Commented:
Sembee,
I read your blog and had a couple of questions.
1. If I only have one BE server there is really no reason to have the front end server, is there? If so, why?
2. Can I load ISA 2004 on to a server that I currently have running in the DMZ? The server I am talking about only runs one webpage that is very static and really does nothing.

Thanks
JP
Sembee Commented:
There are two main reasons for deploying a frontend server.

1. Load - if you have heavy remote use then a frontend can take load off the backend server.
2. Single point of entry. If you have multiple backend servers then a frontend provides a single point for OWA, SMTP traffic etc to come in.

If you already have a server in the DMZ which is not a member of the domain and is basically doing nothing, then it sounds like an ideal candidate for ISA.

Simon.
 
vtjp1 (Author) Commented:
Sembee, you have been great. One last thing.
If I don't use ISA, will the BE have to do the processing of the SSL load? I am just trying to not have to pay for extra licenses and hardware. I only have one BE, so I was thinking ISA in the DMZ with Exchange 2003 BE in the internal network. But I want to make sure ISA would take the load of the SSL before I went forward with that design.

JP
 
Sembee Commented:
How many users are there?
How many are remote?

It might be one of those things where you try using the backend for everything, then introduce a frontend and/or an ISA server if it is too much. It is very easy to slot either in without causing the users too much hassle. Make sure that you use a commercial certificate that can be easily moved around, and use a generic name for the SSL certificate. Instead of servername.domain.com use owa.domain.com or mail.domain.com so that it is a simple DNS tweak to move the name to another machine.

Simon.
 
vtjp1 (Author) Commented:
Sembee,
Thanks, you have been great. I have about 100 users and about 30 of them will be accessing remotely. I was going to use ISA and just a backend server. Do you know if the ISA server would handle the SSL processes, or would the BE in that setup? I am just worried about putting the extra stress on the BE.
 
Sembee Commented:
That is peanuts.

I wouldn't bother with offloading SSL on that sort of load. I have sites with 100 users on SSL going straight to the backend server and it is fine. I have recommended a frontend to the client, but apart from the 9am rush the server copes fine.

Remember Exchange has been built to take thousands of users. Your 100 users, 30 remote, is a very light load.

Simon.
 
vtjp1 (Author) Commented:
Simon,
Do you have an email address I can reach you at if I come across any other questions? Thanks for all of your help.
JP
 
Sembee Commented:
Problem solving by email is not allowed under the rules of EE.
http://www.experts-exchange.com/help.jsp#hi99

Simon.
 
vtjp1 (Author) Commented:
My bad, I didn't know. Sorry about that.