Solved

Exchange server 2003 Front End Configuration and IIS lockdown

Posted on 2007-03-29
1,501 Views
Last Modified: 2008-05-30
Greetings All:
We have two Exchange 2003 SP2 servers on W2K3 Server and 2 old Exchange 5.5 servers in a Windows 2000 mixed-mode domain with 2 WinNT BDCs. All mailboxes have already been moved to the new Exchange 2003 servers. I would like to install one Exchange 2003 server (server-owa) as a front end for users to access our two back-end Exchange 2003 servers. We have one Checkpoint firewall in front of all servers. Based on the link below, I have some questions. http://www.msexchange.org/tutorials/owa_exchange_server_2003.html
Do I need to run IIS Lockdown to secure our front-end server (even if we filter traffic through the firewall)?
Where do you get IIS Lockdown if we need it?
If I select "this is a front-end server" on the new server-owa using ESM > Server object > Properties, is there any impact on the mailboxes of our two back-end 2003 servers and Exchange 5.5 servers during the day?
Can we deselect the checkbox to make it a back-end server again, or is it a one-way street?
What are the major steps to implement the front-end server quickly without complicated registry modifications?
Here is our network diagram:
internet -- Checkpoint Firewall --- (Exchange 2003, Exchange 5.5, server-owa, two W2K domain controllers & two WinNT BDCs within the same hub)
For example (my version below, please correct it):
1) Enable a new Exchange 2003 server and select the front-end checkbox via ESM
2) Purchase SSL from Verisign
3) Enable SSL on the new server-owa following instructions from Verisign
4) What ports need to be opened in the firewall?
5) What changes need to be done on the domain controller and the server-owa front-end server?
6) What needs to be done on our existing two back-end Exchange 2003 servers?
7) I assume we do not need to do anything on the Exchange 5.5 servers (they will be removed soon)
Thanks a lot for any input.
Charlie

Question by:chencharlie1

5 Comments
LVL 104

Expert Comment

by:Sembee
ID: 18818782
If you are running Exchange on Windows 2003, then you don't need the IIS Lockdown tool.

Enabling the frontend server option has no impact on the backend servers. You can select and deselect the option as many times as you like. Ensure that the frontend server is at the same or higher patch level as the backend servers, and when it comes to updating the servers, the frontend should always be done first.

No changes required to the domain.
Install the SSL certificate. The only port you need is 443 for HTTPS support. If you want the frontend to handle email as well, then you need port 25 as well.

You don't have to get an SSL certificate from Verisign unless you want to burn money. You can get certificates for US$20 which are just as good for OWA.

Simon.
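One check that follows from this answer (only TCP 443 from the Internet, plus TCP 25 if the front-end also handles mail, and nothing else exposed) is an audit of the firewall's Internet-facing rules. The Python below is an added example, not code from this thread, from Checkpoint or from Microsoft: the `Rule` records and the exported-policy shape are a hypothetical simplification, and `FRONTEND_IP` and the sample addresses are placeholders.

```python
"""Audit Internet-facing firewall rules for an Exchange 2003 front-end server.

Added example, not code from the thread. The rule records below are a
constructed, simplified stand-in for an exported Checkpoint policy
(hypothetical format); the addresses are placeholders. The policy being
checked is the one given in the answer above: from the Internet the
front-end needs only TCP 443, plus TCP 25 only if it also handles SMTP.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

FRONTEND_IP = "10.0.0.5"   # placeholder: the server-owa front-end
INTERNET = "any"           # source used for Internet-originated traffic


@dataclass(frozen=True)
class Rule:
    src: str                  # source address/network or "any"
    dst: str                  # destination address or "any"
    proto: str                # "tcp", "udp" or "any"
    port: Union[int, str]     # destination port or "any"
    action: str               # "accept" or "drop"


def expected_ports(frontend_handles_smtp: bool) -> Set[int]:
    """Ports the front-end should accept from the Internet."""
    return {443, 25} if frontend_handles_smtp else {443}


def audit(rules: List[Rule], frontend_ip: str,
          frontend_handles_smtp: bool = False) -> Tuple[List[str], Set[int]]:
    """Return (findings, ports correctly allowed to the front-end).

    Only Internet-sourced accept rules are examined: anything broader than
    the expected ports, or reaching a host other than the front-end, is a
    finding, and a missing expected port is reported as well.
    """
    expected = expected_ports(frontend_handles_smtp)
    findings: List[str] = []
    allowed: Set[int] = set()

    for n, r in enumerate(rules, 1):
        if r.action != "accept" or r.src != INTERNET:
            continue  # drops and internal-only traffic are out of scope here
        if r.dst == "any" or r.port == "any" or r.proto == "any":
            findings.append(f"rule {n}: overly broad Internet accept "
                            f"({r.dst} {r.proto}/{r.port})")
            continue
        if r.dst != frontend_ip:
            findings.append(f"rule {n}: Internet reaches {r.dst} on "
                            f"{r.proto}/{r.port}; only the front-end should be exposed")
            continue
        if r.proto == "tcp" and r.port in expected:
            allowed.add(r.port)
        else:
            findings.append(f"rule {n}: {r.proto}/{r.port} to the front-end is "
                            f"not needed for OWA; tighten or drop it")

    for p in sorted(expected - allowed):
        findings.append(f"missing: no accept rule for tcp/{p} from the Internet "
                        f"to the front-end")
    return findings, allowed


# Constructed sample policy (not a real export): rule 2 exposes cleartext
# HTTP, rule 3 exposes a back-end server's RPC endpoint mapper, rule 4 is
# internal-only and therefore ignored, rule 5 is the cleanup drop.
SAMPLE_RULES = [
    Rule("any", FRONTEND_IP, "tcp", 443, "accept"),
    Rule("any", FRONTEND_IP, "tcp", 80, "accept"),
    Rule("any", "10.0.0.6", "tcp", 135, "accept"),   # placeholder back-end
    Rule("192.168.1.0/24", FRONTEND_IP, "tcp", 445, "accept"),
    Rule("any", "any", "any", "any", "drop"),
]

if __name__ == "__main__":
    for smtp in (False, True):
        findings, allowed = audit(SAMPLE_RULES, FRONTEND_IP, smtp)
        print(f"front-end handles SMTP: {smtp}; allowed ports: {sorted(allowed)}")
        for f in findings:
            print("  -", f)
```

Run as-is it reports the cleartext HTTP rule and the rule that exposes a back-end host; with `frontend_handles_smtp=True` it also reports that no rule admits TCP 25. Rules whose source is an internal network are deliberately skipped, since the answer's port list is about what the Internet may reach.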

Author Comment

by:chencharlie1
ID: 18819713
Thanks for your valuable recommendations.
I am just wondering why the MSexchange.org link recommends so many registry changes.
http://www.msexchange.org/tutorials/owa_exchange_server_2003.html
It looks like we can still add some mailboxes on the server-owa front-end server.
Is this correct? (I know it is not recommended by Microsoft.)
I am just wondering if it still works if we add some mailboxes on the front-end server.
Can people get into both Ex2003 back-end servers from our new server-owa server?
LVL 104

Expert Comment

by:Sembee
ID: 18820199
The quality of the articles on msexchange.org can be hit and miss.
That particular one is three years old, so predates at least one and possibly two service packs.

Let's put it this way: I deploy lots of frontend servers and I don't make any of the registry settings suggested in that article.
Most of those changes seem to be associated with putting the frontend server in a DMZ, which is widely considered to be a stupid idea.
The time out and other settings can be managed with the OWA admin tool, which is a free download from Microsoft.

Simon.

Author Comment

by:chencharlie1
ID: 18838414
Hi Simon,
Thanks for your great info.
I agree with you regarding Microsoft's stupid idea.
One quick question.
If you have mailboxes on an Exchange Server 2003 and you make it a front-end server, can users still use their mailboxes as usual?
Or once you select it as a front-end server, will they lose all their email capability?
You need to deselect the front-end server option again in order to let them use it.
Thanks again,
Charlie
LVL 104

Accepted Solution

by: Sembee (earned 500 total points)
ID: 18839297
You can't make a server a frontend server with mailboxes on it. You will have to move the mailboxes off the server first.

Simon.