Solved

Exchange server 2003 Front End Configuration and IIS lockdown

Posted on 2007-03-29
Last Modified: 2008-05-30
Greetings All:
We have two Exchange 2003 SP2 servers on W2K3 Server and 2 old Exchange 5.5 servers in a Windows 2000 mixed mode with 2 WinNT BDCs. All mailboxes have been moved to the new Exchange 2003 servers already. I would like to install one Exchange 2003 server-owa as a front end for users to access our two backend Exchange 2003 servers. We have one Checkpoint firewall in front of all servers. Based on the link below, I have some questions.
http://www.msexchange.org/tutorials/owa_exchange_server_2003.html
Do I need to run IIS lockdown to secure our front end server (even if we filter out traffic through the firewall)?
Where do you get the IIS lockdown if we need one?
If I select "this is a front-end server" on the new server-owa using ESM > Server object > Properties, is there any impact on mailboxes of our two backend 2003 servers and Exchange 5.5 servers during the day?
Can we deselect the checkbox to make it a backend server again, or is it a one-way street?
What are the major steps to implement the front end server quickly without complicated registry modification?
Here is our network diagram.
Internet -- Checkpoint Firewall --- (Exchange 2003, Exchange 5.5, server-owa, two W2K domain controllers & two WinNT BDCs within the same hub)
For example (my version below, please correct it):
1) Enable a new Exchange 2003 server and select the front end checkbox via ESM
2) Purchase SSL from Verisign
3) Enable SSL on new server-owa following instructions from Verisign
4) What ports need to be opened in the firewall?
5) What changes need to be done on the domain controller and the server-owa front end server?
6) What needs to be done on our existing two backend Exchange 2003 servers?
7) I assume we do not need to do anything on the Exchange 5.5 servers (they will be removed soon)
Thanks a lot for any inputs.
Charlie

Question by: chencharlie1

Expert Comment

by:Sembee
ID: 18818782
If you are running Exchange on Windows 2003, then you don't need the IIS Lockdown tool.

Enabling Frontend server option has no impact on the backend servers. You can select, deselect the option as many times as you like. Ensure that the frontend server is at the same or higher patch level as the backend servers and when it comes to updating the server, the frontend should always be done first.

No changes required to the domain.
Install the SSL certificate. The only port you need is 443 for HTTPS support. If you want the frontend to handle email as well, then you need port 25 as well.

You don't have to get an SSL certificate from Verisign unless you want to burn money. You can get certificates for US$20 which are just as good for OWA.

Simon.

Author Comment

by:chencharlie1
ID: 18819713
Thanks for your valuable recommendations.
I am just wondering why the MSexchange.org link recommended so many registry changes.
http://www.msexchange.org/tutorials/owa_exchange_server_2003.html
It looks like we can still add some mailboxes on the server-owa front end server.
Is this correct (I know it is not recommended by Microsoft)?
I am just wondering if it is still working if we add some mailboxes in front end server.
Can people get in both ex2003 backend servers from our new server-owa server?

Expert Comment

by:Sembee
ID: 18820199
The quality of the articles on msexchange.org can be hit and miss.
That particular one is three years old, so predates at least one and possibly two service packs.

Let's put it this way, I deploy lots of frontend servers and I don't make any of the registry settings suggested in that article.
Most of those changes seem to be associated with putting the frontend server in a DMZ, which is widely considered to be a stupid idea.
The time out and other settings can be managed with the OWA admin tool, which is a free download from Microsoft.

Simon.

Author Comment

by:chencharlie1
ID: 18838414
Hi Simon,
Thanks for your great info.
I agree with you regarding Microsoft's stupid idea.
One quick question.
If you have mailboxes on Exchange Server 2003 and you make it a front-end server,
can users still use their mailboxes as usual?
Or once you select it as a front end server, they will lose all their email capability.
You need to deselect the front end server again in order to let them use it.
Thanks again,
Charlie

Accepted Solution

by: Sembee (earned 500 total points)
ID: 18839297
You can't make a server a frontend server with mailboxes on it. You will have to move the mailboxes off the server first.

Simon.