Introducing front end server to the existing exchange 2003 environment

Posted on 2007-09-28
Last Modified: 2008-01-09

I am trying to introduce a front-end server to the existing Exchange 2003 environment. The existing environment is as follows (everything is in the corporate network, not the DMZ):
- one Exchange Server 2003 SP2 Enterprise Edition holding the public folder store and three mailbox stores with no more than 200 mailboxes all together
- an SMTP gateway server (Windows 2003 SP2) which is the only one that has the SMTP port open through the PIX firewall, so all incoming and outgoing email goes via the SMTP server that is published to the outside world
- OWA and ActiveSync occur directly with the Exchange server. OWA uses SSL

I want to implement a front-end server in the DMZ which will be used for mobile phone (ActiveSync) synchronization and OWA. I want all the other email traffic to continue to go via the SMTP server (I plan to move this SMTP server into the DMZ also sometime soon).

I have read a lot of documentation on the steps involved in implementing a front-end server, but I still have some concerns which I'm not too clear about:
1. They say to implement a front-end server in the internal network first (to avoid firewall port issues), then check the box "This is a front-end server" and restart. Do I need to worry about my regular mail traffic suddenly starting to go via the front-end server? Remember, I don't want to affect my regular mail traffic while I'm introducing the front-end server.
2. I need to enable POP3, SMTP and IMAP on this server so the different types of mobile phones can synchronize with the corporate Exchange environment. Is that possible, and does that mean that I need to mount at least one mailbox store on the front-end server, since I'm using SMTP on it?
3. The SMTP component on the front end needs to require authentication, so that mobile phones must authenticate before they can relay mail via the FE server. How do I enable such authentication without affecting the other existing functionality of the front end?

Any help would be greatly appreciated

Thank you

Question by:AlwaysAlert
    LVL 58

    Assisted Solution

    First of all, the DMZ isn't really the place to put a frontend E2003 or SMTP server.

    I assume your current SMTP gateway is separate to the Exchange organization and simply passes email for delivery to Exchange's local DNS address? The same for sending out? An SMTP connector sends the mail to the SMTP gateway's internal DNS address? If this is the case, introducing a front-end server shouldn't cause an issue.

    Since your mail is coming in on port 25, you'll need to set the SMTP virtual server up to use a different port or get another external IP address from your ISP (assuming your router can handle this) to serve the PDA clients. Once this is done, you can simply remove the "Anonymous authentication" option on the SMTP virtual server on the front end, which means you have to authenticate to relay. You will also need to enable the option to "Allow all users who successfully authenticate to relay" option on this VS for the mobile phones.
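    Added example (not part of this thread, and not code from Exchange or from either poster): a small Python model of the SMTP virtual-server decision the reply above describes, so the effect of the "Anonymous access" and "Allow all computers which successfully authenticate to relay" settings can be seen side by side with a relay-restriction setting that would make the FE an open relay. The reply codes mirror the ones Exchange 2003 returns in these situations; the host name, accounts, passwords and recipient domains are constructed for the example.

```python
# Added example: a model of the Exchange 2003 SMTP virtual-server relay decision.
# Not Exchange code; the policy fields stand in for the three ESM settings named
# in the comments. Accounts, passwords, host and domains are constructed.
import base64
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpVsPolicy:
    local_domains: frozenset   # accepted domains of the Exchange organization
    anonymous_allowed: bool    # VS "Access > Authentication > Anonymous access"
    relay_for_auth: bool       # "Allow all computers which successfully authenticate to relay"
    relay_anyone: bool         # relay restrictions set to "All except the list below"
    users: dict                # constructed credential store (hypothetical)


class SmtpSession:
    """State for one client connection to the virtual server."""

    def __init__(self, policy: SmtpVsPolicy):
        self.policy = policy
        self.authenticated = False
        self.mail_accepted = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-fe.example.com Hello\r\n250-AUTH LOGIN PLAIN\r\n250 OK"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            # With anonymous access removed, an unauthenticated client is refused here.
            if not self.authenticated and not self.policy.anonymous_allowed:
                return "530 5.7.3 Client was not authenticated"
            self.mail_accepted = True
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb == "QUIT":
            return "221 2.0.0 Service closing transmission channel"
        return "500 5.5.1 Command unrecognized"

    def _auth(self, arg: str) -> str:
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.7.4 Unrecognized authentication type"
        try:
            _authz, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:  # bad base64, bad UTF-8, or wrong number of fields
            return "501 5.5.2 Cannot decode response"
        expected = self.policy.users.get(user, "")
        ok = user in self.policy.users and hmac.compare_digest(expected, password)
        self.authenticated = ok
        return "235 2.7.0 Authentication successful" if ok else "535 5.7.3 Authentication unsuccessful"

    def _rcpt(self, arg: str) -> str:
        if not self.mail_accepted:
            return "503 5.5.2 Need mail command"
        addr = arg.split(":", 1)[-1].strip().strip("<>")
        domain = addr.rpartition("@")[2].lower()
        if domain in self.policy.local_domains:
            return "250 2.1.5 " + addr          # local delivery is never a relay
        if self.policy.relay_anyone or (self.policy.relay_for_auth and self.authenticated):
            return "250 2.1.5 " + addr
        return "550 5.7.1 Unable to relay for " + addr


def run_session(policy: SmtpVsPolicy, client_lines):
    """Feed a scripted client session in; return (client line, server reply) pairs."""
    session = SmtpSession(policy)
    return [(line, session.handle(line)) for line in client_lines]


def relay_outcome(policy: SmtpVsPolicy, authenticate: bool) -> str:
    """Reply code an external recipient gets from a phone that does/does not authenticate."""
    lines = ["EHLO phone"]
    if authenticate:
        lines.append("AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret-constructed").decode())
    rcpt = "RCPT TO:<bob@partner.test>"
    lines += ["MAIL FROM:<alice@example.com>", rcpt, "QUIT"]
    return dict(run_session(policy, lines))[rcpt][:3]


USERS = {"alice": "s3cret-constructed"}   # constructed credential store
LOCAL = frozenset({"example.com"})

# Default-like VS: anonymous inbound mail accepted, relay only when authenticated.
DEFAULT_LIKE = SmtpVsPolicy(LOCAL, True, True, False, USERS)
# The reply's recommendation for the FE VS serving phones: anonymous access removed.
FE_RECOMMENDED = SmtpVsPolicy(LOCAL, False, True, False, USERS)
# Misconfiguration to check for: "All except the list below" makes an open relay.
OPEN_RELAY = SmtpVsPolicy(LOCAL, True, True, True, USERS)

if __name__ == "__main__":
    for name, pol in [("default", DEFAULT_LIKE), ("fe", FE_RECOMMENDED), ("open", OPEN_RELAY)]:
        print(name, "unauth:", relay_outcome(pol, False), "auth:", relay_outcome(pol, True))
```

    Under the recommended FE settings an unauthenticated phone is stopped at MAIL FROM (530), so no relay attempt ever reaches the RCPT stage, while the same phone after AUTH PLAIN gets its external recipient accepted; the `OPEN_RELAY` policy is the one to make sure the FE does not end up with.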

    Author Comment

    Thanks for your prompt response. Isn't the DMZ one of the solutions that even Microsoft talks about? I thought placing it there would help secure the internal corporate network, since a hack attack or virus outbreak on the FE server would not pose a threat to the internal network. I do agree, however, that there's not much use in placing the SMTP server in the DMZ, so I'll scratch that.
    You are correct in assuming the existing environment with the SMTP servers. Do I make the FE server a member of the group "Exchange Domain Servers" just like the back-end Exchange server? Again, none of those steps are going to disrupt the existing traffic flow, correct? You can see how careful I'm trying to be :)

    Always Alert
    LVL 58

    Assisted Solution

    You found put the FE in the DMZ I suppose, but I'm sure I've seen somewhere that that's a bad idea...

    Simply install Exchange onto the server and it should sort everything else out. As I said before, it seems like you have your mail going out through a smart host, so provided you don't change port forwarding (so incoming mail still goes through your SMTP gateway) and you don't fiddle with SMTP connector settings, then mail flow shouldn't be disrupted.

    You will have to be careful with SMTP on the FE; make sure the SMTP connector there (which should come across from the other server) is set up exactly the same. Also check authentication to ensure your FE isn't an open relay, and remember it'll need a different WAN IP address to run on port 25, or use port 26 or something like that. This service can test for an open relay, free account required:

    But, do make sure you have a good backup of your servers before starting. No one knows your network better than you!


    Author Comment

    When I bring up the front-end server, I install it as a regular Exchange server with the following options:
    1. Second Exchange server
    2. In the same organization as the first (back-end) Exchange server
    3. After installation is complete, I check the front-end check box
    4. Uninstall/dismount services and information and public folder stores, etc.
    5. Restart the machine

    Am I missing any major steps?

    If I need SMTP functionality (ESMTP/authentication) for a few mobile phones to relay through the front end, then do I leave at least one information store mounted?

    The back-end server is Enterprise Edition (SP2); am I okay using a front-end server with Standard Edition (SP2) for the requirements that I have?

    LVL 58

    Accepted Solution

    Hi AlwaysAlert,

    I suggest you keep the stores mounted, even though there is nothing in them. You will run into problems if you dismount a store or the Exchange IS service.

    Other than that, I can't see any other problems with your plan. I would suggest restarting after configuring Windows, installing Exchange, bringing up as an FE etc. just to make sure everything gets applied. Provided you bring it up as a frontend server and don't change incoming port forwarding/MX records, nor do you edit smart hosts for outgoing mail, you shouldn't get any difficulties.

    The only advantage over Enterprise edition is obviously the limit on database size and number of databases is not present. You can certainly install Standard edition on an FE, both Enterprise and Standard can co-exist in an Exchange organization with no problems whatsoever.

    LVL 58

    Expert Comment

    Hi, Thanks for the points. Can you confirm why you graded with a 'B'?
