  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 684

Introducing a front-end server to the existing Exchange 2003 environment

Hi,

I am trying to introduce a front-end server to the existing Exchange 2003 environment. The existing environment is as follows (everything is in the corporate network, not the DMZ):
- one Exchange Server 2003 SP2 Enterprise Edition holding the public folder store and three mailbox stores, with no more than 200 mailboxes all together
- an SMTP gateway server (Windows 2003 SP2) which is the only one that has the SMTP port open through the PIX firewall, so all incoming and outgoing email goes via the SMTP server that is published to the outside world
- OWA and ActiveSync occur directly with the Exchange server. OWA uses SSL

I want to implement a front-end server in the DMZ which will be used for mobile phone (ActiveSync) synchronization and OWA. I want all the other email traffic to continue to go via the SMTP server (I plan to move this SMTP server into the DMZ too sometime soon).

I have read a lot of documentation on the steps involved in implementing a front-end server, but I still have some concerns which I'm not too clear about:
1. They say to implement the front-end server in the internal network first (to avoid firewall port issues), then check the box "This is a front-end server" and restart. Do I need to worry about my regular mail traffic suddenly starting to go via the front-end server? Remember, I don't want to affect my regular mail traffic while I'm introducing the front-end server.
2. I need to enable POP3, SMTP and IMAP on this server so the different types of mobile phones can synchronize with the corporate Exchange environment. Is that possible? And does that mean that I need to mount at least one mailbox store on the front-end server, since I'm using SMTP on it?
3. The SMTP component on the front end needs to require authentication, so that mobile phones must authenticate first before they can relay mail via the FE server. How do I enable such authentication without affecting the other existing functionality of the front end?

Any help would be greatly appreciated

Thank you

AlwaysAlert
3 Solutions
tigermatt Commented:
First of all, the DMZ isn't really the place to put a front-end E2003 or SMTP server.

I assume your current SMTP gateway is separate from the Exchange organization and simply passes email for delivery to Exchange's local DNS address? The same for sending out? An SMTP connector sends the mail to the SMTP gateway's internal DNS address? If this is the case, introducing a front-end server shouldn't cause an issue.

Since your mail is coming in on port 25, you'll need to set the SMTP virtual server up to use a different port or get another external IP address from your ISP (assuming your router can handle this) to serve the PDA clients. Once this is done, you can simply remove the "Anonymous authentication" option on the SMTP virtual server on the front end, which means you have to authenticate to relay. You will also need to enable the "Allow all users who successfully authenticate to relay" option on this VS for the mobile phones.
AlwaysAlert (Author) Commented:
Thanks for your prompt response. Isn't the DMZ one of the solutions that even Microsoft talks about? I thought placing it there would help secure the internal corporate network, since a hack attack or virus outbreak on the FE server would not pose a threat to the internal network. I do agree, however, that there's not much use in placing the SMTP in the DMZ, so I'll scratch that.
You are correct in assuming the existing environment with the SMTP servers. Do I make the FE server a member of the group "Exchange Domain Servers" just like the back-end Exchange server? Again, none of those steps are going to disrupt the existing traffic flow, correct? You can see how careful I'm trying to be :)

Always Alert
tigermatt Commented:
You could put the FE in the DMZ, I suppose, but I'm sure I've seen somewhere that that's a bad idea...

Simply install Exchange onto the server and it should sort everything else out. As I said before, it seems like you have your mail going out through a smart host, so provided you don't change port forwarding (so incoming mail still goes through your SMTP gateway) and you don't fiddle with SMTP connector settings, then mail flow shouldn't be disrupted.

You will have to be careful with SMTP on the FE; make sure the SMTP connector there (which should come across from the other server) is set up exactly the same. Also check authentication to ensure your FE isn't an open relay, and remember it'll need a different WAN IP address to run on port 25, or use port 26 or something like that. This service can test for an open relay, free account required: http://www.abuse.net/relay.html

But, do make sure you have a good backup of your servers before starting. No one knows your network better than you!

-tigermatt
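The two settings tigermatt describes (remove anonymous access from the SMTP virtual server, then allow relay only for users who authenticate) and his advice to verify that the FE is not an open relay can be checked from the client side. The Python script below is an added example, not code from the thread, from Microsoft, or from abuse.net: it stands up a tiny loopback SMTP simulator whose relay rule is "deliver to a local domain for anyone, relay elsewhere only after AUTH PLAIN", then runs the sessions an administrator would try by hand and reports the reply codes. The hostnames, the domain corp.example and the credentials are constructed for the example; in practice the same `probe()` calls would be pointed at the real front-end's SMTP port instead of the simulator. The simulator keeps anonymous delivery to local domains so that the difference between delivering and relaying is visible; removing anonymous access entirely, as in the answer above, would make the first session fail as well.

```python
"""Loopback SMTP simulator with an authenticated-relay policy, plus the audit
sessions that show whether relaying without AUTH is possible (constructed example)."""
import base64
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"corp.example"}               # domains the FE accepts mail for (constructed)
MOBILE_USERS = {"phone-user": "S3cret-pass"}   # hypothetical credentials the FE checks


def relay_allowed(authenticated: bool, recipient: str) -> bool:
    """Relay policy matching the two virtual-server settings discussed above:
    anyone may deliver to a local domain, only an authenticated session may relay."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain in LOCAL_DOMAINS or authenticated


def check_plain(blob: str) -> bool:
    """Validate an AUTH PLAIN initial response, i.e. base64("\\0user\\0password")."""
    try:
        _, user, password = base64.b64decode(blob).decode().split("\0")
    except ValueError:            # bad base64 or wrong field count
        return False
    return MOBILE_USERS.get(user) == password


class FrontEndSmtp(socketserver.StreamRequestHandler):
    """Just enough of SMTP to exercise EHLO, AUTH PLAIN, MAIL, RCPT and QUIT."""

    def reply(self, *lines):
        self.wfile.write("".join(line + "\r\n" for line in lines).encode())

    def handle(self):
        authenticated = False
        self.reply("220 fe.corp.example ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250-fe.corp.example", "250 AUTH PLAIN")
            elif verb == "AUTH":
                _mech, _, blob = arg.partition(" ")
                authenticated = check_plain(blob)
                self.reply("235 2.7.0 Authentication successful" if authenticated
                           else "535 5.7.8 Authentication credentials invalid")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                recipient = arg.partition(":")[2].strip(" <>")
                self.reply("250 2.1.5 Recipient OK" if relay_allowed(authenticated, recipient)
                           else "550 5.7.1 Unable to relay")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def start_fe_simulator():
    """Bind the simulator on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FrontEndSmtp)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port: int, recipient: str, credentials=None) -> int:
    """One SMTP session: return the AUTH failure code if login is rejected,
    otherwise the reply code the server gives to RCPT TO:<recipient>."""
    with smtplib.SMTP("127.0.0.1", port, timeout=5) as smtp:
        smtp.ehlo("phone.example")
        if credentials:
            try:
                smtp.login(*credentials)
            except smtplib.SMTPAuthenticationError as exc:
                return exc.smtp_code
        smtp.mail("phone-user@corp.example")
        code, _ = smtp.rcpt(recipient)
        return code


def audit_relay_policy(port: int) -> dict:
    """The sessions an admin would try by hand before exposing the FE on port 25."""
    outside = "someone@elsewhere.example"
    return {
        "anonymous_to_local": probe(port, "boss@corp.example"),
        "anonymous_relay": probe(port, outside),
        "bad_password_relay": probe(port, outside, ("phone-user", "wrong")),
        "authenticated_relay": probe(port, outside, ("phone-user", "S3cret-pass")),
    }


def is_open_relay(report: dict) -> bool:
    """An FE that accepts RCPT to a foreign domain without AUTH is an open relay."""
    return report["anonymous_relay"] == 250


if __name__ == "__main__":
    server, port = start_fe_simulator()
    try:
        report = audit_relay_policy(port)
        for name, code in report.items():
            print(f"{name:20s} -> {code}")
        print("OPEN RELAY" if is_open_relay(report) else "relay requires authentication")
    finally:
        server.shutdown()
        server.server_close()
```

Run as a script it prints one reply code per session; the combination to look for is 550 for the anonymous relay attempt, 535 for a bad password and 250 only once AUTH succeeded. Any 250 on the anonymous relay line is the open-relay condition the answer warns about, and the same probes can be re-run after every change to the virtual server's authentication or relay restrictions.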
AlwaysAlert (Author) Commented:
When I bring up the front-end server, I install it as a regular Exchange server with the following options:
1. Second Exchange server
2. In the same organization as the first (back-end) Exchange server
3. After installation is complete, I check the front-end check box
4. Uninstall/dismount services and the information and public folder stores, etc.
5. Restart the machine

Am I missing any major steps?

If I need SMTP functionality (ESMTP/authentication) for a few mobile phones to relay through the front end, then do I leave at least one information store mounted?

The back-end server is Enterprise Edition (SP2); am I okay using a front-end server with Standard Edition (SP2) for the requirements that I have?

AlwaysAlert
tigermatt Commented:
Hi AlwaysAlert,

I suggest you keep the stores mounted, even though there is nothing in them. You will run into problems if you dismount a store or the Exchange IS service.

Other than that, I can't see any other problems with your plan. I would suggest restarting after configuring Windows, installing Exchange, bringing up as an FE etc. just to make sure everything gets applied. Provided you bring it up as a frontend server and don't change incoming port forwarding/MX records, nor do you edit smart hosts for outgoing mail, you shouldn't get any difficulties.

The only advantage over Enterprise edition is obviously the limit on database size and number of databases is not present. You can certainly install Standard edition on an FE, both Enterprise and Standard can co-exist in an Exchange organization with no problems whatsoever.

-tigermatt
tigermatt Commented:
Hi, Thanks for the points. Can you confirm why you graded with a 'B'?