Enabling 'Front End Server' option on Exchange Server 2003

I have a Front End Exchange server in our DMZ and a Back End Exchange server. Both are Exchange Server 2003, SP2. Front End is our gateway and OWA server.
I set up a second Exchange server in our DMZ that will be running a web based email/security software. We are having a problem opening the web page on this server and we may need to enable the option "This is a front-end server" on this new Exchange server.
My question is, will enabling this option affect mail flow to my servers or affect OWA in any way?
mokn Asked:
 
Sembee Commented:
You can add and remove the option to make a server a frontend as much as you like. It has no effect on the other servers in the org. Do ensure that it is patched at the same level as the original servers. If the original servers went from SP1 to SP2 then you need to do the same.

However - Exchange does not belong in the DMZ. Why have you put an Exchange server in the DMZ? How does that improve the security of your network? I would love to know because no one can answer that question - but I can give you plenty of reasons why it is a bad idea.

Simon.
 
cshepfam Commented:
I have a Front End and Back End Exchange setup in my network.

The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network.

Configuring your server to become a Front End server is a good idea if you are hosting your email. It will relay messages back to your back end server.

I also created a tutorial in case you ever wish to host your own mail.

http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=239582&messageID=2330632
 
cshepfam Commented:
Also, download this.  It will be very handy for your future configurations:

http://technet.microsoft.com/en-us/library/aa996980.aspx
 
Sembee Commented:
"The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network."

What difference does it make having the frontend server in the DMZ? None whatsoever. It does nothing to enhance the security of the network, it only reduces it due to the number of holes that have to be put in the firewall.

Simon.
 
cshepfam Commented:
To each their own.

Me personally, the way I have my setup is almost flawless. All holes are patched. Intrusion detection and prevention is in place. Users can access their email from home. Spam is filtered on my FrontEnd, etc.

It's actually a smart setup, but like I said, to each their own.
 
Network_Data_Support Commented:
It depends. If you are using ISA then you only need one port open, and even if you haven't you can encapsulate in IPsec.
 
cshepfam Commented:
Or you can go on your firewall and do a one-to-one NAT and not open anything.
 
kristinaw Commented:
Domain members have no business in a DMZ. "To each their own", OK, but people here are just trying to help you out. You can accomplish everything you need with an FE by keeping it internal, and opening two ports on your FW, 25 and 443. If security is a concern, you are making your network less secure by putting it in a DMZ, and then opening so many ports through the internal FW segment to your internal LAN. The 'best' way (i.e., most secure) to do this is to use a reverse proxy in the DMZ (ISA) and publish your OWA there. The 2nd 'best' way is to keep the FE internal as stated, or the 'worst' way (to each their own), is to do as you're doing.

Starting with Exchange 2007, FE (CAS server role) is no longer supported in a DMZ.

kris.
 
Network_Data_Support Commented:
In answer to your question, you can do what you want to do; it won't affect it. You could even use them to load balance.
 
cshepfam Commented:
Once again, to each their own.

I had my setup in place for 3 years, and it's been perfect.

But of course you have those who will argue against it, but it's an endless argument since everyone has a different viewpoint.

I could sit here and say PCs are better than Macs, then you'll have 100 people saying Macs are better, and another 100 saying PCs are better.

For the author's sake, I hope any of this information was useful to you, ignore the "sarcastic" remarks and attempts to degrade one's decision.

shep
 
cshepfam Commented:
But for argument's sake, here are some articles from MICROSOFT, showing a Front End Exchange Server in a DMZ zone.

Once again, to each their own.

http://technet.microsoft.com/en-us/library/aa996948.aspx
http://www.isaserver.org/articles/2004dmzfebe.html
 
Sembee Commented:
This is my take on it.
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

The fact that Microsoft have written articles on how to do it, doesn't make it a good idea. It is a request I get frequently when I am working with my financial services client, usually silenced by the request for port 135 to be opened.

Simon.
 
mokn (Author) Commented:
Hi. Remember me? I'm the author of the original question which had nothing to do with the DMZ. But I did enjoy reading this string of emails.
Now that the responses have stopped, I will go ahead and accept a solution. But, because of these responses, I will be following up with another question regarding using the reverse proxy in the DMZ. We are in the planning stages of upgrading our Exchange hardware and will now consider a new design based on what I've read here. Thanks again for all your responses.

M.
Question has a verified solution.