Solved

Enabling 'Front End Server' option on Exchange Server 2003

Posted on 2007-11-27
Last Modified: 2010-03-06
I have a Front End Exchange server in our DMZ and a Back End Exchange server. Both are Exchange Server 2003, SP2. Front End is our gateway and OWA server.
I set up a second Exchange server in our DMZ that will be running a web-based email/security software. We are having a problem opening the web page on this server and we may need to enable the option "This is a front-end server" on this new Exchange server.
My question is, will enabling this option affect mail flow to my servers or affect OWA in any way?
Question by:mokn
13 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 100 total points
ID: 20359796
You can add and remove the option to make a server a frontend as much as you like. It has no effect on the other servers in the org. Do ensure that it is patched at the same level as the original servers. If the original servers went from SP1 to SP2 then you need to do the same.

However - Exchange does not belong in the DMZ. Why have you put an Exchange server in the DMZ? How does that improve the security of your network? I would love to know because no one can answer that question - but I can give you plenty of reasons why it is a bad idea.

Simon.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359892
I have a Front End and Back End Exchange setup in my network.


The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network.


Configuring your server to become a Front End server is a good idea if you are hosting your email.  It will relay messages back to your back end server.  


I also created a tutorial for if you ever wish to host your own Mail.


http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=239582&messageID=2330632
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359901
Also, download this.  It will be very handy for your future configurations:

http://technet.microsoft.com/en-us/library/aa996980.aspx
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20359915
"The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network."

What difference does it make having the frontend server in the DMZ? None whatsoever. It does nothing to enhance the security of the network, it only reduces it due to the number of holes that have to be put in the firewall.

Simon.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359970
To each their own.


Me personally, the way I have my setup is almost flawless.  All holes are patched.  Intrusion detection and prevention is in place.  Users can access their email from home.  Spam is filtered on my FrontEnd, etc.

It's actually a smart setup, but like I said, to each their own.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20359997
It depends. If you are using ISA then you only need one port open, and even if you haven't you can encapsulate in IPsec.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360017
Or you can go on your firewall and do a one-to-one NAT and not open anything.
0
 
LVL 22

Expert Comment

by:kristinaw
ID: 20360060
Domain members have no business in a DMZ. "To each their own", OK, but people here are just trying to help you out. You can accomplish everything you need with an FE by keeping it internal and opening two ports on your FW, 25 and 443. If security is a concern, you are making your network less secure by putting it in a DMZ and then opening so many ports through the internal FW segment to your internal LAN. The 'best' way (i.e., most secure) to do this is to use a reverse proxy in the DMZ (ISA) and publish your OWA there. The 2nd 'best' way is to keep the FE internal as stated, or the 'worst' way (to each their own) is to do as you're doing.

Starting with Exchange 2007, FE (CAS server role) is no longer supported in a DMZ.

kris.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20360114
In answer to your question, you can do what you want to do; it won't affect it. You could even use them to load balance.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360320
Once again, to each their own.

I had my setup in place for 3 years, and it's been perfect.

But of course you have those who will argue against it, but it's an endless argument since everyone has a different viewpoint.

I could sit here and say PCs are better than Macs, then you'll have 100 people saying Macs are better, and another 100 saying PCs are better.

For the author's sake, I hope any of this information was useful to you, ignore the "sarcastic" remarks and attempts to degrade one's decision.


shep
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360349
But for argument's sake, here's some articles from MICROSOFT, showing a Front End Exchange Server in a DMZ zone.


Once again, to each their own.


http://technet.microsoft.com/en-us/library/aa996948.aspx
http://www.isaserver.org/articles/2004dmzfebe.html
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20360626
This is my take on it.
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

The fact that Microsoft have written articles on how to do it, doesn't make it a good idea. It is a request I get frequently when I am working with my financial services client, usually silenced by the request for port 135 to be opened.

Simon.
0
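The firewall-exposure comparison argued over in the comments above (a front-end in the DMZ, a front-end kept internal with 25 and 443 published, and a reverse proxy in the DMZ), worked through as an added example that is not part of any poster's comment. The rule sets are constructed, the host names (fe01, be01, dc01, proxy01) are hypothetical, and the DMZ front-end port list is an assumption based on the commonly documented Exchange 2003 front-end/back-end requirements with RPC left unpinned.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    host: str   # destination host (hypothetical name)
    proto: str
    lo: int     # first port
    hi: int     # last port, inclusive

# Services that give a DMZ host directory or RPC access to internal systems.
SENSITIVE = {88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP", 3268: "Global Catalog"}

def lan_exposure(rules):
    """Summarise every rule that lets a less-trusted zone reach the LAN."""
    inbound = [r for r in rules if r.dst == "lan" and r.src != "lan"]
    ports = {(r.proto, p) for r in inbound for p in range(r.lo, r.hi + 1)}
    return {
        "hosts": sorted({r.host for r in inbound}),
        "open_ports": len(ports),
        "sensitive": sorted({SENSITIVE[p] for _, p in ports if p in SENSITIVE}),
        "wide_ranges": [(r.host, r.lo, r.hi) for r in inbound if r.hi - r.lo >= 1000],
        "direct_from_internet": sorted({p for r in inbound if r.src == "internet"
                                        for p in range(r.lo, r.hi + 1)}),
    }

def tcp(src, dst, host, lo, hi=None):
    return Rule(src, dst, host, "tcp", lo, lo if hi is None else hi)

# Constructed rule sets (assumptions, not taken from any poster's network).
FE_IN_DMZ = [  # domain-member front-end in the DMZ needs the back-end and a DC
    tcp("internet", "dmz", "fe01", 25), tcp("internet", "dmz", "fe01", 443),
    tcp("dmz", "lan", "be01", 25), tcp("dmz", "lan", "be01", 80),
    tcp("dmz", "lan", "be01", 691), tcp("dmz", "lan", "dc01", 53),
    tcp("dmz", "lan", "dc01", 88), tcp("dmz", "lan", "dc01", 135),
    tcp("dmz", "lan", "dc01", 389), tcp("dmz", "lan", "dc01", 3268),
    tcp("dmz", "lan", "dc01", 1024, 65535),  # dynamic RPC, not pinned
    Rule("dmz", "lan", "dc01", "udp", 53, 53), Rule("dmz", "lan", "dc01", "udp", 88, 88),
]
FE_INTERNAL = [  # front-end kept on the LAN, only 25 and 443 published
    tcp("internet", "lan", "fe01", 25), tcp("internet", "lan", "fe01", 443),
]
REVERSE_PROXY = [  # OWA published via a DMZ proxy; SMTP forwarded directly (assumption)
    tcp("internet", "dmz", "proxy01", 443), tcp("dmz", "lan", "fe01", 443),
    tcp("internet", "lan", "fe01", 25),
]

if __name__ == "__main__":
    for name, rules in [("FE in DMZ", FE_IN_DMZ), ("FE internal", FE_INTERNAL), ("Reverse proxy", REVERSE_PROXY)]:
        print(name, lan_exposure(rules))
```

The summary separates how many ports reach the LAN from which of them carry directory or RPC traffic, which is the distinction the thread turns on.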
 
LVL 1

Author Comment

by:mokn
ID: 20366774
Hi. Remember me? I'm the author of the original question which had nothing to do with the DMZ. But I did enjoy reading this string of emails.
Now that the responses have stopped, I will go ahead and accept a solution. But, because of these responses, I will be following up with another question regarding using the reverse proxy in the DMZ. We are in the planning stages of upgrading our Exchange hardware and will now consider a new design based on what I've read here. Thanks again for all your responses.

M.
0
