Solved

Enabling 'Front End Server' option on Exchange Server 2003

Posted on 2007-11-27
Last Modified: 2010-03-06
I have a Front End Exchange server in our DMZ and a Back End Exchange server. Both are Exchange Server 2003, SP2. Front End is our gateway and OWA server.
I set up a second Exchange server in our DMZ that will be running a web based email/security software. We are having a problem opening the web page on this server and we may need to enable the option "This is a front-end server" on this new Exchange server.
My question is, will enabling this option affect mail flow to my servers or affect OWA in any way?
Question by:mokn
13 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 100 total points
ID: 20359796
You can add and remove the option to make a server a frontend as much as you like. It has no effect on the other servers in the org. Do ensure that it is patched at the same level as the original servers. If the original servers went from SP1 to SP2 then you need to do the same.

However - Exchange does not belong in the DMZ. Why have you put an Exchange server in the DMZ? How does that improve the security of your network? I would love to know because no one can answer that question - but I can give you plenty of reasons why it is a bad idea.

Simon.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359892
I have a Front End and Back End Exchange setup in my network.


The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network.


Configuring your server to become a Front End server is a good idea if you are hosting your email.  It will relay messages back to your back end server.  


I also created a tutorial for if you ever wish to host your own Mail.


http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=239582&messageID=2330632
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359901
Also, download this.  It will be very handy for your future configurations:

http://technet.microsoft.com/en-us/library/aa996980.aspx
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20359915
"The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network."

What difference does it make having the frontend server in the DMZ? None whatsoever. It does nothing to enhance the security of the network, it only reduces it due to the number of holes that have to be put in the firewall.

Simon.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359970
To each their own.


Me personally, the way I have my setup is almost flawless.  All holes are patched.  Intrusion detection and prevention is in place.  Users can access their email from home.  Spam is filtered on my FrontEnd, etc.

It's actually a smart setup, but like I said, to each their own.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20359997
It depends. If you are using ISA then you only need one port open, and even if you haven't you can encapsulate in IPsec.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360017
Or you can go on your firewall and do a one-to-one NAT and not open anything.
0
 
LVL 22

Expert Comment

by:kristinaw
ID: 20360060
Domain members have no business in a DMZ. "To each their own", OK, but people here are just trying to help you out. You can accomplish everything you need with an FE by keeping it internal, and opening two ports on your FW, 25 and 443. If security is a concern, you are making your network less secure by putting it in a DMZ, and then opening so many ports through the internal FW segment to your internal LAN. The 'best' way (i.e., most secure) to do this is to use a reverse proxy in the DMZ (ISA) and publish your OWA there. The 2nd 'best' way is to keep the FE internal as stated, or the 'worst' way (to each their own), is to do as you're doing.

Starting with Exchange 2007, FE (CAS server role) is no longer supported in a DMZ.

kris.
0
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20360114
In answer to your question, you can do what you want to do; it won't affect it. You could even use them to load balance.
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360320
Once again, to each their own.

I had my setup in place for 3 years, and it's been perfect.

But of course you have those who will argue against it, but it's an endless argument since everyone has a different viewpoint.

I could sit here and say PCs are better than Macs, then you'll have 100 people saying Macs are better, and another 100 saying PCs are better.

For the author's sake, I hope any of this information was useful to you; ignore the "sarcastic" remarks and attempts to degrade one's decision.


shep
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360349
But for argument's sake, here are some articles from MICROSOFT, showing a Front End Exchange Server in a DMZ zone.


Once again, to each their own.


http://technet.microsoft.com/en-us/library/aa996948.aspx
http://www.isaserver.org/articles/2004dmzfebe.html
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20360626
This is my take on it.
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

The fact that Microsoft have written articles on how to do it, doesn't make it a good idea. It is a request I get frequently when I am working with my financial services client, usually silenced by the request for port 135 to be opened.

Simon.
0
 
LVL 1

Author Comment

by:mokn
ID: 20366774
Hi. Remember me? I'm the author of the original question which had nothing to do with the DMZ. But I did enjoy reading this string of emails.
Now that the responses have stopped, I will go ahead and accept a solution. But, because of these responses, I will be following up with another question regarding using the reverse proxy in the DMZ. We are in the planning stages of upgrading our Exchange hardware and will now consider a new design based on what I've read here. Thanks again for all your responses.

M.
0
