mokn asked:

Enabling 'Front End Server' option on Exchange Server 2003

I have a Front End Exchange server in our DMZ and a Back End Exchange server. Both are Exchange Server 2003, SP2. Front End is our gateway and OWA server.
I set up a second Exchange server in our DMZ that will be running a web-based email/security software. We are having a problem opening the web page on this server and we may need to enable the option "This is a front-end server" on this new Exchange server.
My question is, will enabling this option affect mail flow to my servers or affect OWA in any way?
ASKER CERTIFIED SOLUTION
Sembee
This solution is only available to members.
Coolie Sheppard
I have a Front End and Back End Exchange setup in my network.

The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network.

Configuring your server to become a Front End server is a good idea if you are hosting your email. It will relay messages back to your back end server.

I also created a tutorial for if you ever wish to host your own Mail.

http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=239582&messageID=2330632
Also, download this. It will be very handy for your future configurations:

http://technet.microsoft.com/en-us/library/aa996980.aspx
"The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network."

What difference does it make having the frontend server in the DMZ? None whatsoever. It does nothing to enhance the security of the network, it only reduces it due to the number of holes that have to be put in the firewall.

Simon.
To each their own.

Me personally, the way I have my setup is almost flawless. All holes are patched. Intrusion detection and prevention is in place. Users can access their email from home. Spam is filtered on my FrontEnd, etc.

It's actually a smart setup, but like I said, to each their own.
It depends. If you are using ISA then you only need one port open, and even if you haven't you can encapsulate in IPsec
or you can go on your firewall and do a one-to-one NAT and not open anything.
domain members have no business in a dmz. "to each their own", ok, but people here are just trying to help you out. you can accomplish everything you need with an FE by keeping it internal, and opening two ports on your FW, 25 and 443. If security is a concern, you are making your network less secure by putting it in a dmz, and then opening so many ports through the internal FW segment to your internal LAN. the 'best' way (i.e., most secure) to do this is to use a reverse proxy in the dmz (isa) and publish your owa there. the 2nd 'best' way is to keep the FE internal as stated, or the 'worst' way (to each their own), is to do as you're doing.

starting with Exchange 2007, FE (CAS server role) is no longer supported in a DMZ.

kris.
In answer to your question, you can do what you want to do; it won't affect it. You could even use them to load balance.
Once again... to each their own.

I had my setup in place for 3 years, and it's been perfect.

But of course you have those who will argue against it, but it's an endless argument since everyone has a different viewpoint.

I could sit here and say PCs are better than Macs, then you'll have 100 people saying Macs are better, and another 100 saying PCs are better.

For the author's sake, I hope any of this information was useful to you, ignore the "sarcastic" remarks and attempts to degrade one's decision.

shep
But for argument's sake, here's some articles from MICROSOFT, showing a Front End Exchange Server in a DMZ zone.

Once again, to each their own.

http://technet.microsoft.com/en-us/library/aa996948.aspx
http://www.isaserver.org/articles/2004dmzfebe.html
This is my take on it.
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

The fact that Microsoft have written articles on how to do it, doesn't make it a good idea. It is a request I get frequently when I am working with my financial services client, usually silenced by the request for port 135 to be opened.

Simon.
mokn (ASKER)

Hi. Remember me? I'm the author of the original question which had nothing to do with the DMZ. But I did enjoy reading this string of emails.
Now that the responses have stopped, I will go ahead and accept a solution. But, because of these responses, I will be following up with another question regarding using the reverse proxy in the DMZ. We are in the planning stages of upgrading our Exchange hardware and will now consider a new design based on what I've read here. Thanks again for all your responses.

M.