Solved

Enabling 'Front End Server' option on Exchange Server 2003

Posted on 2007-11-27
Last Modified: 2010-03-06
I have a Front End Exchange server in our DMZ and a Back End Exchange server. Both are Exchange Server 2003, SP2. Front End is our gateway and OWA server.
I set up a second Exchange server in our DMZ that will be running a web based email/security software. We are having a problem opening the web page on this server and we may need to enable the option "This is a front-end server" on this new Exchange server.
My question is, will enabling this option affect mail flow to my servers or affect OWA in any way?
Question by:mokn
13 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 100 total points
ID: 20359796
You can add and remove the option to make a server a frontend as much as you like. It has no effect on the other servers in the org. Do ensure that it is patched at the same level as the original servers. If the original servers went from SP1 to SP2 then you need to do the same.

However - Exchange does not belong in the DMZ. Why have you put an Exchange server in the DMZ? How does that improve the security of your network? I would love to know because no one can answer that question - but I can give you plenty of reasons why it is a bad idea.

Simon.
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359892
I have a Front End and Back End Exchange setup in my network.


The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network.


Configuring your server to become a Front End server is a good idea if you are hosting your email.  It will relay messages back to your back end server.  


I also created a tutorial for if you ever wish to host your own Mail.


http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=239582&messageID=2330632
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359901
Also, download this.  It will be very handy for your future configurations:

http://technet.microsoft.com/en-us/library/aa996980.aspx
LVL 104

Expert Comment

by:Sembee
ID: 20359915
"The Front End is in the DMZ so external users can connect via OWA and so the Front End will filter spam and relay the messages to my backend server which is on the private network."

What difference does it make having the frontend server in the DMZ? None whatsoever. It does nothing to enhance the security of the network, it only reduces it due to the number of holes that have to be put in the firewall.

Simon.
 
LVL 13

Expert Comment

by:cshepfam
ID: 20359970
To each their own.


Me personally, the way I have my setup is almost flawless.  All holes are patched.  Intrusion detection and prevention is in place.  Users can access their email from home.  Spam is filtered on my FrontEnd, etc.

It's actually a smart setup, but like I said, to each their own.
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20359997
It depends. If you are using ISA then you only need one port open, and even if you haven't you can encapsulate in IPsec.
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360017
Or you can go on your firewall and do a one-to-one NAT and not open anything.
 
LVL 22

Expert Comment

by:kristinaw
ID: 20360060
Domain members have no business in a DMZ. "To each their own", OK, but people here are just trying to help you out. You can accomplish everything you need with an FE by keeping it internal, and opening two ports on your FW, 25 and 443. If security is a concern, you are making your network less secure by putting it in a DMZ, and then opening so many ports through the internal FW segment to your internal LAN. The 'best' way (i.e., most secure) to do this is to use a reverse proxy in the DMZ (ISA) and publish your OWA there. The 2nd 'best' way is to keep the FE internal as stated, or the 'worst' way (to each their own), is to do as you're doing.

Starting with Exchange 2007, FE (CAS server role) is no longer supported in a DMZ.

kris.
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20360114
In answer to your question, you can do what you want to do; it won't affect it. You could even use them to load balance.
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360320
Once again... to each their own.

I had my setup in place for 3 years, and it's been perfect.

But of course you have those who will argue against it, but it's an endless argument since everyone has a different viewpoint.

I could sit here and say PCs are better than Macs, then you'll have 100 people saying Macs are better, and another 100 saying PCs are better.

For the author's sake, I hope any of this information was useful to you; ignore the "sarcastic" remarks and attempts to degrade one's decision.


shep
 
LVL 13

Expert Comment

by:cshepfam
ID: 20360349
But for argument's sake, here's some articles from MICROSOFT, showing a Front End Exchange Server in a DMZ zone.


Once again, to each their own.


http://technet.microsoft.com/en-us/library/aa996948.aspx
http://www.isaserver.org/articles/2004dmzfebe.html
 
LVL 104

Expert Comment

by:Sembee
ID: 20360626
This is my take on it.
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

The fact that Microsoft have written articles on how to do it, doesn't make it a good idea. It is a request I get frequently when I am working with my financial services client, usually silenced by the request for port 135 to be opened.

Simon.
 
LVL 1

Author Comment

by:mokn
ID: 20366774
Hi. Remember me? I'm the author of the original question which had nothing to do with the DMZ. But I did enjoy reading this string of emails.
Now that the responses have stopped, I will go ahead and accept a solution. But, because of these responses, I will be following up with another question regarding using the reverse proxy in the DMZ. We are in the planning stages of upgrading our Exchange hardware and will now consider a new design based on what I've read here. Thanks again for all your responses.

M.

Question has a verified solution.
