Solved

How to add an Exchange 2007 Frontend to Exchange 2003 environment

Posted on 2010-01-11
20
Medium Priority
287 Views
Last Modified: 2012-05-08
Good afternoon.
For security purposes, I am interested in adding an Exchange 2007 Frontend server to an Exchange 2003 environment. I do have some understanding that there is a big schema change when adding 2007, but I want to plan for a future 2007 deployment by adding this Frontend. Does anybody have some recommendations and/or experience with this proposal and a best method for deployment, or other suggestions? The idea is to put Exchange 2007 in the DMZ. We are running Active Directory in the DMZ and the internal domain. Thanks in advance.

Ed Nomran
MCSA, CCENT
0
Comment
Question by:enorman1
20 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 750 total points
ID: 26287578
You don't need to put an Exchange Server in the DMZ (except for an Edge Transport server) and in fact it's not supported.

All you need to do is install the Exchange 2007 CAS server and port forward 443 to the internal IP address of your Exchange 2007 server.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287642
Hi Ed,

Dezmaster is right, no need to place the front end OWA in the DMZ. Am I reading the post right when you say AD is in the DMZ? :)
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26287662
You definitely should not have AD in the DMZ!!

See here: http://blog.sembee.co.uk/archive/2006/02/23/7.aspx
It's written for 2003 but it's exactly the same for 2007!

If you want to put a server in the DMZ buy ISA server.
0

 

Author Comment

by:enorman1
ID: 26287681
Thanks Raheem05 and demazter.

I am currently running an Exchange 2003 server on the inside domain and wanted to add an Exchange 2007 Frontend for security. Somehow I was thinking this proposed Frontend would reside in the DMZ. This is why I'm asking questions and looking for more insight from someone that may have experience mixing an Exchange 2003 server with an Exchange 2007 Frontend, and the best practice.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287702
Dezmaster just took the words out of my mouth. Please be careful placing AD in the DMZ, huge security flaw... Agree with Dezmaster, ISA is the way to go if you really want to place a front end server in the DMZ.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26287704
Exchange 2007 is quite happy with using the CAS role to proxy for 2003.
You don't need to put it in the DMZ though, all you need to do is forward port 443.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287717
Hi Enorman1,

Dezmaster has pointed you to an excellent article Sembee has written. Please take a read, it will all make sense :)
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287756
Best practice would be, as Dezmaster has already posted above, within your private network and not the DMZ.
0
 

Author Comment

by:enorman1
ID: 26287806
So, if I'm reading and understanding correctly, an Exchange 2007 Frontend running the CAS role should sit on the inside domain with port 443 open for a direct connection to the Exchange 2003 server. Further, there is strong discouragement from having Active Directory running in the DMZ (completely detached from the internal net), using a workgroup as the preferred alternative and an ISA server in the DMZ. If I have this correct, will there be any impact considering the schema change with Exchange 2007 that I need to be aware of and/or prepare for?
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287902
No, as dezmaster said, you place the Exchange 2007 CAS server inside the private network and change your firewall rule for HTTPS port 443 traffic to be redirected, say NATted 1-1 from the public IP of the common name https://company.com = IP 169.0.0.0. You then NAT this to the private IP of the CAS server and not the 2003 server, as this is your backend server.


Having AD in your DMZ, you are much more open to attacks, not to mention the amount of holes you would have to punch in your firewall to get it talking correctly to the domain, eventually making your firewall useless.

Is your DC the only DC in the forest which is sitting in your DMZ??

Tigermatt has also written an article based on this very similar to Sembee's post which dezmaster posted:

http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-you-shouldn't-put-an-Exchange-Server-in-the-DMZ.html

You are in a spot of bother if this is your only DC and it is sitting on the edge of your network, i.e. the DMZ. Please clarify: is this the only domain controller in the forest?
0
 

Author Comment

by:enorman1
ID: 26287968
In the DMZ, I have a server running DC with fsmo roles and a VM running a secondary DC. (192 net)

The inside net is running DCs, all servers. (172 net)

The 2 domains are separate from one another: 2 different forests.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287990
Thanks for clearing this up. Why 2 forests? What else does the other forest do? Is the backend Exchange server joined to the domain sitting in the DMZ? We need to iron this out before proceeding with Exchange, if that's OK with you....
0
 

Author Comment

by:enorman1
ID: 26288074
The backend Exchange box is not joined to the DMZ.

The DMZ forest is for web app sharing, FTP services, etc. If we take some sort of security hit on that forest, there will not be any ripple effect on the internal net.

Thanks Raheem05
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26288116
OK, so place the Exchange 2007 CAS server inside the same network (your private network), then create a rule on your firewall for HTTPS port 443:

So, say your users go to https://company.com. You need to create a NAT rule with the IP address of company.com and NAT this to the Exchange 2007 CAS server inside your network (e.g. 172.16.1.1), so when someone hits https://company.com it goes to your firewall and it passes the traffic on to your Exchange 2007 CAS server.

I still don't agree with the second AD forest. I would advise sitting down and going through this at a later stage, as you can do the above without a DC in your DMZ, just create some rules in your firewall to the relevant servers etc.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26288123
Correction: *inside the same network as your Exchange 2003 server*

Does all of this make sense? :)
0
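The edge rule set the answers above describe (inbound 443 NATted to the Exchange 2007 CAS, not to the 2003 back end, and nothing else opened inward), modelled as an added example that is not from this thread. It assumes 172.16.1.1 is the CAS as in the thread, a constructed 172.16.1.2 for the Exchange 2003 back end, and 172.16.0.0/16 as the private "172 net".

```python
# Added example, not from this thread: a small model of the inbound NAT
# rule set the answers describe, with an audit that flags the two things
# the thread warns against (publishing the 2003 back end, and opening
# ports other than 443 into the private network).
# Assumptions (constructed): 172.16.1.1 is the CAS (the thread's example
# address); 172.16.1.2 stands in for the Exchange 2003 back end; the
# private network is 172.16.0.0/16 (the "172 net").
import ipaddress

CAS_IP = ipaddress.ip_address("172.16.1.1")           # Exchange 2007 CAS
BACKEND_2003_IP = ipaddress.ip_address("172.16.1.2")  # Exchange 2003 (constructed)
PRIVATE_NET = ipaddress.ip_network("172.16.0.0/16")   # internal "172 net"


def rule(dst_port, target, proto="tcp"):
    """One inbound rule: Internet -> public IP:dst_port, DNAT to target."""
    return {"proto": proto, "dst_port": dst_port, "target": ipaddress.ip_address(target)}


def audit(rules):
    """Return findings as strings; an empty list means the set matches the advice."""
    findings = []
    https = [r for r in rules if r["proto"] == "tcp" and r["dst_port"] == 443]
    if not https:
        findings.append("no inbound 443 rule: OWA will not be published")
    for r in https:
        if r["target"] == BACKEND_2003_IP:
            findings.append("443 NATted to the Exchange 2003 back end; it must target the CAS")
        elif r["target"] != CAS_IP:
            findings.append(f"443 NATted to {r['target']}, not the CAS")
    # Anything other than 443 opened into the private network is a hole the
    # thread says you should not need (the CAS proxies to 2003 internally).
    for r in rules:
        if r in https:
            continue
        if r["target"] in PRIVATE_NET:
            findings.append(f"{r['proto']}/{r['dst_port']} opened into the private network "
                            f"towards {r['target']}")
    return findings


# Constructed rule sets: what the thread recommends, and a weaker variant
# that publishes the back end directly and opens extra ports inward.
RECOMMENDED = [rule(443, "172.16.1.1")]
WEAK = [rule(443, "172.16.1.2"), rule(3389, "172.16.1.2"), rule(389, "172.16.1.10")]

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("weak", WEAK)):
        print(name, audit(rules) or ["OK"])
```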
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26288153
Absolutely agree with all this, there is no need at all for this second domain.
0
 

Author Comment

by:enorman1
ID: 26288171
Yes, makes perfect sense. I appreciate the sharing of discouragement with using AD in the DMZ. However, consider that if someone breaks into the forest/domain in the DMZ, they'll be chasing their tails with nowhere to go.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26288186
But why give them the opportunity to get that far, when you can stop them at your firewall? Let the appliance do its job... :)
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26288262
Nowhere to go? Well, if there's a trust in place from the DMZ domain to the private domain, which I am assuming there is, they already have a door. All I am saying is it's something I am hot on and do not recommend, but that's another topic. Any questions regarding the CAS, give us a shout; the instructions I provided are the same as what Dezmaster advised above. Have a good evening, I am calling it a night! :)
0
 

Author Closing Comment

by:enorman1
ID: 31675752
Raheem05 went a little further with an explanation that I found very useful and helpful. This is not in any way intended to discredit demazter.
0
