• Status: Solved
  • Priority: Medium
  • Security: Public

How to add an Exchange 2007 Frontend to Exchange 2003 environment

Good afternoon.
For security purposes, I am interested in adding an Exchange 2007 Frontend server to an Exchange 2003 environment. I do have some understanding that there is a big schema change when adding 2007 but I want to plan for future 2007 deployment by adding this Frontend. Does anybody have some recommendations and/or experience with this proposal and a best method for deployment or other suggestions ? The idea is to put Exchange 2007 in the DMZ. We are running active directory in the DMZ and internal domain Thanks in advance.

Ed Nomran
MCSA, CCENT
0
Asked: enorman1
1 Solution
 
Glen KnightCommented:
You don't need to put an Exchange Server in the DMZ (except for an Edge Transport server) and in fact it's not supported.

All you need to do is install the Exchange 2007 CAS server and port forward 443 to the internal IP address of your Exchange 2007 server.
0
 
Raheem05Commented:
Hi Ed,

Dezmaster is right, no need to place the front end OWA in the DMZ. Am I reading the post right when you say AD is in the DMZ? :)
0
 
Glen KnightCommented:
You definitely should not have AD in the DMZ!!

See here: http://blog.sembee.co.uk/archive/2006/02/23/7.aspx
It's written for 2003 but it's exactly the same for 2007!

If you want to put a server in the DMZ buy ISA server.
0
 
enorman1Author Commented:
Thanks Raheem05 and demazter.

I am currently running an Exchange 2003 server on the inside domain and wanted to add an Exchange 2007 Frontend for security. Somehow I was thinking this proposed Frontend would reside in the DMZ. This is why I'm asking questions and looking for more insight from someone that may have experience mixing an Exchange 2003 server with an Exchange 2007 Frontend and the best practice.
0
 
Raheem05Commented:
Dezmaster just took the words out of my mouth. Please be careful placing AD in the DMZ, huge security flaw... Agree with Dezmaster, ISA is the way to go if you really want to place a front end server in the DMZ.
0
 
Glen KnightCommented:
Exchange 2007 is quite happy with using the CAS role to proxy for 2003.
You don't need to put it in the DMZ though, all you need to do is forward port 443.
0
 
Raheem05Commented:
Hi Enorman1,

Dezmaster has pointed you to an excellent article Sembee has written. Please take a read, it will all make sense :)
0
 
Raheem05Commented:
Best practice would be, as Dezmaster has already posted above, within your private network and not the DMZ.
0
 
enorman1Author Commented:
So, if I'm reading and understanding correctly, an Exchange 2007 Frontend running the CAS role should sit on the inside domain with port 443 open for a direct connection to the Exchange 2003 server. Further, there is strong discouragement from having Active Directory running in the DMZ (completely detached from the internal net), using a workgroup as the preferred alternative and using an ISA server in the DMZ. If I have this correct, will there be any impact considering the schema change with Exchange 2007 that I need to be aware of and/or prepare for?
0
 
Raheem05Commented:
No, as dezmaster said, you place the Exchange 2007 CAS server inside the private network and change your firewall rule for HTTPS port 443 traffic to be redirected, say NATted 1-1 from the public IP of the common name https://company.com = IP 169.0.0.0. You then NAT this to the private IP of the CAS server and not the 2003 server, as this is your backend server.

Having AD in your DMZ you are much more open to attacks, not to mention the amount of holes you would have to punch in your firewall to get it talking correctly to the domain, thus eventually making your firewall useless.

Is your DC the only DC in the forest which is sitting in your DMZ??

Tigermatt has also written an article based on this very similar to Sembee's post which dezmaster posted:

http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-you-shouldn't-put-an-Exchange-Server-in-the-DMZ.html

You are in a spot of bother if this is your only DC and it is sitting on the edge of your network, i.e. the DMZ. Please clarify: is this the only domain controller in the forest?
0
 
enorman1Author Commented:
In the DMZ, I have a server running as a DC with the FSMO roles and a VM running a secondary DC. (192 net)

The inside net is running DCs, all servers. (172 net)

The 2 domains are separate from one another: 2 different forests.
0
 
Raheem05Commented:
Thanks for clearing this up. Why 2 forests? What else does the other forest do? Is the backend Exchange server joined to the domain sitting in the DMZ? We need to iron this out before proceeding with Exchange, if that's OK with you....
0
 
enorman1Author Commented:
The backend Exchange box is not joined to the DMZ.

The DMZ forest is for web app sharing, FTP services, etc. If we take some sort of security hit on that forest, there will not be any ripple effect on the internal net.

Thanks Raheem05
0
 
Raheem05Commented:
OK, so place the Exchange 2007 CAS server inside the same network (your private network), then create a rule on your firewall for HTTPS port 443:

So say your users go to https://company.com. You need to create a NAT rule with the IP address of company.com and NAT this to the Exchange 2007 CAS server inside your network (e.g. 172.16.1.1), so when someone hits https://company.com it goes to your firewall and it passes the traffic on to your Exchange 2007 CAS server.

I still don't agree with the second AD forest. I would advise sitting down and going through this at a later stage, as you can do the above without a DC in your DMZ; just create some rules in your firewall to the relevant servers etc.
0
 
Raheem05Commented:
correction *inside the same network as your exchange 2003 server*

Does all of this make sense? :)
0
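As an added example (not code from this thread or from any of its participants), the two points the thread keeps returning to, written as an audit over a constructed firewall rule list: port 443 must be NATted to the CAS rather than the Exchange 2003 back end, and no AD ports may be opened from the DMZ (192 net) to the internal net (172 net). The rule format, the AD port list and every address other than the thread's 172.16.1.1 are assumptions.

```python
"""Audit a firewall rule list against the CAS-placement advice in the thread.
Constructed example: Rule format, AD_PORTS and most addresses are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

CAS_INTERNAL_IP = "172.16.1.1"   # CAS address used in the thread
BACKEND_2003_IP = "172.16.1.2"   # assumption: the Exchange 2003 back end
DMZ_NET = "192.168."             # thread: DMZ forest lives on the 192 net
INTERNAL_NET = "172."            # thread: inside forest lives on the 172 net

# Ports a domain member needs towards a DC. Opening these from the DMZ is the
# "holes punched in the firewall" the thread warns about (list is an assumption).
AD_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}


@dataclass(frozen=True)
class Rule:
    src: str                    # source host or network prefix
    dst: str                    # destination host (public or internal)
    port: int                   # TCP destination port
    nat_to: Optional[str] = None  # DNAT target; None means a plain allow


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the set matches the advice."""
    findings = []
    https_nat = [r for r in rules if r.port == 443 and r.nat_to]
    if not https_nat:
        findings.append("no 443 NAT rule: OWA/RPC-over-HTTPS will not be reachable")
    for r in https_nat:
        if r.nat_to == BACKEND_2003_IP:
            findings.append(f"443 NATted to the 2003 back end {r.nat_to}; point it at the CAS")
        elif r.nat_to != CAS_INTERNAL_IP:
            findings.append(f"443 NATted to unexpected host {r.nat_to}")
    for r in rules:
        if r.src.startswith(DMZ_NET) and r.dst.startswith(INTERNAL_NET) and r.port in AD_PORTS:
            findings.append(f"AD port {r.port} open from DMZ {r.src} to internal {r.dst}")
    return findings


# Constructed rule sets: 203.0.113.10 stands in for the public OWA address.
RECOMMENDED = [Rule("0.0.0.0/0", "203.0.113.10", 443, nat_to=CAS_INTERNAL_IP)]
ANTI_PATTERN = [
    Rule("0.0.0.0/0", "203.0.113.10", 443, nat_to=BACKEND_2003_IP),
    Rule("192.168.1.0/24", "172.16.1.5", 389),   # LDAP from DMZ to an internal DC
    Rule("192.168.1.0/24", "172.16.1.5", 445),   # SMB from DMZ to an internal DC
    Rule("192.168.1.0/24", "172.16.1.5", 88),    # Kerberos from DMZ to an internal DC
]

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("anti-pattern", ANTI_PATTERN)):
        print(name, audit(rules) or ["OK"])
```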
 
Glen KnightCommented:
Absolutely agree with all this, there is no need at all for this second domain.
0
 
enorman1Author Commented:
Yes, makes perfect sense. I appreciate the sharing of discouragement with using AD in the DMZ. However, consider that if someone breaks into the forest/domain in the DMZ, they'll be chasing their tails with nowhere to go.
0
 
Raheem05Commented:
But why give them the opportunity to get that far? When you can stop them at your firewall, let the appliance do its job.. :)
0
 
Raheem05Commented:
Nowhere to go? Well, if there's a trust in place from the DMZ domain to the private domain, which I am assuming there is, they already have a door. All I am saying is it's something I am hot on and do not recommend, but that's another topic. Any questions regarding the CAS, give us a shout; the instructions I provided are the same as what Dezmaster advised above. Have a good evening, I am calling it a night! :)
0
 
enorman1Author Commented:
Raheem05 went a little further with the explanation, which I found very useful and helpful. This is not in any way intended to discredit demazter.
0
