Front/Backend server config

Just trying to understand a bit more about the average Windows Exchange Frontend and Backend server config.

Is the Frontend server a member of the same domain as the Backend?
How does the mail flow from the Backend server to Internet mailboxes?
Does the Frontend have two NICs? One public (Internet facing) and one private for the domain?

Just looking for a simple explanation.

Yes Frontend should be in the same forest/domain as the backend.

You have to configure the Frontend as a Bridgehead server by hosting the outbound internet SMTP connector on the Frontend. Once the frontend has an SMTP Connector to the Internet with Enterprise-wide scope, all other servers can see the connector and will send email to the frontend, which the frontend will send to the internet.

Two NICs for the Frontend is not a must. It all depends on how you want to secure it. If there is no other firewall between the Frontend and the Internet then what you are suggesting will help, but in the absence of a firewall the server can be under attack from the Internet.

I strongly disagree with shajidali,

##Is the Frontend server a member of the same domain as the Backend?##
Your front-end should not be a member joined server, since it is what it says... A front-end server. Most companies have their front-end mail server (if they have one), usually in the DMZ zone (demilitarized zone).
The function of a front-end server can be due to various reasons, though primarily to sort out spam e-mail, trojans, viruses, have blacklist rules, whitelist rules etc. Consider it as a filter among other things.
This is why it should not be a member of your domain, if your front-end server is located within the domain and gets infected it will / can infect your organization.

You can install a spam-server, various email servers with SMTP functionality, such as Postfix (which is a Linux variant and free software which a lot of companies use as a front-end server).
So mail flow should be: Internet -> Front-end (in DMZ zone for example) -> backend
Or if you have firewalls that are in the DMZ zone or in the domain, these would go in between front-end and back-end.

##How does the mail flow from the Backend server to Internet mailboxes?##
You can have your backend mail servers use the MX DNS records to send out mail directly to the web, or you could use a smarthost if you have further mail flow control (this is beneficial if you want more rules, monitoring of mail flowing out from your company)
An example for external to internal mail flow and vice versa could be for example the following:

Incoming mail: Internet -> Front-end (in DMZ zone for example) -> Firewall (in your domain) -> backend mail server (exchange)
Outgoing mail: Backend mail server -> frontend mail server -> internet
(or if you want the outgoing mail to go directly to the internet you can just use the DNS MX records like I said: Backend -> internet)

##Does the Frontend have two NICs? One public (Internet facing) and one private for the domain?##
Not required but recommended.
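
The Postfix front-end flow described in the answer above (Internet -> front-end in the DMZ -> backend, with outgoing mail relayed back through the front-end as a smarthost) could be configured roughly as follows. This is an added example, not part of the original post; the hostname, domain, backend address and map file contents are constructed placeholders.

```conf
# /etc/postfix/main.cf on the DMZ front-end relay (added example; all names
# and addresses below are constructed placeholders, not from the thread)

myhostname = mx1.example.com

# The relay holds no mailboxes: disable local delivery entirely.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# Inbound: accept mail only for the organization's domain ...
relay_domains = example.com
# ... and hand it to the backend mail server named in the transport map.
# /etc/postfix/transport contains:
#   example.com   smtp:[10.0.0.25]:25
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients at the edge instead of accepting and bouncing later.
# /etc/postfix/relay_recipients contains one line per valid address, e.g.:
#   user@example.com   OK
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Outbound: only the backend server may use this host as a smarthost.
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.25/32

# Any other client may deliver to relay_domains only, so the host is not
# an open relay.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
```

After editing the map files, rebuild them with `postmap /etc/postfix/transport /etc/postfix/relay_recipients` and reload Postfix. With this layout the firewall between the DMZ and the internal network only needs to pass SMTP (TCP 25) between the relay and the backend address.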


With all due respect you can't install exchange server 2003 without it being in the domain. Frontend and backend comes only after that.

Where in this post has anyone mentioned exchange server 2003?
Where have I stated that I would install an exchange server that is not a member of the domain?
(Though this is absolutely functional having an exchange server that holds solely the edge server role to act as the front-end server, most likely located in the DMZ zone)

You can read more on this on Microsoft's knowledge base, one reference:

shajidali, you can have your opinions which you are entitled to likewise we all technicians / specialists have ours. But do not comment on things that have not been said nor stated as facts.
I am simply giving the user, which in this case is lazik, two things:
1. My opinion based on my experience, and not technical facts, on what he is asking
2. Options and possibilities which are stated on facts from Microsoft

Jeff Beckham (Engineer) commented:
JC - Front-end/back-end server terminology typically implies Exchange Server 2003 front-end and back-end server "roles".

If we are talking 2003, then quite a while ago Microsoft used to recommend/support placing the 2003 FE in a DMZ and the 2003 BE on the internal network but this is generally no longer a recommended configuration.

If we are talking 2007/2010 then having Hub Transport (HT) roles and Client Access Server (CAS) roles separated from their Mailbox (MBX) role counterparts by a firewall isn't supported. The only thing that's supported in a DMZ is the Edge Transport (ET) role.

If by front-end you simply mean a hygiene (anti-spam, anti-virus) server/appliance or some other type of SMTP proxy then yes, they're typically placed in a DMZ.

You are right, I was simply stating general information regarding exchange servers, independent of which versions they were.

lazik (Author) commented:
Thank you all, I read and understand your points very well.