cgsit212
Front End / Back End Exchange Question

We are a bit confused after reading many articles, documents and tutorials; it looks like we are missing an important piece in our setup. We created a DMZ in our SonicWall firewall and assigned the front end server to the DMZ. The back end is available to the DMZ because, for testing, we opened all the ports from the DMZ to the LAN.

We currently have configured:

Front End Exchange Virtual Dir to redirect to http://mail1 (Back End), which works great. So my co-workers can go to https://mail2, are asked for credentials, are then asked to log in to the back end server http://mail1, and then get to Outlook Web Access.

We want to close outside access to the back end server so people will enter through the DMZ Front End Server and then find its way to the back end.

After reading many articles, especially the Microsoft "Configuring Front End Exchange 2003", it really doesn't show a step that I have to do for the two servers to talk to each other. It's like it has all the tools to do it. We also found out WebDAV was disabled, so I enabled it on both front end and back end, but the problem continues.

This is what I wrote on another site, msexchange, looking for the same help.

When we code the Virtual Directory for /Exchange on the Default Web Site to \\.\BackOfficeStorage, the front end (Mail2) asks for credentials and then gives us HTTP Error 404 - File or directory not found.

We also tried to code the Virtual Directory for /Exchange to redirect to the back end URL (Mail) by using the FQDN mail.companyname.com/exchange. What happens next is Mail2 asks for credentials and then redirects to mail. But with the firewall closed to the back end (mail.companyname.com/exchange) it fails. When the firewall is open to the back end and NAT is set to redirect mail.companyname.com/exchange to the back end, it works. But then service is being provided directly from the back end.

So our problem appears to be related to how the front end and the back end are communicating. How should the Local Path for the Exchange Virtual Directory be coded in a front end / back end configuration? Are there other dependencies?
Brian B

To be quite honest, most Exchange system designers say you don't need an Exchange server front end as long as you have some other anti-spam protection. Most SonicWalls can do the anti-spam work and remove the complexity of having to deal with another server in your DMZ.
cgsit212

Understood. We are just trying to follow some PCI Compliance regulations, and one said that we should have a front end server while taking outside access to the back end away for security. We want to finish this project; any help would be great.
I am also sorry I should have put this in the Exchange zone.

This was a previous Experts Exchange thread which didn't get a solution, and I hope it doesn't happen to us.

https://www.experts-exchange.com/questions/21028185/Front-end-and-Back-end-E2k3-Servers-Are-Not-Talking.html

He basically shows that the back end / front end servers can't talk to each other. The firewall is extremely open for testing, and Active Directory on the Front End does show the domain and everything under the domain. When you look for Exchange servers it shows both the back end and front end. I don't know if it's something I am missing.
I will be a bit hard, sorry, but Exchange was NEVER meant to be in a DMZ; the place of an Exchange server is INSIDE your network and not in a DMZ.
I read a lot of responses that follow your argument. Believe me, I would love to go back to the old way and remove this server. Thank god I am using virtual machines, so it's not much of a hassle. I am just trying to figure out why the front end is not connecting to the back end when I change the configuration on the Exchange virtual directory. Is there something I am missing, a tool, a configuration, anything?
If you have a valuable suggestion, articles or documents that would benefit us in passing PCI compliance by doing something with our back end server that enables our users to connect to OWA from outside and still be secure and follow the regulations PCI wants us to follow, please share them.
An Exchange server in a DMZ is more of a threat than security;

for it to work you will need to open your firewall like Swiss cheese, leaving it totally useless.

Can you please tell me what security concern you are trying to overcome by putting Exchange in a DMZ, and I will try to help you with it?
It's a requirement that PCI Compliance is asking us to meet. This is why we have been pushing hard to accomplish this project. It states it's a more secure way for our mailboxes not to be hacked. We even followed Microsoft's way and did everything they state on how to create a front end and maintain it, but it just doesn't work. My partner and I totally agree with you 100%, but PCI is just pushing us to get it done. We were thinking maybe a proxy server, or using Apache as a proxy server.
"All you need to do is put a reverse proxy in your DMZ (like ISA or TMG); in that way all OWA/ActiveSync connections will be terminated ON the proxy server and no connection will be made to the internal network from outside directly. Additionally, you will need ONLY port 443 open between your DMZ and your LAN, and that's MUCH more secure than what you need to open to make Exchange in a DMZ work."

This is a great response; we have been thinking about this. I am going to use it as a solution, but to me it's not really an answer for my actions. What am I supposed to do? Do I keep my front end server? What do I do with it, and why isn't it talking to the back end? If you can just clarify this for us a bit, maybe a document to read or something so we can better understand. Sorry.
> We were thinking maybe a proxy server, or using Apache as a proxy server.

is the way to go.

Talking about PCI, I have this setup running at many banks and none had an issue getting through PCI, so I'd say push for it, even get MS involved; it is the correct way to do things.
Great answer; we feel this will solve our Exchange front end / back end dilemma.
You have provided me with the answer. Do you have any documents or just a bit more information on how I should start? What should I do with my front end server? Anything to get me started.
> Do I keep my front end server?

If you have only one Exchange back end server, then the front end is a total loss of money; if you have more than one back end server, put your front end inside your network and all should work for you.
We have no problem removing the front end server and just erasing that machine. We want to know about the reverse proxy. Any documentation on that? Do I have to install a Linux virtual machine? I am sorry, just a bit more information.
This will get you started with Apache and Exchange 2003 publishing:

http://3cx.org/item/46
http://blog.scottlowe.org/2005/12/03/protecting-owa-with-apache/

If I can help with anything else, let me know.
Thank you so much. Been a huge help!!
Hope you see this response, but am I installing ISA on the back end server?
Sorry, I just missed that sentence in the ISA article.
So I take it all is fine?
Yup, I am reading through all the documentation and starting to set up Ubuntu with Apache2.
I was hoping that you are still following this thread as I have just one problem/question.

So I read your articles; they are great and a big help. I kind of hit a wall where the articles don't explain. I go to the IP address of the proxy server, let's say 192.168.0.0/exchange, and it is supposed to redirect to internal1.domain.com/exchange, right? But for some reason when I go to 192.168.0.0/exchange it prompts me for my credentials, then in Firefox I get the OWA website look but the frames show Invalid Hostname.

On Internet Explorer I get HTTP 400 (This error (HTTP 400 Bad Request) means that Internet Explorer was able to connect to the web server, but the webpage could not be found because of a problem with the address.)

If you have encountered this and it is an easy fix, please let us know. I will continue to investigate.
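As an added example, not from this thread or from the linked articles: an Apache 2.2 virtual host of the kind the reverse-proxy answer above describes, running on the DMZ host and publishing only the OWA paths of an Exchange 2003 back end. The public name owa.example.com, the back end name internal1.example.com, the certificate paths and the Ubuntu module commands are placeholders I assumed, not values from the thread. Client TLS terminates on the proxy, and the proxy opens its own HTTPS connection to the back end, so the DMZ-to-LAN rule only needs TCP/443 to the back end. One point relevant to the last post: http.sys/IIS answers "400 Bad Request (Invalid Hostname)" when the Host header of a request matches no binding on the site, so the name Apache forwards must be one the back end's Default Web Site is bound to; with ProxyPreserveHost left Off (the default) Apache sends the back end's own name rather than the address the user typed.

```apache
# Added example (not the thread's or the articles' own config).
# Ubuntu/Apache 2.2: enable the modules first with
#   a2enmod ssl proxy proxy_http
# and place this file under /etc/apache2/sites-available/.

# Never act as an open forward proxy; only the reverse-proxy paths below are served.
ProxyRequests Off

<VirtualHost *:443>
    # Public name clients connect to (placeholder).
    ServerName owa.example.com

    SSLEngine on
    # Certificate/key paths are placeholders.
    SSLCertificateFile    /etc/apache2/ssl/owa.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa.example.com.key

    # Needed so Apache can open HTTPS connections to the back end itself.
    SSLProxyEngine on

    # Send the back end's own name in the Host header (the default).
    # The name must match a host header binding on the back end's IIS site,
    # otherwise http.sys returns "400 Bad Request (Invalid Hostname)".
    ProxyPreserveHost Off

    # Publish only the three paths OWA 2003 uses; nothing else on the
    # back end is reachable through the proxy.
    <Location /exchange>
        ProxyPass        https://internal1.example.com/exchange
        ProxyPassReverse https://internal1.example.com/exchange
    </Location>
    <Location /exchweb>
        ProxyPass        https://internal1.example.com/exchweb
        ProxyPassReverse https://internal1.example.com/exchweb
    </Location>
    <Location /public>
        ProxyPass        https://internal1.example.com/public
        ProxyPassReverse https://internal1.example.com/public
    </Location>

    # Send users who type only the host name straight to OWA.
    RedirectMatch ^/$ /exchange/

    ErrorLog  /var/log/apache2/owa-error.log
    CustomLog /var/log/apache2/owa-access.log combined
</VirtualHost>
```

Enable the site with `a2ensite` and reload Apache. To confirm the design goal, the only rule the firewall should need from the DMZ host to the LAN is TCP/443 to internal1.example.com; if the proxy also works with everything else from the DMZ blocked, the back end is no longer reachable from outside except through the published paths.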