• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 495

Front End / Back End Exchange Question

We are a bit confused after reading many articles, documents and tutorials; it looks like we are missing an important piece in our setup. We created a DMZ in our SonicWall firewall and assigned the front end server to the DMZ. The back end is available to the DMZ because, for testing, we opened all the ports from the DMZ to the LAN.

We currently have configured:

Front End Exchange Virtual Dir to redirect to http://mail1 (Back End), which works great. So my co-workers can go to https://mail2, get asked for credentials, then get asked to log in to the back end server http://mail1 and then to Outlook Web Access.

We want to close outside access to the back end server so people will enter through the DMZ Front End Server and then find their way to the back end.

After reading many articles, especially the Microsoft "Configuring Front End Exchange 2003", it really doesn't show a step that I have to do for the two servers to talk to each other. It's like it has all the tools to do it. We also found out WebDAV was disabled, so I enabled it on both front end and back end, but the problem continues.

This is what I wrote on another site, msexchange, looking for the same help.

When we code the Virtual Directory for the /Exchange default web site to \\.\BackOfficeStorage, the front end (Mail2) asks for credentials and then gives us HTTP Error 404 - File or directory not found.

We also tried to code the Virtual Directory for the /Exchange to redirect to the back end URL (Mail) by using the FQDN mail.companyname.com/exchange. What happens next is Mail2 asks for credentials and then redirects to mail. But, with the firewall closed to the back end (mail.companyname.com/exchange), it fails. When the firewall is open to the back end and NAT is set to redirect mail.companyname.com/exchange to the back end, it works. But, service is being provided directly from the back end.

So our problem appears to be related to how the front end and the back end are communicating. How should the Local Path for the Exchange Virtual Directory be coded in a front end and back end configuration? Are there other dependencies?
Asked by: cgsit212
1 Solution
 
Brian B (Independent Technology Professional) commented:
To be quite honest, most Exchange system designers say you don't need an Exchange server front end as long as you have some other anti-spam protection. Most SonicWalls can do the anti-spam work and remove the complexity of having to deal with another server in your DMZ.
0
 
cgsit212 (Author) commented:
Understood. We are just trying to follow some PCI Compliance regulations, and one said that we should have a front end server while taking outside access to the back end for security. We want to finish this project; any help would be great.
0
 
cgsit212 (Author) commented:
I am also sorry, I should have put this in the Exchange zone.

This was a previous Experts Exchange thread which didn't get a solution, and I hope it doesn't happen to us.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21028185.html

He basically shows that the back end / front end server can't talk to each other. The firewall is extremely open for testing. Active Directory on the Front End does show the domain and everything under the domain. When you look for Exchange servers it shows both the back end and front end. I don't know if it's something I am missing.
0
 
Akhater commented:
I will be a bit hard, sorry, but Exchange was NEVER meant to be in a DMZ; the place of an Exchange server is INSIDE your network and not in a DMZ.
0
 
cgsit212 (Author) commented:
I read a lot of responses that follow your argument. Believe me, I would love to go back to the old way and remove this server. Thank God I am using virtual machines, so it's not much of a hassle. I am just trying to figure out why the front end is not connecting to the back end when I change the configuration on the Exchange virtual directory. Is there something I am missing: a tool, a configuration, anything?
0
 
cgsit212 (Author) commented:
If you have a valuable suggestion/articles/documents that would benefit us to pass PCI compliance by doing something with our back end server that enables our users to connect to OWA from outside and still be secure and following the regulations PCI wants us to follow.
0
 
Akhater commented:
An Exchange server in a DMZ is more of a threat than security;

for it to work you will need to open your firewall like Swiss cheese, leaving it totally useless.

Can you please tell me what security concern you are trying to overcome by putting Exchange in a DMZ, and I will try to help you with it?
0
 
Akhater commented:
> If you have a valuable suggestion/articles/documents that would benefit us to pass PCI compliance by doing something with our back end server that enables our users to connect to OWA from outside and still be secure and following the regulations PCI wants us to follow.

You posted this while I was writing my last post, so here is the answer.

All you need to do is put a reverse proxy in your DMZ (like ISA or TMG). In that way all OWA/ActiveSync connections will be terminated ON the proxy server and no connection will be made to the internal network from outside directly. Additionally, you will need ONLY port 443 open between your DMZ and your LAN, and that's MUCH more secure than what you need to open to make Exchange in a DMZ work.
0
 
cgsit212 (Author) commented:
It's a requirement that PCI Compliance is asking us to do. This is why we have been trying so hard to accomplish this project. It states it's a more secure way for our mailboxes not to be hacked. We even followed Microsoft's way and did everything they state on how to create a front end and maintain it, but it just doesn't work. My partner and I totally agree with you 100%, but PCI is just pushing us to get it done. We were thinking maybe a proxy server, or to use Apache as a proxy server.
0
 
cgsit212 (Author) commented:
> All you need to do is put a reverse proxy in your DMZ (like ISA or TMG). In that way all OWA/ActiveSync connections will be terminated ON the proxy server and no connection will be made to the internal network from outside directly. Additionally, you will need ONLY port 443 open between your DMZ and your LAN, and that's MUCH more secure than what you need to open to make Exchange in a DMZ work.

This is a great response; we have been thinking about this and I am going to use it as a solution, but to me it's not really an answer for my actions. What am I supposed to do? Do I keep my front end server? What do I do with it? Why isn't it talking to the back end? If you can just clarify this for us a bit, maybe a document to read or something so we can better understand. Sorry.
0
 
Akhater commented:
> We were thinking maybe a proxy server, or to use Apache as a proxy server.

That is the way to go.

Talking about PCI, I have this setup running at many banks and none had an issue getting through PCI, so I'd say push for it, even get MS involved; it is the correct way to do things.
0
 
cgsit212 (Author) commented:
Great answer we feel this will solve our exchange front end / back end dilemma.
0
 
cgsit212 (Author) commented:
You have provided me with the answer. Do you have any documents, or just a bit more information on how I should start? What should I do with my front end server? Anything to get me started.
0
 
Akhater commented:
> Do I keep my front end server?

If you have only one Exchange back end server, then the front end is a total loss of money; if you have more than one back end server, put your front end inside your network and all should work for you.
0
 
cgsit212 (Author) commented:
We have no problem removing the front end server and just erasing that machine. We want to know about the reverse proxy. Any documentation on that? Do I have to install a Linux virtual machine? I am sorry, just a bit more information.
0
 
Akhater commented:
This will get you started with Apache and Exchange 2003 publishing:

http://3cx.org/item/46
http://blog.scottlowe.org/2005/12/03/protecting-owa-with-apache/

If I can help with anything else, let me know.
0
 
Akhater commented:
0
 
cgsit212 (Author) commented:
Thank you so much. Been a huge help!!
0
 
cgsit212 (Author) commented:
Hope you see this response, but am I installing ISA on the back end server?
0
 
cgsit212 (Author) commented:
Sorry, I just missed that sentence in the ISA article.
0
 
Akhater commented:
So I take it all is fine?
0
 
cgsit212 (Author) commented:
Yup, I am reading through all the documentation and starting to set up Ubuntu with apache2.
0
 
cgsit212 (Author) commented:
I was hoping that you are still following this thread, as I have just one problem/question.

So I read your articles; they are great and a big help. I kind of hit a wall where the articles don't explain. I go to the IP address of the proxy server, let's say 192.168.0.0/exchange; it is supposed to redirect to internal1.domain.com/exchange, right? But for some reason, when I go to 192.168.0.0/exchange it prompts me for my credentials, then in Firefox I get the OWA website look but the frames show Invalid Hostname.

On Internet Explorer I get HTTP 400 (This error (HTTP 400 Bad Request) means that Internet Explorer was able to connect to the web server, but the webpage could not be found because of a problem with the address.)

If you have encountered this and it is an easy fix, please let us know. I will continue to investigate.
0
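The reverse-proxy layout Akhater describes (OWA terminated on a DMZ host, with only 443 open from the DMZ to the LAN) and the host-header handling behind the "Invalid Hostname" symptom in the last post, as an added Apache 2.2 configuration example. This is not configuration from the thread, from the linked articles, or from any named product; it assumes the public name owa.example.com, the certificate paths shown, Apache 2.2 access-control syntax (the Ubuntu release of that time), and that the back end internal1.domain.com (the name used in the last post) serves OWA over HTTPS on 443 so the DMZ-to-LAN rule can be restricted to that single port.

```apache
# Added example, not from the thread or the linked articles.
# Apache 2.2 reverse proxy on a DMZ host publishing Exchange 2003 OWA.
# Assumed names: owa.example.com (public name), internal1.domain.com
# (back end, as named in the thread), certificate and log paths.
# Modules needed: ssl, proxy, proxy_http, headers.

# Plain HTTP only bounces browsers to HTTPS; nothing is proxied in clear.
<VirtualHost *:80>
    ServerName owa.example.com
    Redirect permanent / https://owa.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName owa.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/owa.example.com.crt    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/owa.example.com.key  # assumed path

    # Reverse proxy only. "ProxyRequests On" would turn this DMZ host into an
    # open forward proxy reachable from the Internet.
    ProxyRequests Off

    # The hop to the back end is itself TLS on 443, so the DMZ->LAN firewall
    # rule can be limited to that one port.
    SSLProxyEngine On

    # Off (the default) makes Apache send "Host: internal1.domain.com" to the
    # back end, i.e. the name its IIS site is bound to. With On, the back end
    # would receive whatever name the client typed (the proxy's IP address in
    # the last post). IIS answers a request whose Host header matches no site
    # binding with "400 Bad Request (Invalid Hostname)", so this directive is
    # the first thing to check for that symptom.
    ProxyPreserveHost Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Publish only the OWA paths. Any other path is answered by the proxy
    # itself and never forwarded, so the rest of the back end stays hidden.
    ProxyPass        /exchange  https://internal1.domain.com/exchange
    ProxyPassReverse /exchange  https://internal1.domain.com/exchange
    ProxyPass        /exchweb   https://internal1.domain.com/exchweb
    ProxyPassReverse /exchweb   https://internal1.domain.com/exchweb
    ProxyPass        /public    https://internal1.domain.com/public
    ProxyPassReverse /public    https://internal1.domain.com/public
    # ActiveSync: keep only if mobile devices actually use it.
    ProxyPass        /Microsoft-Server-ActiveSync https://internal1.domain.com/Microsoft-Server-ActiveSync
    ProxyPassReverse /Microsoft-Server-ActiveSync https://internal1.domain.com/Microsoft-Server-ActiveSync

    # ProxyPassReverse rewrites Location headers, so the back end's redirect
    # to /exchange/<user>/ reaches the client under the public name instead
    # of leaking the internal one. Session cookies get the same treatment.
    ProxyPassReverseCookieDomain internal1.domain.com owa.example.com

    # Land on OWA from the bare host name.
    RedirectMatch ^/$ /exchange/

    # mod_proxy_http adds X-Forwarded-For on its own; X-Forwarded-Proto tells
    # the back end the client arrived over TLS.
    RequestHeader set X-Forwarded-Proto "https"

    CustomLog /var/log/apache2/owa_access.log combined   # assumed path
</VirtualHost>
```

On Ubuntu this goes under sites-available, followed by a2enmod for ssl, proxy, proxy_http and headers, a2ensite, and a reload. Two checks are worth doing once it answers: a request for a path outside the published ones (say /iisadmin) must show up only in the proxy's log and never in the back end's IIS log, and the firewall should log nothing from the DMZ host to the LAN other than 443 to internal1.domain.com.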
