  • Exchange frontend/Backend and dedicated Anti-Spam

    Hi All,

    Just putting out some feelers to get some info on the best way to re-structure our Exchange architecture.

    We currently have 3 mail servers in our organisation. These provide OWA/OMA to users as well as normal MAPI connections. They sit on the internal network. We have a Fortimail anti-spam device that sits in our DMZ that is the INCOMING SMTP server for our domain. All OUTBOUND mail is sent straight from the Exchange boxes to the internet.

    We want to re-architect our Exchange organisation. One thing we want to achieve is a more secure front-end/back-end system.

    Does anyone have any best practices on how to achieve this? Also, I am a little unclear on how the anti-spam device will fit into the design.

    I would want all incoming SMTP messages to go through the AS box, but all OWA and OMA etc. requests to go through the Front-end servers, which would also sit in the DMZ.

    Any info on this, things to watch out for or recommendations would be excellent,

    Cheers

    Jonathan
    MCSA/MCSE 2000
    MCSA/MCSE 2003
    CCNA

    I love pies.

  • #2
    Re: Exchange frontend/Backend and dedicated Anti-Spam

    Why do you think frontend/backend is more secure?
    Why do you think putting an Exchange server in the DMZ is more secure?

    I have been waiting for someone to answer the second question for a very long time, even so-called "security consultants" who tell their clients to do that, then when challenged go quiet as to how it improves the security. Just because something is in the DMZ doesn't mean it is more secure.

    If you are happy to have port 135, along with a large list of other ports open to a less secure network then you really need to consider your attitude to security. I work with financial companies who often ask for the same thing. I simply ask for port 135 to be open and they drop the idea very quickly.

    I have a popular blog post that goes into the reasons why putting an Exchange server in a DMZ is a bad idea here: http://www.sembee.co.uk/archive/2006/02/23/7.aspx

    Frontend servers should be deployed for load reasons, and to provide a single point of entry for Exchange based traffic - usually OWA, RPC over HTTPS, POP3 etc. You can also use them for SMTP email as well, and it is very common to have all outbound email go through the frontend server.

    I would stick with what you have for security of SMTP email.

    If you want to put something in between the internet and the production network then put an ISA server in the DMZ. That is what it was designed for. That server does not have to be a member of the domain, it can be part of a workgroup.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Exchange frontend/Backend and dedicated Anti-Spam

      Hi Simon,

      Thanks for getting back to me. I have been thinking about this overnight and here is what I have come up with.

      I would like to put a front-end Exchange server in our DMZ network that would then act as a single point of entry for OWA/OMA access to mailboxes. I have looked into using ISA, but need to justify costs and training etc. to the powers that be.

      The AS device would still relay all incoming SMTP requests to the internal servers from the DMZ (where it lives) so this would not change. I have also looked into using the AS device as a 'smarthost' and relaying all outbound SMTP connections through it. This seems like an advantage to me as it will provide a single way in and out for SMTP traffic to our network.

      I agree with your points about opening up a number of ports to the internal network; I want to try and limit this as much as possible.

      I admit that I am coming at this with little experience so am completely open to new ideas. I have set up Exchange front-ends in a DMZ before and, as you rightly say, it is because of countless recommendations that I do so.

      The more I look at it, the more I agree that ISA is the way forward. I need to look into fault tolerance for ISA, as this is a key deliverable of the project. We must be able to sustain the system if the ISA server goes face down in the dirt.

      Many thanks for your advice!

      Jonathan
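The "single way in and out for SMTP" design in the post above is only as good as the evidence that nothing bypasses it. The following is an added example, not code from the thread or from Fortinet: a small log check that reads firewall connection records and flags any accepted port-25 flow that enters or leaves the RFC 1918 space without going through the anti-spam appliance. The log line format, the 10.0.0.0/8 internal range, the appliance address 10.200.0.5 and the sample lines are all made up for the illustration; adapt the regex and the address constants to your own firewall.

```python
"""Check from firewall logs that SMTP only enters and leaves via the anti-spam
appliance (smarthost). Added example for this thread; the log format, addresses
and host roles below are constructed for illustration and are not the thread's.
"""
import ipaddress
import re

# Constructed topology: 10.0.0.0/8 is "ours" (LAN + DMZ); the appliance is the
# only host allowed to speak SMTP with the outside world in either direction.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
SMARTHOST = ipaddress.ip_address("10.200.0.5")   # the anti-spam box in the DMZ
SMTP_PORT = 25

# Constructed record shape:
#   "<ts> fw ACCEPT src=<ip> dst=<ip> proto=tcp spt=<n> dpt=<n>"
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)


def is_ours(ip):
    """True when the address lies inside the organisation's ranges."""
    return any(ip in net for net in INTERNAL)


def smtp_violations(lines):
    """Return (reason, line) for every accepted SMTP flow that bypasses the appliance.

    Dropped flows and lines that do not parse are ignored: the point is to find
    mail that actually got through without touching the smarthost.
    """
    found = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["action"] != "ACCEPT" or m["proto"] != "tcp":
            continue
        if int(m["dpt"]) != SMTP_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if is_ours(src) and not is_ours(dst) and src != SMARTHOST:
            # An internal or DMZ host delivering straight to the internet,
            # i.e. the "outbound mail goes direct from Exchange" state today.
            found.append(("outbound SMTP bypasses smarthost", line))
        elif not is_ours(src) and is_ours(dst) and dst != SMARTHOST:
            # Internet delivering straight to a mailbox server, skipping AS.
            found.append(("inbound SMTP bypasses anti-spam", line))
    return found


# Constructed sample log (TEST-NET addresses stand in for the internet).
SAMPLE_LOG = [
    "2007-03-12T09:14:02 fw ACCEPT src=10.1.0.21 dst=192.0.2.10 proto=tcp spt=4123 dpt=25",
    "2007-03-12T09:14:05 fw ACCEPT src=10.200.0.5 dst=198.51.100.7 proto=tcp spt=4200 dpt=25",
    "2007-03-12T09:14:09 fw ACCEPT src=203.0.113.9 dst=10.200.0.5 proto=tcp spt=51000 dpt=25",
    "2007-03-12T09:14:11 fw ACCEPT src=203.0.113.9 dst=10.1.0.22 proto=tcp spt=51001 dpt=25",
    "2007-03-12T09:14:15 fw ACCEPT src=10.1.0.50 dst=192.0.2.10 proto=tcp spt=4301 dpt=443",
    "2007-03-12T09:14:20 fw ACCEPT src=10.1.0.21 dst=10.200.0.5 proto=tcp spt=4310 dpt=25",
    "2007-03-12T09:14:25 fw DROP src=10.1.0.23 dst=192.0.2.44 proto=tcp spt=4400 dpt=25",
    "this line is not a firewall record at all",
]

if __name__ == "__main__":
    for reason, line in smtp_violations(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run it against a day of accepted-connection logs once the smarthost change is made; an empty result is the evidence that the firewall rules (only the appliance may talk on 25 in either direction) are actually doing what the design says.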


      • #4
        Re: Exchange frontend/Backend and dedicated Anti-Spam

        As for justification, it comes down to the attitude to security.
        If you put an Exchange server in the DMZ then you may as well not bother with the DMZ. The number of ports that you have to open is huge. The frontend server needs to communicate with all of the backend servers directly.
        You also have to change the configuration of all of the servers to use static ports.
        However if you put an ISA server in to the DMZ then the number of ports is limited to a handful (two or three at most).

        Did you read my blog post? That puts most people off the idea.

        Simon.
        --
        Simon Butler
        Exchange MVP

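The port-count argument in the reply above is easiest to see as the firewall rule set each design forces you to open from the DMZ into the internal network. The block below is an added example written for this thread, not code from the thread, from Sembee or from Microsoft: it models the two topologies and emits the DMZ-to-LAN rules each one needs. The port list for the front-end-in-DMZ case is this example's own summary of what an Exchange 2003 front-end has to reach (HTTP to the back-ends, RPC endpoint mapper plus either dynamic or registry-pinned RPC ports to back-ends and domain controllers, LDAP, global catalog, Kerberos and DNS to the DCs) and should be checked against the Exchange 2003 front-end/back-end topology guide for your own build; the host names, subnets and the "6001-6004" static range are constructed for the illustration.

```python
"""Firewall rules implied by the two designs argued over in this thread.

Added illustration, not the thread's, Sembee's or Microsoft's code. The port
lists are this example's summary of what an Exchange 2003 front-end in a DMZ
must reach on the LAN; verify them against your own build. Names are made up.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: str      # single port ("443") or an inclusive range ("1024-65535")
    purpose: str


# Constructed names: one DMZ, three internal mailbox servers, two DCs.
INTERNET = "any"
FE_DMZ = "fe01.dmz"          # Exchange front-end placed in the DMZ (design 1)
ISA_DMZ = "isa01.dmz"        # ISA server, workgroup member, in the DMZ (design 2)
FE_LAN = "fe01.corp"         # the front-end kept on the LAN behind ISA
BACKENDS = ("mbx01.corp", "mbx02.corp", "mbx03.corp")
DCS = ("dc01.corp", "dc02.corp")


def rules_frontend_in_dmz(static_rpc: bool = True) -> list[Rule]:
    """Rules for an Exchange 2003 front-end living in the DMZ.

    static_rpc=True assumes RPC ports have been pinned in the registry on
    every back-end and DC (the constructed range 6001-6004 stands in for
    whatever you pinned); False is the out-of-the-box dynamic RPC range.
    """
    rpc_ports = "6001-6004" if static_rpc else "1024-65535"
    rules = [Rule(INTERNET, FE_DMZ, "443", "OWA/OMA/RPC-over-HTTPS from the internet")]
    for be in BACKENDS:
        rules += [
            Rule(FE_DMZ, be, "80", "HTTP proxying of OWA/OMA to back-end"),
            Rule(FE_DMZ, be, "135", "RPC endpoint mapper"),
            Rule(FE_DMZ, be, rpc_ports, "RPC to back-end (store, DSProxy)"),
        ]
    for dc in DCS:
        rules += [
            Rule(FE_DMZ, dc, "389", "LDAP to domain controller"),
            Rule(FE_DMZ, dc, "3268", "LDAP to global catalog"),
            Rule(FE_DMZ, dc, "88", "Kerberos"),
            Rule(FE_DMZ, dc, "53", "DNS"),
            Rule(FE_DMZ, dc, "135", "RPC endpoint mapper (netlogon, DSAccess)"),
            Rule(FE_DMZ, dc, rpc_ports, "RPC to domain controller"),
        ]
    return rules


def rules_isa_in_dmz() -> list[Rule]:
    """Rules when a workgroup ISA server in the DMZ publishes an internal front-end."""
    return [
        Rule(INTERNET, ISA_DMZ, "443", "OWA/OMA/RPC-over-HTTPS from the internet"),
        Rule(ISA_DMZ, FE_LAN, "443", "ISA web publishing to the internal front-end"),
    ]


def dmz_to_lan(rules: list[Rule]) -> list[Rule]:
    """Only the rules that cross from the DMZ into the internal network."""
    return [r for r in rules if r.src != INTERNET]


def render(rules: list[Rule]) -> list[str]:
    """Cisco-style ACL lines, one per rule (illustrative syntax only)."""
    out = []
    for r in rules:
        src = "any" if r.src == INTERNET else f"host {r.src}"
        lo, _, hi = r.dport.partition("-")
        match = f"range {lo} {hi}" if hi else f"eq {lo}"
        out.append(f"permit tcp {src} host {r.dst} {match}  ! {r.purpose}")
    return out


if __name__ == "__main__":
    for name, rules in (("front-end in DMZ", rules_frontend_in_dmz()),
                        ("ISA in DMZ", rules_isa_in_dmz())):
        print(f"== {name}: {len(dmz_to_lan(rules))} DMZ->LAN rules")
        for line in render(rules):
            print(line)
```

With three back-ends and two DCs the front-end design needs 21 DMZ-to-LAN permits even after pinning RPC ports, including 135 and an RPC range to every mailbox server and DC; the ISA design needs one, on 443, to a host that can itself be a workgroup member. Printing the rule set is a useful thing to put in front of whoever has to sign off the firewall change.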


        • #5
          Re: Exchange frontend/Backend and dedicated Anti-Spam

          I did, thanks for all the info.

          I am in the process of coordinating some pre-project get-togethers so that I can identify EXACTLY what the business wants to achieve with this, then I will start putting a proposal together. I think I will definitely push ISA for the front-end scenario if that's what is wanted.

          That's one of the main hurdles, the other is the decision on whether to virtualise the back-end or not....


          • #6
            Re: Exchange frontend/Backend and dedicated Anti-Spam

            Hello again.

            On the subject of Exchange redesigns etc....

            We need to be able to use RPC/HTTP to allow our users access using OUTLOOK 2003.
            Can anyone tell me whether we should host this (RPC Proxy) on a front-end server or whether we can host all of these services on a single back-end?

            There are roughly 1000 mailboxes on the server; we need to offer OMA, OWA and RPC/HTTP access, IMAP and SMTP.

            I am putting together some basic designs and would like some good reasons for and against using dedicated front-ends...

            Any info much appreciated

            Cheers

            Jonathan


            • #7
              Re: Exchange frontend/Backend and dedicated Anti-Spam

              On that number of users I would be looking at frontend servers. I get to about 250 - 300 before I start talking about frontend servers.

              Simon.
              --
              Simon Butler
              Exchange MVP



              • #8
                Re: Exchange frontend/Backend and dedicated Anti-Spam

                Hi again,

                Thanks for all the advice, it's really helpful. Can you tell me if there is an MS article anywhere that advises using a front-end/back-end design when you reach a certain mailbox number?

                I need to find some evidence to put into a business case for the boss to justify the design.

                At present, they are keen to minimise the number of servers we have, so they are looking at having a single Exchange box: 1000+ mailboxes, 300+ public folders, OWA, OMA and RPC/HTTP. It sounds like it will be a very busy box so I need to justify removing some of the load from it...


                • #9
                  Re: Exchange frontend/Backend and dedicated Anti-Spam

                  Microsoft don't give numbers on anything.
                  You will not find anything about mailbox sizes, server sizing or anything like that, because every site is different.

                  That is where a good quality Exchange consultant comes in, someone who knows how to size a server.

                  What I would do for 2000 staff who are all office based is very different to what I would do for 1500 with 50% off site at any one time.
                  There are no hard and fast rules.

                  A single machine doing all that work will perform very badly. It will be thrashing its hard disks. Remember you cannot throw lots of power at Exchange 2003: a single processor with 2 GB of RAM is good enough for most installations, I rarely do anything else because Exchange will not use it.

                  While they want to minimise the numbers of servers, look at this from a cost point of view.

                  What does it cost the company per hour when no one can email?
                  What about if that number was halved - so half the company can email?

                  If you load everything onto one box you have a very large single point of failure. In the event of a disaster you have a lot of data to recover.
                  You may also have problems with backups and the time window.

                  There are just so many issues to be taken in to account, not just technical ones.

                  Simon.
                  --
                  Simon Butler
                  Exchange MVP



                  • #10
                    Re: Exchange frontend/Backend and dedicated Anti-Spam

                    Hi again,

                    I agree with your points.

                    Here comes the next biggie then...... Exchange will be running on VMWARE ESX server on a mirrored SAN.

                    That takes care of the fault tolerance/Failover scenario as there will always be a mirror image of the server on our other SAN should anything go wrong.

                    As for the performance hit, I too am worried. It seems like an awful lot for one box to be dealing with. I am just writing up the report on it now so will mention this...

                    Many thanks


                    • #11
                      Re: Exchange frontend/Backend and dedicated Anti-Spam

                      The use of VMWARE puts you well into the realm of being unsupported. I don't care what people say, I am still not doing Exchange on virtual machines for anything other than lab work.

                      1000 mailboxes on a virtual machine, the performance will be awful. I wouldn't even dare to suggest that to a client, and if a client insisted I would walk away. Let some other consultant do it and take the hit when it doesn't perform as expected.

                      Simon.
                      --
                      Simon Butler
                      Exchange MVP
