Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Implmentation of OWA and RPC over HTTPS

  • Filter
  • Time
  • Show
Clear All
new posts

  • Implmentation of OWA and RPC over HTTPS

    Hey all,

    I have a question regarding of how to best implement the solution.

    We currently have 2 exchange 2003 nodes in a cluster. Both are not apart of HTTP-RPC topolgy. The domain is based on Windows 2003.

    The questions:

    1. Does turning the cluster to back-end have any effects on the cluster? Is there a way that it can cause damage to the cluster (also in case we want to get back to the old configuration).

    2. Using the following Microsoft recommended topology.
    How can I best isolate (by security means) the Front-End from my internal network and my Back-End cluster? Should I put the Front-End in a VLAN or just use a cross cable between the Front-End and the ISA? What does Microsoft recommend by this sketch?

    Here is want I think I should do:

    Any help will be appropriated.


  • #2
    Re: Implmentation of OWA and RPC over HTTPS

    nice start wth the drawing. planning on paper is just good practice!

    1. the cluster will not be affected by the addition of a FE server. after you check the box to designate the front-end, you will have to reboot the server for the changes to take effect. the back-end(s) will be the same...

    and to be safe, do one thing at a time. designate the front-end and reboot, then check the RPC topology button... not both at the same time. you always want to give the cluster time to synchronize when changes are made, like allowing for replication latency...

    you probably have already beat this pafe to death, but go ahead and checkit. if you havent seen it, bookmark it... it will come in handy.
    Considerations When Deploying a Front-End and Back-End Topology

    2. hmmm. i dont know if you really want to 'isolate' your front-end per say... but there are steps you can take to secure and encrypt traffic between the front end and back. there are several walk-thrus and threads about that here...
    basically, you need to staticly set the ports utilized between the FE<->BE. then, create an IPSec policy identifying the (in your case) the cluster address and the front end. this needs to be done both ways, for communication coming and going... stop the unneeded services on the front end and set them to manual or disabled, remove the mail store, and tell the Fe to stop public folder referals....
    im sure ive missed a buttload of things, but it just cause d. Petris post on the site is much easier to read and follow. did i mention it has pictures? heehee...

    i hope you dont mean that you want to deploy your FE into the DMZ. that would be a shame... remember that a FE server is stil a domain member, and to remain a domain member you will need some pretty important ports open... this in itself is a security risk, so imo (and lots of others here):
    securing a network by placing a server in the DMZ is one step foward, two steps back. its oxymoronic in design... if you wouldnt put your workstation in the DMZ, dont put your server there.

    isolation via a separate vlan isnt a bad idea, but maybe i say that because that is how mine is setup.

    we also have policies for access to the front end. i utilize an ironport mail gateway appliance, so my front end is only there for OWA and activesync pocketpcs. the firewall will not allow any connections to the backend directly, so that traffic can be forced thru an appliance route and get scaned and whatever...

    hope that helps you some... its late, so sorry if anything sounded retarded. catch ya tomorrow.
    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...


    • #3
      Re: Implmentation of OWA and RPC over HTTPS

      Hey again, thanks for the reply.

      I have few questions in addition to your reply

      Since I am preparting a virtual enviroment for this:

      1. I want a quick "get back" procedure, so I still want the option that the clients from the internal network can connect directly to the back-end servers without being depend on the FE server. I don't want the process of implementing the solution to interfear with the working environment. After I get the FE <-> BE environment working correctly and stable I will consider to refer internal clients to the FE server. Getting back after installing the FE and settings the cluster to BE is just setting the BE to not be apart of RPC and HTTPS environment and delete the FE from the exchange DB? Are there any other points?

      2. The cluster is configurated to relay SMTP traffic to a seperated mail relay (that filter content). Users who will use the Front-End services from the Internet will continue to to refer SMTP traffic to the MAIL relay (just as it is now)? As I understand from the MS documenation, the FE server is just an IIS server with Exchange connection to the BE, so outgoing traffic will continue to relay to the seperated content filter (just as it is now)?

      3. Regarding the FE installation, what should I do first? Set the cluster as a BE and then install the FE server? How can I set the FE not to store mailbox's?
      In short, do you know any documented installation of step by step (even if not bit by bit)? I searched the site but I haven't found something interested other then how to publish OWA in ISA firewall, which is a small part of the whole procedure.
      If you can list, or refer me to a site you know (or used) for all the whole procedure, even in highlights it will be great

      4. By the sketch I drawen before (MSPAINT is free ) if i will put the FE on a VLAN inside our network, who will do the routing? Who is doing the routing in your FE VLAN? you got dedicated VLAN for the FE?
      This is something which I still don't understand. In the MS recommended sketch, they put the FE on the internal network, did they recommend that it shouldn't be seperated inside the Internal network?

      Much thanks!



      • #4
        Re: Implmentation of OWA and RPC over HTTPS

        1. i think i see what your getting at.. like, you dont want to implement something that will take the whole system down to undo...
        that shouldnt be a problem. the front end can be moved around, brought up and down, and even deleted with ADSI and it wont have any effect on the mail flow, assuming you dont route all the mail thru the FE.

        work on getting the FE and OWA working. once this is configured to your liking, then work on the RPC. i only say this because the front end switch wont effect the BE, but i dont know about the RPC topology button... maybe someone else will chim in with some recommendations on that... but the above is how i did it, and it worked fine. i actually went thru 3 front end servers and never had to stop, reboot, or interrupt any mail flow. i created on on an existing webserver (which hosed the my whole plan) and i had to start over... i just used ADSI and deleted the hosed server and it disappeared from my System Manager and i went on to the next one...

        2. i dont know microsofts offical answer, but i think that is a valid statement. the front-end just handles requests from the internet (or internal) to the back-end. it also handles the SSL decryption for the site, relieving the chore from the BE.

        3. i would set the front end switch first. you need to have OWA up before you start the RPC setup, so might as well do it first... then handle the RPC. if you do it the other way, then changes must be reverted on the back-end prior to continuing if somehting is hosed... with the FE switch, the changes are on the FE, not the BE... but thats just my opinion. maybe someone here has some input on that as well..

        4. i dunno.. im not the network guy. but this is how mine is going... the webservers, the FE, the FTP and the RADIUS all offer a service to the internet, so i have them on a separate VLAN. i suppose all this is handled by the cluster of 4 3750 cisco layer 3 switches... routing is out of my league as far as networking goes. i dont know anything about it besides concepts and theory. or do you man message routing? well, like i said, i use an ironport as my mail gateway... before that i used the FE as the SMTP smarthost... now its the ironport.

        see the attached thumbnail for me visio of the setup i have goin on...
        Attached Files
        its easier to beg forgiveness than ask permission.
        Give karma where karma is due...


        • #5
          Re: Implmentation of OWA and RPC over HTTPS

          Thanks for the detailed help! You are a life saver

          Still one more issue is left unanswered. Maybe you can shade a light on this.
          We want an internal CA (not public), yes I know we have to handle certificate importing, but it saves money.... so as I understand, and correct me if I'm wrong, there are 2 certificates which I need to generate from my internal CA. One for the ISA, and the other for the FE.
          In our case, we got a domain name which is different from the Internet domain. Our inside domain is for example, and our outside domain is If i will create a record on the Internet DNS servers (IP of ISA server) I will able to reach the ISA by it's name - mail, for ex.

          Now the question is: If I install the CA in our internal domain -, under what name I should generate the ISA certificate to make it valid when I import them to clients? Since the ISA is not apart of the internal domain and it must be accessed using the Internet domain - or fullname - (Clients will access from the Internet).

          If you can explain this issue it will be great!
          Last edited by syslog; 11th October 2007, 18:53.


          • #6
            Re: Implmentation of OWA and RPC over HTTPS

            i really wish i could help you here, but i have no experience with ISA server.

            i could speculate (i was gonna, but i dont wanna look too silly) but instead ill just let someone here answer that one. we have quite a few members that are very good with ISA server...

            as far as the CA, i ran a CA and used self-signed certs till just about a month ago. i didnt find it hard to manage or maintain. and it was saving us like 4K a server... i work for a govn agency, and it seems like we get charged a buttload more than most private organizations...

            i guess they see government and they figure they can charge us twice as much.

            good luck on the rest. i hope i helped you out some...

            its easier to beg forgiveness than ask permission.
            Give karma where karma is due...


            • #7
              Re: Implementation of OWA and RPC over HTTPS

              On the argument about SSL certificates - I never use an internally generated certificate for this feature.
              It doesn't really save you money - it does if you only use Verisign's overpriced certificates. However when you can get a certificate that is trusted by Windows for US$20 - US$60 depending on where you look, the "saving" doesn't seem very great compared to the hassle of getting it to work.
              I have done lots of work with clients who spend hours getting this feature to work with home grown certificates. Come in, put a commercial certificate in place and have it working in less than 30 minutes.

              Remember with frontend servers that they should always be the same or higher than the backend servers in versions. That includes major (service pack) and minor. If the backend servers were SP1 and then went to Sp2, then you should install the Exchange service packs on the frontend server in that order.

              A frontend server cannot store mailboxes. Once you have made it a frontend server no mailboxes will be stored on it. If there are mailboxes on the server then you cannot make it a frontend.

              You should not be looking to isolate the frontend server in any way. Frontend servers should NOT be deployed for security reasons. They are there to aid load and provide a single point of entry. If you want to put something in between the Exchange servers and the internet then use ISA - that is what it is designed for.

              Simon Butler
              Exchange MVP

              More Exchange Content:
              Exchange Resources List:
              In the UK? Hire me:

              Sembee is a registered trademark, used here with permission.