2003 FE server as an extra layer of security

  • 2003 FE server as an extra layer of security

    We are running Ex2003 Ent in a 2 node cluster.

    Our management staff is pushing hard for us to allow external access to email via OWA.

    When we eventually set up OWA for external access we will of course purchase a public SSL Certificate to encrypt the traffic.

    My question is this.

    What are the benefits, from a security standpoint, of adding a FE server?

    Should the FE server be in a DMZ? (I would think so)

    When we've opened up ports on our firewall in the past we've been lucky enough to have a list of source networks so when we open those ports we only open them to specific networks. Allowing external access to OWA will involve opening the port to anyone. Not something I look forward to.

    How have you implemented external access to OWA in your own organizations?
    CCA: XenApp 5.0

  • #2
    Re: 2003 FE server as an extra layer of security

    We have 2 FE's that are network load balanced. We use ISA Server 2006 to publish OWA.


    • #3
      Re: 2003 FE server as an extra layer of security

      Originally posted by bill_sffcu
      We are running Ex2003 Ent in a 2 node cluster.

      Our management staff is pushing hard for us to allow external access to email via OWA.

      When we eventually set up OWA for external access we will of course purchase a public SSL Certificate to encrypt the traffic.

      My question is this.

      What are the benefits, from a security standpoint, of adding a FE server?

      Should the FE server be in a DMZ? (I would think so)

      When we've opened up ports on our firewall in the past we've been lucky enough to have a list of source networks so when we open those ports we only open them to specific networks. Allowing external access to OWA will involve opening the port to anyone. Not something I look forward to.

      How have you implemented external access to OWA in your own organizations?
      Good starting point can be found here
      Hope this helps!!!


      • #4
        Re: 2003 FE server as an extra layer of security

        I have the FE server sitting on the same network as the BE. Firewall port opened to pass any SSL traffic to it. We haven't had any problems with opening the port to this server.


        • #5
          Re: 2003 FE server as an extra layer of security

          Thanks for the link pardal.

          The article was fairly clear, putting Exchange (even a FE) server in a DMZ does not make sense.

          Looking through his article I see no real reason, for security purposes, for installing a FE server into our environment. Our current Exchange server does just fine, in fact it's a bit overkill for our environment, which means we're not concerned at all in taking some of the load off that server. It could easily handle an environment several times our current size.

          Aside from offloading some of the workload and routing clients to the right mailbox server, why would I install a FE server?

          According to Sembee's article there are apparently no security benefits to having a FE server. If it gets compromised it's game over anyway. Why not just install an SSL Cert on our current Exchange server and forward HTTPS traffic to it?

          So my question is: in an Exchange 2003 environment where you already have OWA running internally, should you add an FE server just because you're going to open OWA up to internet users and you don't want them connecting directly back to your mailbox server? Every time you punch a hole in your firewall you're taking a risk; how do I mitigate this risk?

          I've been looking all over for a straight answer on this. Sembee's article is the most straightforward article yet.

          Maybe I just don't want to allow OWA from the internet.
          CCA: XenApp 5.0


          • #6
            Re: 2003 FE server as an extra layer of security

            IMHO, the risks are comparable. With a DMZ FE you allow HTTPS to the FE server and then you have to allow several ports from the FE to the BE. With a strictly BE you allow HTTPS to the BE. With a FE if someone hijacks the FE they have probably also hijacked the BE because of the required ports between the two being open. Personally I don't see much, if any, security benefit to having a FE in the DMZ. We run a fairly large Exchange environment (1,200 users and 1 terabyte of email) and we use a single server and allow HTTPS and SMTP to this server through the firewall. IMHO, the only legitimate reason for using a FE is if you have multiple BE servers.


            • #7
              Re: 2003 FE server as an extra layer of security

              Thanks Joe. The more research I do the more it seems that's the case.
              CCA: XenApp 5.0
