Exchange Front End Server

  • Exchange Front End Server

    I am currently replacing an older Exchange 2003 box with a new virtual one and will be moving all the mailboxes etc. over.

    I was thinking of using the old box as a front end server to service OWA, RPC/HTTPS etc.

    Would this be an acceptable solution? I only have 120 users on our network and would put the box to use and save me having to redo certificates etc. Would I be able to do all my email scanning, third party exclaimers etc. on the front end server as well?

    Thanks for any advice.

  • #2
    Re: Exchange Front End Server

    It's always better to expose the front end server publicly than the whole mailbox server.

    Put your front End in DMZ and the BE in local network.

    As far as your 3rd party exclaimers are concerned, for that I guess you need to make sure your FE is acting as gateway to route the mail outside.
    Last edited by Dks; 13th March 2011, 00:19.
    Rgds,

    Dks
    MCP E2K3 & MCITP E2K7
    MCITP Enterprise Win2k8



    • #3
      Re: Exchange Front End Server

      Originally posted by Dks:
      Put your front End in DMZ and the BE in local network.

      Don't do this.
      It does nothing to enhance your security, it only reduces it.
      No one has given me a good reason why this is a good idea - DKS if you can then I am all for hearing it.
      However I can give you plenty of reasons why it is a bad idea.
      http://blog.sembee.co.uk/archive/2006/02/23/7.aspx

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.



      • #4
        Re: Exchange Front End Server

        Thanks sembee, that was an interesting read.
        Please do show your appreciation to those who assist you by leaving Rep Point.



        • #5
          Re: Exchange Front End Server

          Originally posted by Sembee:
          Don't do this.
          It does nothing to enhance your security, it only reduces it.
          No one has given me a good reason why this is a good idea - DKS if you can then I am all for hearing it.
          However I can give you plenty of reasons why it is a bad idea.
          http://blog.sembee.co.uk/archive/2006/02/23/7.aspx

          Simon.

          It's funny you say this. I've known a ton of admins who think it's a great idea to put their mail servers in a DMZ as though it adds more security. But then you have to open a ton of ports on your firewall to talk to the backend (bearing in mind sometimes they're on the same domain!!), which renders the firewall completely useless.



          • #6
            Re: Exchange Front End Server

            Originally posted by scurlaruntings:
            It's funny you say this. I've known a ton of admins who think it's a great idea to put their mail servers in a DMZ as though it adds more security. But then you have to open a ton of ports on your firewall to talk to the backend (bearing in mind sometimes they're on the same domain!!), which renders the firewall completely useless.

            There are many admins and some network security people who seem to think that putting a server in the DMZ makes it more secure, like it is some kind of magic place.
            As I think I said in my blog posting, when it comes to Exchange and I am asked to do that I simply turn round and ask for port 135 to be open. If the network security person allows that then they are simply not up to the job.

            Simon.
            --
            Simon Butler
            Exchange MVP


            • #7
              Re: Exchange Front End Server

              Sembee,

              Check out this article on why to put FE in DMZ: http://technet.microsoft.com/en-us/library/aa996948(EXCHG.65).aspx
              Last edited by Dks; 13th March 2011, 00:20.
              Rgds,

              Dks
              MCP E2K3 & MCITP E2K7
              MCITP Enterprise Win2k8



              • #8
                Re: Exchange Front End Server

                Originally posted by Dks:
                Sembee,

                Check out this article on why to put FE in DMZ: http://technet.microsoft.com/en-us/library/aa996948(EXCHG.65).aspx

                I wouldn't pay too much attention to that. There was a time when MS advised you build an AD domain with a root domain name. That practice has gone by the way for obvious reasons. The suggestion to add a FE in a DMZ adds zero resilience. What's the point in the firewall when you have to open nearly 10 ports for it to communicate with the BE/AD/GC/DNS on your internal LAN, bearing in mind they'll more than likely be on the same domain, which is even worse? Once the FE is compromised the route to the BE will be even more elementary, so where's the added security?



                • #9
                  Re: Exchange Front End Server

                  Originally posted by Dks:
                  Sembee,

                  Check out this article on why to put FE in DMZ: http://technet.microsoft.com/en-us/library/aa996948(EXCHG.65).aspx

                  Someone usually brings up that four year old article.
                  The fact that Microsoft have provided instructions on how to do it doesn't make it a good idea. The issues with it in Microsoft's own article should be enough of a warning to anyone that it is a bad idea.

                  A lot of Microsoft's documentation is written because there is a demand for it. There are enough people who think that putting a frontend server in to a DMZ is a good idea and asked for guidance that Microsoft provided those instructions. It has a lot of caveats, which many people seem to simply ignore.

                  You have to look at WHY you are placing the server in to a DMZ.
                  If it is because of some hard and fast policy that no server inside can be seen or accessed directly from outside, then it fits - but ignores the fact that the server is effectively an internal server, just with a firewall between the servers, and the relevant holes allowed through.
                  If it is because there is some kind of belief that it will increase the security of the network, then I challenge anyone to tell me why.
                  As far as I am concerned, putting a frontend server in the DMZ is like buying the best lock for your front door and then hiding the key under the mat.

                  What should also be noted is that Microsoft do NOT support any part of Exchange 2007 in a DMZ, other than the Edge role, which is designed to go on a workgroup machine. Rather than have the ambiguity of it working, but ignoring the security aspects, there is now simply a policy that it isn't supported and hasn't been tested. Doesn't stop people from asking if it can be done, and the same argument coming up, but Microsoft not supporting it does rather knock the idea on the head.

                  Simon.
                  Last edited by Sembee; 18th July 2009, 15:22.
                  --
                  Simon Butler
                  Exchange MVP


                  • #10
                    Re: Exchange Front End Server

                    Yes, Microsoft does not support Exchange 2007 CAS in DMZ. But there is an altogether different reason for that. http://blogs.msdn.com/brad_hughes/

                    So you mean to say that it's better to expose your MAILBOX server than the FE???????
                    Last edited by Dks; 13th March 2011, 00:20.
                    Rgds,

                    Dks
                    MCP E2K3 & MCITP E2K7
                    MCITP Enterprise Win2k8



                    • #11
                      Re: Exchange Front End Server

                      Originally posted by Dks:
                      So you mean to say that it's better to expose your MAILBOX server than the FE???????

                      What does it matter whether it is an MBX or a frontend server?
                      Both of them are members of the domain, that means if the server is compromised then the attacker can walk straight in to the network because the firewall is basically bypassed.

                      I say it again - no one has given me a good reason for putting a frontend server in to a DMZ.

                      I have no problems with exposing Exchange to the internet - I only open two ports - 443 and 25. If the server is dedicated to Exchange then it is a secure combination. IIS 6 and 7 have never been compromised, the compromise has always been through something installed on IIS that has been poorly coded. The actual IIS is secure.

                      Simon.
                      --
                      Simon Butler
                      Exchange MVP
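
The comparison argued in the posts above (a front end in the DMZ that needs standing firewall holes for domain traffic, versus publishing only 443 and 25), as an added example that is not part of any post in this thread. Both rule sets are constructed, the zone names, `Rule` and `audit` are hypothetical, and the port-to-service map is an assumed set of standard well-known port numbers a domain member uses.

```python
from dataclasses import dataclass

# Assumed set: well-known TCP ports a domain-joined server uses to reach AD.
DOMAIN_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                389: "LDAP", 445: "SMB", 3268: "Global Catalog"}

@dataclass(frozen=True)
class Rule:
    src: str   # source zone: "internet", "dmz" or "lan"
    dst: str   # destination zone
    lo: int    # first allowed destination TCP port
    hi: int    # last allowed destination TCP port

def audit(rules):
    """Return (ports reachable from the internet, DMZ-to-LAN domain holes)."""
    exposed, holes = set(), set()
    for r in rules:
        if r.src == "internet":
            exposed.update(range(r.lo, r.hi + 1))
        elif r.src == "dmz" and r.dst == "lan":
            # Name every domain service this rule lets through to the LAN.
            holes.update(n for p, n in DOMAIN_PORTS.items() if r.lo <= p <= r.hi)
            if r.hi - r.lo >= 1000:  # e.g. a dynamic RPC range
                holes.add(f"wide range {r.lo}-{r.hi}")
    return exposed, sorted(holes)

# Constructed policy: front end in the DMZ, back end and AD on the LAN.
FE_IN_DMZ = [Rule("internet", "dmz", 443, 443), Rule("internet", "dmz", 25, 25),
             Rule("dmz", "lan", 80, 80)] + \
            [Rule("dmz", "lan", p, p) for p in DOMAIN_PORTS] + \
            [Rule("dmz", "lan", 1024, 65535)]

# Constructed policy: Exchange on the LAN, only 443 and 25 published.
PUBLISHED_DIRECT = [Rule("internet", "lan", 443, 443),
                    Rule("internet", "lan", 25, 25)]

if __name__ == "__main__":
    for name, policy in (("FE in DMZ", FE_IN_DMZ),
                         ("published direct", PUBLISHED_DIRECT)):
        exposed, holes = audit(policy)
        print(f"{name}: internet-facing {sorted(exposed)}, DMZ->LAN holes {holes}")
```

Both policies present the same two ports to the internet; the audit only differs in the list of DMZ-to-LAN rules that a domain-joined front end requires.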


                      • #12
                        Re: Exchange Front End Server

                        Originally posted by Dks:
                        Yes, Microsoft does not support Exchange 2007 CAS in DMZ. But there is an altogether different reason for that. http://blogs.msdn.com/brad_hughes/

                        I think the actual link you wanted was this.
                        http://blogs.msdn.com/brad_hughes/ar...s-servers.aspx
                        --
                        Simon Butler
                        Exchange MVP