Exchange 2007 Front/Back End Question

  • Exchange 2007 Front/Back End Question

    The topic is interesting, as I need information for a FE/BE Exchange 2003 server migration. However, I still have not found my answer. The replacement of the FE server in the DMZ with the SMTP and OWA roles doesn't seem to be as easy as I expected (or it is more or less confusing for me).

    If I follow the comments given by everyone here, the EdgeTransport role could be installed on a standalone server in the DMZ. It performs the anti-spam, antivirus options and all other roles if my firewall redirects the SMTP port to the Edge server. Of course I need to open some ports between the DMZ and the internal network (25, ADAM service ..).

    For the Exchange 2003 OWA service, what is the best solution if I want to keep the same FE/BE functionality in a 2007 server? As the CAS cannot be installed in the DMZ, ISA server seems to be the solution. But am I going to get the same functionality? Is it painful, I mean "impossible to configure"?

    All the documentation I found on the internet, or information given in seminars or presentations, is always for big companies with a lot of mailboxes to manage. For small ones (less than 100 users), that documentation isn't useful, as those companies don't have the money for a "one role per server" installation or a cluster installation. The need is focused on the security of their private network, the dependence on communication (emails, faxes, calendar ...). So MY need is to make an Exchange Server 2007 work fine, and the minimum number of servers would be welcome. An installation on a single server would be ideal (using LCR, so 2 RAID cards, 4 x 2 RAID 1 HD).
    Does anyone have any idea about this?
    Thanks a lot for the answers. Regards,


  • #2
    Re: Exchange 2007 Front/Back End Question

    I have moved your question into a separate thread, as you should have opened your own rather than attempted to hijack an existing one.

    The ISA solution is quite straightforward to deploy, although ISA has problems with SAN certificates which are currently causing some headaches for many people.

    If you have more than one Mailbox Server then you ideally need a separate CAS for the ISA server to talk to. The CAS will then talk to the relevant mailbox servers.

    However, on small sites (i.e. less than 250) I really struggle to justify the cost and complexity of Edge and ISA. Edge in my opinion is a waste of time. I can do everything that Edge does for a lot less money - with the exception of aggregated sender white listing - a feature I haven't had so don't miss.
    If the servers are dedicated to Exchange then I see no problem with opening the OWA ports directly to a CAS. IIS 6 and higher has never been directly compromised - it has always been a compromise via another application installed on IIS or due to administrator incompetence.

    When it comes to security, you have to look at what you are protecting. If you are a real target because of what you do, then an attacker will just find another way in. However in reality, most attacks are not after your data, they are after your bandwidth to infect more machines.

    Simon Butler
    Exchange MVP


    Sembee is a registered trademark, used here with permission.