We are currently running Exchange 2003 on a single box that is on our internal network. We are going to be replacing the hardware very soon. I am thinking that it would be a good idea to switch from having a single server to the front end - back end server topology for security reasons. We do use OWA with forms-based authentication and also have Windows Mobile phones that use ActiveSync. I have never configured a front end - back end setup before and I am not sure how difficult it is to implement. I am also wondering if we need to purchase two licenses of the Exchange Server software to be able to set up the front end - back end setup. Any info you could give about moving from single server to front/back end setup would be great.

Thanks

James wrote:
> We are currently running Exchange 2003 on a single box that is on our
> internal network. We are going to be replacing the hardware very
> soon. I am thinking that it would be a good idea to switch from
> having a single server to the front end - back end server topology
> for security reasons. We do use OWA with forms-based authentication
> and also have Windows Mobile phones that use ActiveSync. I have
> never configured a front end - back end setup before and I am not
> sure how difficult it is to implement. I am also wondering if we need
> to purchase two licenses of the Exchange Server software to be able
> to set up the front end - back end setup. Any info you could give
> about moving from single server to front/back end setup would be
> great.
> Thanks

For a single server shop, a FE/BE config is way overkill, if you ask me. You can secure your existing server with a decent firewall appliance and/or ISA.

But yes, would need another license for Windows Server and Exchange Server alike. See http://support.microsoft.com/kb/887104/en-us for more info. I don't think you need this, honestly.

I was figuring that if somehow someone did get access to the front end server that they would still be separated from our internal network through the firewall. I know we would need a few ports open to communicate between front end and back end servers, but that is far better than being directly on the internal network. If someone would get access to our current Exchange server then they have access to the internal network since it is internal. We do have an IPS but since all traffic is SSL it is encrypted when it goes through the IPS. I was also thinking we could use a host-based IPS on that server since it would see the traffic after it is decrypted. Is there a better way to do the setup? What do you suggest?

Thanks

"Lanwench [MVP - Exchange]" wrote in message news:eZ2Ny74BJHA.4368@TK2MSFTNGP06.phx.gbl...
> James wrote:
>> We are currently running Exchange 2003 on a single box that is on our
>> internal network. We are going to be replacing the hardware very
>> soon. I am thinking that it would be a good idea to switch from
>> having a single server to the front end - back end server topology
>> for security reasons. We do use OWA with forms-based authentication
>> and also have Windows Mobile phones that use ActiveSync. I have
>> never configured a front end - back end setup before and I am not
>> sure how difficult it is to implement. I am also wondering if we need
>> to purchase two licenses of the Exchange Server software to be able
>> to set up the front end - back end setup. Any info you could give
>> about moving from single server to front/back end setup would be
>> great.
>> Thanks
>
> For a single server shop, a FE/BE config is way overkill, if you ask me.
> You can secure your existing server with a decent firewall appliance
> and/or ISA.
>
> But yes, would need another license for Windows Server and Exchange
> Server alike. See http://support.microsoft.com/kb/887104/en-us for more
> info. I don't think you need this, honestly.

Using ISA Server 2006 or some other web publishing appliance is a far better way to go than opening the myriad ports in your DMZ required to put a front-end server there.

--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"James" wrote in message news:%23SRkMR6BJHA.1628@TK2MSFTNGP02.phx.gbl...
>I was figuring that if somehow someone did get access to the front end
>server that they would still be separated from our internal network through
>the firewall. I know we would need a few ports open to communicate between
>front end and back end servers, but that is far better than being directly
>on the internal network. If someone would get access to our current
>Exchange server then they have access to the internal network since it is
>internal. We do have an IPS but since all traffic is SSL it is encrypted
>when it goes through the IPS. I was also thinking we could use a host-based
>IPS on that server since it would see the traffic after it is decrypted. Is
>there a better way to do the setup? What do you suggest?
>
> Thanks
>
> "Lanwench [MVP - Exchange]" wrote in message
> news:eZ2Ny74BJHA.4368@TK2MSFTNGP06.phx.gbl...
>> James wrote:
>>> We are currently running Exchange 2003 on a single box that is on our
>>> internal network. We are going to be replacing the hardware very
>>> soon. I am thinking that it would be a good idea to switch from
>>> having a single server to the front end - back end server topology
>>> for security reasons. We do use OWA with forms-based authentication
>>> and also have Windows Mobile phones that use ActiveSync. I have
>>> never configured a front end - back end setup before and I am not
>>> sure how difficult it is to implement. I am also wondering if we need
>>> to purchase two licenses of the Exchange Server software to be able
>>> to set up the front end - back end setup. Any info you could give
>>> about moving from single server to front/back end setup would be
>>> great.
>>> Thanks
>>
>> For a single server shop, a FE/BE config is way overkill, if you ask me.
>> You can secure your existing server with a decent firewall appliance
>> and/or ISA.
>>
>> But yes, would need another license for Windows Server and Exchange
>> Server alike. See http://support.microsoft.com/kb/887104/en-us for more
>> info. I don't think you need this, honestly.
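
The disagreement in this thread ("a few ports" versus "myriad ports") can be checked by summarising the DMZ-to-internal firewall openings each design needs. The script below is an added example, not part of any post in the thread. All addresses and rule lines are constructed, the front-end port list is an assumption based on Microsoft's front-end/back-end topology guidance for Exchange 2003, and the reverse-proxy case assumes the proxy only bridges HTTPS to the Exchange server without authenticating against the directory itself.

```python
import ipaddress

# Constructed addressing: DMZ host 192.0.2.10, internal LAN 10.0.0.0/24,
# back-end Exchange 10.0.0.20, domain controller 10.0.0.5.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")

# Directory/authentication services a DMZ host should ideally never reach.
SENSITIVE = {88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
             445: "SMB/Netlogon", 3268: "Global Catalog"}

# Constructed rule format: "proto src dst port-or-range".
# Assumed openings for an Exchange 2003 front-end placed in the DMZ.
FRONT_END_IN_DMZ = """
tcp 192.0.2.10 10.0.0.20 80
tcp 192.0.2.10 10.0.0.5 389
udp 192.0.2.10 10.0.0.5 389
tcp 192.0.2.10 10.0.0.5 3268
tcp 192.0.2.10 10.0.0.5 88
udp 192.0.2.10 10.0.0.5 88
tcp 192.0.2.10 10.0.0.5 53
udp 192.0.2.10 10.0.0.5 53
tcp 192.0.2.10 10.0.0.5 135
tcp 192.0.2.10 10.0.0.5 1024-65535
tcp 192.0.2.10 10.0.0.5 445
"""
# Assumed opening for a reverse proxy that only bridges HTTPS to Exchange.
REVERSE_PROXY_IN_DMZ = "tcp 192.0.2.10 10.0.0.20 443"

def parse(text):
    """Yield (proto, dst, low_port, high_port) for each rule line."""
    for line in text.strip().splitlines():
        proto, _src, dst, ports = line.split()
        low, _, high = ports.partition("-")
        yield proto, ipaddress.ip_address(dst), int(low), int(high or low)

def exposure(text):
    """Summarise what a compromised DMZ host could reach on the inside."""
    rules = [r for r in parse(text) if r[1] in INTERNAL]
    reachable = {(proto, dst, port) for proto, dst, low, high in rules
                 for port in range(low, high + 1)}
    return {
        "rules": len(rules),
        "internal_hosts": len({dst for _, dst, _, _ in rules}),
        "open_ports": len(reachable),
        "directory_services": sorted({SENSITIVE[p] for _, _, p in reachable
                                      if p in SENSITIVE}),
    }

if __name__ == "__main__":
    print(exposure(FRONT_END_IN_DMZ), exposure(REVERSE_PROXY_IN_DMZ), sep="\n")
```

The dynamic RPC range dominates the front-end figure; pinning RPC to a static port shrinks the count but still leaves the domain controller reachable from the DMZ.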