Discussion of FE/BE Exchange Server DMZ article

Discussion of FE/BE Exchange Server DMZ article - 17.May2004 3:55:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the FE/BE Exchange DMZ article over at http://www.isaserver.org/articles/2004dmzfebe.html.

Thanks!
Tom

[ May 17, 2004, 03:41 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of FE/BE Exchange Server DMZ article - 17.May2004 5:45:00 AM   
bbroadfoot

 

Posts: 20
Joined: 23.Mar.2004
From: New Zealand
Status: offline
Hi Tom,

Just a quick comment on a very thorough article on this implementation.

The "Planning an Exchange 2003 Messaging System" (which can be found at Planning an Exchange 2003 Messaging System as a downloadable Word Document) documentation states that this is no longer the recommended approach (having the Front-End Exchange Server in the DMZ). In a nutshell it says that the Front-End Servers should be brought back into the 'Internal Corporate' network and the Front-End accessed via 443 (with an ISA Server in between, mind!).

Just a thought and I would be interested in others interpretations/experiences of the above document as well as yours.

Regards,
Bart

(in reply to tshinder)
Post #: 2
RE: Discussion of FE/BE Exchange Server DMZ article - 17.May2004 5:59:00 AM   
bbroadfoot

 

Posts: 20
Joined: 23.Mar.2004
From: New Zealand
Status: offline
Hi Tom,

I'll correct myself before anyone else does!

On Page 63 of the document it states that 'the best practice alternative to locating your front-end Exchange 2003 servers in the perimeter network' is that ISA Server is used in the Perimeter network and the F-E brought into the internal network.

It goes on to add that it is not recommended to use the Exchange 2003 front-end server in the perimeter network as an RPC proxy.

Personally I believe that that particular chapter (Securing Exchange with ISA Server 2000) is still pertinent to all and well worth a read!

Regards,
Bart

(in reply to tshinder)
Post #: 3
RE: Discussion of FE/BE Exchange Server DMZ article - 17.May2004 6:13:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bart,

Thanks! I know that there are several approaches to this config. I did this article because:

1. A lot of people want to put the FE in the DMZ
2. I wanted to demonstrate the access rules configuration to allow the FE/BE Exchange Servers to communicate through the firewall
3. I've already done a bunch of articles on putting the FE and BE in the Internal network (those are all in the ISA 2000/Exchange Kit)

I'm certainly not saying this is the best way, but there are valid reasons for putting the FE in a DMZ.

Thanks!
Tom

(in reply to tshinder)
Post #: 4
RE: Discussion of FE/BE Exchange Server DMZ article - 20.May2004 4:04:00 PM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
Hi Tom,
Great Article. Unfortunately I banged my head against the wall for about a week and a half prior to its posting getting it to work myself! Then after all is said and done, I attempt to enable RSA security on it.

"No can do!" says RSA, Inc. They do not support the FE/BE config.

Well - long story short - I got the FE in my DMZ now (I re-did the ISA config to ensure that only the necessary ports that you list are configured between the DMZ and the internal network), and RSA security "wrapping" the Forms Authentication through ISA. So a user comes in, gets hit with RSA, then with Forms Authentication and only hitting the FE in the DMZ.

Now, to get RSA to work with the forms authentication because you can only have the one listener active on a website (I defaulted to RSA), I had to disable the "OWA Forms Authentication Filter". What security issues might arise from my doing so? I don't want to open anything up too much, but this was the only way I could get things to function...

I like that config; however, I'm also wondering about your statement regarding best practices. What "is" best practices for publishing the Front-end server? Mind you, I have had this thing configured as an internal server as well and it worked fine - I just thought things might be more secure if the FE were in the DMZ.

Isn't testing fun!??!?! [Wink]

-Tim

(in reply to tshinder)
Post #: 5
RE: Discussion of FE/BE Exchange Server DMZ article - 21.May2004 7:31:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,

I haven't messed with RSA, so I can't give you any real insights into it. However, you might want to check the article:

http://isaserver.org/tutorials/2004pubowamobile.html

The FBA adds some security because credentials aren't cached, but I don't think of it as a "must have", just a nice security improvement tweak [Smile]

HTH,
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion of FE/BE Exchange Server DMZ article - 3.Jun.2004 5:55:00 PM   
mhammer

 

Posts: 1
Joined: 3.Jun.2004
From: Houston
Status: offline
After reviewing the ISA documents on this site, the ISA docs and MS's Exchange with ISA white paper, I find the scenario I face is not covered - or at least I can't see it. We have hardware firewalls which we cannot circumvent (policy more than technology). Can ISA be used to proxy Exchange calls for OWA, OMA and ActiveSync to a FE on the internal corporate network and not be dual-homed (i.e. bypassing the hw firewall)? What I'd like to see is traffic from the Internet pass through the hw firewall, then to ISA, then to another hw firewall, then inside to the FE. Clear?

Any help would be greatly appreciated.

Mike Hammer

(in reply to tshinder)
Post #: 7
RE: Discussion of FE/BE Exchange Server DMZ article - 4.Jun.2004 1:42:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

You bet! I think I posted an article on publishing OWA using a unihomed Web proxy config. In fact, there's an article in the ISA/Exchange Kit over at www.msfirewall.org/isa2004kits.htm

HTH,
Tom

(in reply to tshinder)
Post #: 8
RE: Discussion of FE/BE Exchange Server DMZ article - 20.Jun.2004 1:37:00 AM   
batmon

 

Posts: 28
Joined: 21.Feb.2004
Status: offline
Can you tell me how to configure my ISA 2004 to make my environment work? This is what we have...

CheckPoint FW set it front with:
Interface 1: external
Interface 2: DMZ
Interface 3: Internal

Based on MS's recommendations, I put the FE and BE Exchange servers on my Internal interface, and then I put my ISA 2004 in my DMZ. I opened up CheckPoint FW traffic to get to my ISA2K4 through HTTPS, and CheckPoint does the NAT for ISA2K4 between ISA2K4's external IP and its DMZ IP.

What I want is to have my ISA2K4 do the Exchange RPC over HTTPS and SMTP mail relays to the FE server.

Is this do-able? Can you tell me what I need to do on ISA2K4 to make this work? I have never used the ISA product before, so step by step will be really helpful. What ISA2K4 configurations do I need to do? I guess I pretty much need to open up all the traffic on ISA2K4 and just set up the email OWA stuff, right?

Thank you.

(in reply to tshinder)
Post #: 9
RE: Discussion of FE/BE Exchange Server DMZ article - 20.Jun.2004 8:50:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Batmon,

What is the Checkpoint device for? Do you have a multi-gigabyte Internet connection? If not, I'd dump the checkpoint "firewall".

Once you free yourself of the checkpoint device, you can use the ISA firewall for complete protection using the ISA/Exchange deployment kit docs.

What MS recommendations are you referring to?

Thanks!
Tom

[ June 20, 2004, 08:51 AM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 10
RE: Discussion of FE/BE Exchange Server DMZ article - 10.Aug.2004 7:52:00 PM   
Guest
Hi Tom,

I have an ISA 2004 setup with three nics.

Nic1: External XXX.XXX.XXX.XXX
Nic2:DMZ 192.168.XXX.XXX
Nic3:Internal 172.16.XXX.XXX

The Internal network is subnetted into hundreds of different vlans.

I tried following what you have in this article, but have failed somewhere. I can get everything working fine, communicating from internal to external, DMZ to external, and external to DMZ. I do not need external to speak to internal. Now my issue is the route connection from DMZ to internal. I cannot get anything to pass through here, which is an issue when trying to have a computer joined to a domain (FE exchange) in the DMZ. To rule out an issue with the VLANs and the internal config, I have moved my ISA internal config and one computer that does DNS and AD to the same VLAN on the same switch, but still nothing is going through.

As I said, I have my access and firewall rules configured according to this article, but I am out of ideas as to what the issue can be. I have even gone to the extreme of allowing all ports through from DMZ to Internal, but still nothing. The logs are not showing anything that can help me out.

Any assistance you can provide would be appreciated.

Chris

(in reply to tshinder)
  Post #: 11
RE: Discussion of FE/BE Exchange Server DMZ article - 10.Aug.2004 7:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

Have you looked at parts 1 and 2 of my ISA firewalls DMZ article? I think that might help you a lot!

HTH,
Tom

(in reply to tshinder)
Post #: 12
RE: Discussion of FE/BE Exchange Server DMZ article - 18.Feb.2006 3:52:20 PM   
abed11

 

Posts: 1
Joined: 8.Feb.2006
Status: offline
Hello Dr. Shinder;

Great Article. Really, it is. I implemented it and it worked perfectly.
I have one question yet: how do I configure Internal clients to connect to the Internet (or the External N/W) in this particular configuration?

(in reply to tshinder)
Post #: 13
RE: Discussion of FE/BE Exchange Server DMZ article - 27.May2006 10:22:30 PM   
stefstef

 

Posts: 3
Joined: 20.May2006
Status: offline
Hello All,

With the help of the isa server 2004 book (and the kind help of mr spouseele on this forum) I was able to configure a trihomed ISA network.
I have an internal network on which I have an Exchange 2003 server, and I have a private address DMZ. The DMZ contains a Windows 2003 Server Web Edition. I was planning to use it for publishing some sites and OWA and keep it a little bit separate from my internal network. What I was not realizing, until I read this article, was that I need to install Exchange as a FE server in the DMZ. I thought having IIS in the DMZ was enough to publish OWA. Before I go on and install a FE Exchange I want to verify with the pros on this board if I really need this.

From within my internal network I can connect to the OWA site that is on my internal network Exchange server. And while maybe not the best practice, it would be possible to just publish this OWA site on my ISA server and be done with it. Should I consider this option?

The reason I am asking is that I run a very small network. I am a developer and have only one mailbox on the Exchange server. The reasons for having this network are 1. curiosity and 2. having some private networking services at my disposal. On one hand I want to do things properly, but on the other hand I have to deal with my cynical self who keeps saying: "you have one mailbox!!!, do you really need two Exchange servers? ... did you wake up this morning and see a corporation in the mirror?".

Any advice would be greatly appreciated.

(in reply to abed11)
Post #: 14
RE: Discussion of FE/BE Exchange Server DMZ article - 30.May2006 4:02:17 PM   
waynewhittle

 

Posts: 117
Joined: 21.Apr.2004
From: Cardiff
Status: offline
Hi,

My question relates to publishing the web enrollment site for OWA. We have recently changed from a tri-homed to a Back2Back ISA scenario so I'm having to amend/delete/create new rules on our BE ISA. On top of this we have moved our FE Exchange from our internal network to the perimeter network in between the x2 ISA servers. My question is this:

How do you publish services such as web enrollment from our Enterprise CA located in our internal network behind the BE ISA to the external interface of the FE ISA ?

regards

Wayne

(in reply to stefstef)
Post #: 15
RE: Discussion of FE/BE Exchange Server DMZ article - 21.Jun.2006 9:01:04 AM   
dmcbride

 

Posts: 3
Joined: 23.May2006
Status: offline
Hi Tom,

I went ahead and implemented this exact setup as per your article. With the exception of the host file dns (I went ahead and did the split DNS) - everything is exactly as you had detailed within the article.

I am having an issue getting OWA to work. I have yet to try POP3/IMAP4 access - though OWA is, at the moment, the critical service I need to focus on. With that said, I have not tested externally as our outside DNS changes have not yet propagated - though from what I understand, I should still be able to access it internally...

I CAN access OWA via the BE server - no issues here - it is fully functional

The FE server is another story though...
What I am experiencing is as follows: I CAN access the logon window via https://owa.corp.domain.com/exchange - I go ahead and fill in my credentials click OK and from that point on it just sits on "Opening page https://owa.corp.domain.com/exchange..." - After approximately 30-45 seconds it will display the standard "This page cannot be displayed" page. Any idea what I might be missing here? This is eating at me.

Lastly, you mentioned you would have more information concerning IPSEC for securing the connection between the FE and BE at the end of your article - I do not see it. Am I missing something?

Thank you,
Devin

< Message edited by dmcbride -- 21.Jun.2006 8:21:16 PM >

(in reply to tshinder)
Post #: 16
RE: Discussion of FE/BE Exchange Server DMZ article - 21.Jun.2006 9:06:50 PM   
dmcbride

 

Posts: 3
Joined: 23.May2006
Status: offline
RESOLVED!

Working wonderfully now... in case anyone was running into the same issue I was - be sure to check your permissions and verify all the important IIS vdirs have the correct settings - even though I followed Tom's article to the tee - I still had SSL enabled on the BE server on some of the important IIS vdirs - specifically exchange, exchweb, exchweb/bin, public and rpc

I found this post extremely helpful: http://www.mcse.ms/archive76-2005-3-1460700.html

Thank you Tom for the awesome article...I have a really cool and functional FE/BE setup :)

(in reply to dmcbride)
Post #: 17
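The fix in the post above comes down to one setting: the back-end server's OWA virtual directories must not require SSL, because in this design the front-end talks plain HTTP to the back-end and a "Require SSL" flag on the BE silently turns the post-logon request into the "page cannot be displayed" error Devin saw. The script below is an added example, not part of the thread or of Tom's article, that audits exactly the five vdirs Devin names on an IIS 6 / Exchange 2003 back-end by reading the metabase through the IIS WMI provider. It assumes the OWA vdirs live under the Default Web Site (metabase path `W3SVC/1`) and that PowerShell with the `root\MicrosoftIISv2` namespace is available on the BE; adjust `$site` if OWA is on a different site.

```powershell
# Added example (not from the thread or the article): report which OWA vdirs on an
# Exchange 2003 back-end still have "Require SSL" (AccessSSL) set in the IIS 6 metabase.
# Run locally on the BE server with an account that can read the metabase.

# Vdirs named in the post as the ones that broke FE->BE access when SSL was required.
$vdirs = @('Exchange', 'Exchweb', 'Exchweb/bin', 'Public', 'Rpc')
$site  = 'W3SVC/1'   # assumption: OWA is published on the Default Web Site

$findings = foreach ($v in $vdirs) {
    $path = "$site/ROOT/$v"
    $setting = Get-WmiObject -Namespace 'root\MicrosoftIISv2' `
                             -Class IIsWebVirtualDirSetting `
                             -Filter "Name='$path'"

    if ($null -eq $setting) {
        # Not an error in itself: Exchange may not have created this vdir here.
        [pscustomobject]@{ VDir = $path; Found = $false; RequireSSL = $null; Note = 'vdir not found' }
        continue
    }

    $requireSsl = [bool]$setting.AccessSSL
    [pscustomobject]@{
        VDir       = $path
        Found      = $true
        RequireSSL = $requireSsl
        # On the back-end the FE connects over HTTP, so Require SSL must be clear here;
        # SSL belongs on the FE (and on the ISA listener in front of it).
        Note       = if ($requireSsl) { 'clear "Require secure channel" on the BE' } else { 'ok' }
    }
}

$findings | Format-Table -AutoSize

# Exit non-zero when any vdir still requires SSL, so the check can be scripted.
if ($findings | Where-Object { $_.RequireSSL }) { exit 1 } else { exit 0 }
```

The script only reads the metabase; it deliberately reports rather than changes the flag so the operator can confirm which server they are on. The same check is worth repeating after any Exchange service pack or IIS reconfiguration, since those can re-enable SSL on these vdirs.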
RE: Discussion of FE/BE Exchange Server DMZ article - 13.Mar.2008 1:30:49 AM   
atsekhanskiy

 

Posts: 3
Joined: 13.Mar.2008
Status: offline
Hi,

I followed the steps described in this document and everything works great, but if I go to the OWA FQDN from inside, which points to the private IP of the Front End Exchange in the DMZ, I get a Basic Authentication box and would prefer users to get Forms Based Authentication just like they get from outside. Is that possible?

(in reply to tshinder)
Post #: 18