From: New Zealand
Just a quick comment on a very thorough article on this implementation.
The "Planning an Exchange 2003 Messaging System" documentation (which can be found at Planning an Exchange 2003 Messaging System as a downloadable Word Document) states that this is no longer the recommended approach (having the Front-End Exchange Server in the DMZ). In a nutshell it says that the Front-End Servers should be brought back into the 'Internal Corporate' network and the Front-End accessed via 443 (with an ISA Server in between, mind!).
Just a thought and I would be interested in others interpretations/experiences of the above document as well as yours.
From: New Zealand
I'll correct myself before anyone else does!
On Page 63 of the document it states that 'the best practice alternative to locating your front-end Exchange 2003 servers in the perimeter network' is that ISA Server is used in the Perimeter network and the F-E is brought into the internal network.
It goes on to add that it is not recommended to use the Exchange 2003 front-end server in the perimeter network as an RPC proxy.
Personally I believe that that particular chapter (Securing Exchange with ISA Server 2000) is still pertinent to all and well worth a read!
Thanks! I know that there are several approaches to this config. I did this article because:
1. A lot of people want to put the FE in the DMZ
2. I wanted to demonstrate the access rules configuration to allow the FE/BE Exchange Servers to communicate through the firewall
3. I've already done a bunch of articles on putting the FE and BE in the Internal network (those are all in the ISA 2000/Exchange Kit)
I'm certainly not saying this is the best way, but there are valid reasons for putting the FE in a DMZ.
From: Appleton, WI
Hi Tom, Great Article. Unfortunately I banged my head against the wall for about a week and a half prior to its posting getting it to work myself! Then after all is said and done, I attempt to enable RSA security on it.
"No can do!" says RSA, Inc. They do not support the FE/BE config.
Well - long story short - I got the FE in my DMZ now (I re-did the ISA config to ensure that only the necessary ports that you list are configured between the DMZ and the internal network), and RSA security "wrapping" the Forms Authentication through ISA. So a user comes in, gets hit with RSA, then with Forms Authentication and only hitting the FE in the DMZ.
Now, to get RSA to work with the forms authentication because you can only have the one listener active on a website (I defaulted to RSA), I had to disable the "OWA Forms Authentication Filter". What security issues might arise from my doing so? I don't want to open anything up too much, but this was the only way I could get things to function...
I like that config; however, I'm also wondering about your statement regarding best practices. What "is" best practices for publishing the Front-end server? Mind you, I have had this thing configured as an internal server as well and it worked fine - I just thought things might be more secure if the FE were in the DMZ.
After reviewing the ISA documents on this site, the ISA docs and MS's Exchange with ISA white paper, I find the scenario I face is not covered - or at least I can't see it. We have hardware firewalls which we cannot circumvent (policy more than technology). Can ISA be used to proxy Exchange calls for OWA, OMA and ActiveSync to a FE on the internal corporate network and not be dual-homed (i.e. bypassing the hw firewall)? What I'd like to see is traffic from the Internet pass through the hw firewall, then to ISA, then to another hw firewall, then inside to the FE. Clear?
Can you tell me how to configure my ISA 2004 to make my environment work? This is what we have...
CheckPoint FW set in front with:
Interface 1: external
Interface 2: DMZ
Interface 3: Internal
Based on MS's recommendations, I put the FE and BE Exchange servers on my Internal interface, and then I put my ISA 2004 in my DMZ. I open up CheckPoint FW traffic to get to my ISA2K4 through HTTPS, and CheckPoint does the NAT for ISA2K4 between ISA2K4's external IP and its DMZ IP.
What I want is to have my ISA2K4 do the Exchange RPC over HTTPS and SMTP mail relays to the FE server.
Is this do-able? Can you tell me what I need to do on ISA2K4 to make this work? I have never used the ISA product before so step by step will be really helpful. What ISA2K4 configurations do I need to do? I guess I pretty much need to open up all the traffic on ISA2K4 and just set up the email OWA stuff, right?
The Internal network is subnetted into hundreds of different vlans.
I tried following what you have in this article, but have failed somewhere. I can get everything working fine, communicating from internal to external, DMZ to external, and external to DMZ. I do not need external to speak to internal. Now my issue is the route connection from DMZ to internal. I cannot get anything to pass through here, which is an issue when trying to have a computer in the DMZ (the FE Exchange) joined to a domain. To rule out an issue with the VLANs and the internal config, I have moved my ISA internal config and one computer that does DNS and AD to the same VLAN on the same switch, but still nothing is going through.
As I said, I have my access and firewall rules configured according to this article, but I am out of ideas as to what can be the issue. I have even gone to the extreme of allowing all ports through from DMZ to Internal, but still nothing. The logs are not showing anything that can help me out.
Any assistance you can provide would be appreciated.
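For the DMZ-to-internal problem described in the post above, an added example (not code from the article or from anyone in this thread) that probes, from the DMZ front-end server, the TCP ports it needs on the internal network. The host names are placeholders and the port list is an assumption based on the usual dependencies of a domain-joined Exchange front end (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Global Catalog, and HTTP to the back end); the article's own port list is not reproduced here.

```powershell
# Added example: probe TCP reachability from the DMZ FE to internal hosts.
# Host names below are placeholders; the port list is an assumption (see lead-in).
$targets = @(
    @{ Host = 'dc1.corp.example.com'; Ports = 53, 88, 135, 389, 445, 3268 },  # DC: DNS, Kerberos, RPC EPM, LDAP, SMB, GC
    @{ Host = 'be1.corp.example.com'; Ports = 80, 135 }                        # BE Exchange: OWA proxying over HTTP, RPC EPM
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout usually means a firewall silently dropped the packet.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout (filtered?)' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        # An active refusal means the host was reachable but nothing listens there.
        return "refused/error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

foreach ($t in $targets) {
    foreach ($p in $t.Ports) {
        '{0,-28} {1,5}  {2}' -f $t.Host, $p, (Test-TcpPort -ComputerName $t.Host -Port $p)
    }
}
```

A row reading "timeout" on every port, even with an allow-all rule in place, points at routing or NAT between the two networks rather than at the access rules themselves, which matches the symptom in the post. Two caveats: this only tests TCP (DNS and Kerberos also use UDP), and a successful connect to the endpoint mapper on 135 says nothing about the dynamic RPC ports it hands out afterwards, which also have to be permitted.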
Great article. Really, it is. I implemented it and it worked perfectly. I have one question yet: how do I configure internal clients to connect to the Internet (or the External N/W) in this particular configuration?
With the help of the ISA Server 2004 book (and the kind help of Mr. Spouseele on this forum) I was able to configure a trihomed ISA network. I have an internal network on which I have an Exchange 2003 server and I have a private address DMZ. The DMZ contains a Windows 2003 Server Web Edition. I was planning to use it for publishing some sites and OWA and keep it a little bit separate from my internal network. What I was not realizing, until I read this article, was that I need to install Exchange as a FE server in the DMZ. I thought having IIS in the DMZ was enough to publish OWA. Before I go on and install a FE Exchange I want to verify with the pros on this board if I really need this.
From within my internal network I can connect to the OWA site that is on my internal network Exchange server. And while maybe not the best practice, it would be possible to just publish this OWA site on my ISA server and be done with it. Should I consider this option?
The reason I am asking is that I run a very small network. I am a developer and have only one mailbox on the Exchange server. The reason for having this network is 1. curiosity and 2. having some private networking services at my disposal. On one hand I want to do things properly, but on the other hand I have to deal with my cynical self who keeps saying: "you have one mailbox!!!, do you really need two Exchange servers? ... did you wake up this morning and see a corporation in the mirror?".
My question relates to publishing the web enrollment site for OWA. We have recently changed from a tri-homed to a Back2Back ISA scenario so I'm having to amend/delete/create new rules on our BE ISA. On top of this we have moved our FE Exchange from our internal network to the perimeter network in between the x2 ISA servers. My question is this:
How do you publish services such as web enrollment from our Enterprise CA located in our internal network behind the BE ISA to the external interface of the FE ISA?
I went ahead and implemented this exact setup as per your article. With the exception of the hosts file DNS (I went ahead and did the split DNS), everything is exactly as you had detailed within the article.
I am having an issue getting OWA to work. I have yet to try POP3/IMAP4 access, though OWA is, at the moment, the critical service I need to focus on. With that said, I have not tested externally as our outside DNS changes have not yet propagated, though from what I understand, I should still be able to access it internally...
I CAN access OWA via the BE server - no issues here - it is fully functional
The FE server is another story though... What I am experiencing is as follows: I CAN access the logon window via https://owa.corp.domain.com/exchange - I go ahead and fill in my credentials click OK and from that point on it just sits on "Opening page https://owa.corp.domain.com/exchange..." - After approximately 30-45 seconds it will display the standard "This page cannot be displayed" page. Any idea what I might be missing here? This is eating at me.
Lastly, you mentioned you would have more information concerning IPSEC for securing the connection between the FE and BE at the end of your article - I do not see it. Am I missing something?
Thank you, Devin
< Message edited by dmcbride -- 21.Jun.2006 8:21:16 PM >
Working wonderfully now... in case anyone was running into the same issue I was: be sure to check your permissions and verify all the important IIS vdirs have the correct settings. Even though I followed Tom's article to the tee, I still had SSL enabled on the BE server on some of the important IIS vdirs, specifically exchange, exchweb, exchweb/bin, public and rpc.
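To make the check in the post above repeatable, an added example (not code from the article or from the poster) that reports, on the back-end Exchange 2003 server, whether each of the named IIS 6 directories has "Require secure channel (SSL)" set. It assumes Windows Server 2003 / IIS 6 with its WMI provider (the root\MicrosoftIISv2 namespace), PowerShell installed on the BE, and the vdirs living under the Default Web Site, whose metabase identifier is assumed to be W3SVC/1.

```powershell
# Added example: report the AccessSSL ("Require SSL") flag on the BE vdirs the FE proxies to.
# Assumptions: IIS 6 WMI provider present; Default Web Site is W3SVC/1.
$site  = 'W3SVC/1'
$names = 'Exchange', 'ExchWeb', 'ExchWeb/bin', 'Public', 'Rpc'   # the directories named in the post

# Exchange, ExchWeb, Public and Rpc are virtual directories; ExchWeb/bin is a plain web
# directory beneath ExchWeb, so both setting classes are read and merged into one lookup.
$settings = @{}
foreach ($class in 'IIsWebVirtualDirSetting', 'IIsWebDirectorySetting') {
    Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class $class |
        ForEach-Object { $settings[$_.Name.ToLower()] = $_ }   # Name is the metabase path
}

foreach ($n in $names) {
    $path = "$site/ROOT/$n"
    $s = $settings[$path.ToLower()]
    if ($null -eq $s) { '{0,-28} not found in metabase' -f $path; continue }
    $state = if ($s.AccessSSL) { 'REQUIRES SSL' } else { 'SSL not required' }
    '{0,-28} {1}' -f $path, $state
}
```

The script only reports; it changes nothing. Because the front end talks to the back end over plain HTTP in the FE/BE design, a "REQUIRES SSL" line on the BE for one of these directories is the condition the post found responsible for the hang, and the report lets you confirm that before editing the metabase.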
I followed the steps described in this document and everything works great, but if I go to the OWA FQDN from inside, which points to the private IP of the Front End Exchange in the DMZ, I get the Basic Authentication box and would prefer users to get Forms-Based Authentication just like they get from outside. Is that possible?