Adding FE in DMZ to an existing BE in TRUST (Full Version)



enghps1 -> Adding FE in DMZ to an existing BE in TRUST (2.May2006 4:24:06 PM)

Hi All, I'm looking to add a Front End Exchange to an existing standalone BE (e2k3 sp2) in order to take advantage of push-email via WM5 (have been using PPTP over GPRS previously but had various issues with Vodafone). Firstly we do not have ISA and so I want to put the FE in our DMZ/Perimeter network. Apparently the FE must be joined to the domain but how is this possible when the FE is in the DMZ/Perimeter using diff subnets? Would RRAS provide everything required for domain authentication? And if the FE is used for WM5 authentication is an RRAS VPN also required between the FE and BE or is this overkill? The net seems pretty sparse when it comes to RRAS literature and being a relative RRAS newbie I'm left scratching my head. If anyone has installed something similar and can assist or direct me to any resource it would be very much appreciated - Thanks [8|]




mark@mvps.org -> RE: Adding FE in DMZ to an existing BE in TRUST (2.May2006 9:13:50 PM)

Right.
Absolutely no. Do not put the FE in a DMZ.
Just publish 443 from the firewall to the FE and put the FE in the internal network.

No, you do not need the RRAS VPN, it would be pointless.





enghps1 -> RE: Adding FE in DMZ to an existing BE in TRUST (3.May2006 2:32:23 PM)

Thanks, this would make installation much simpler but a lot of literature still recommends the FE resides in the DMZ - even Microsoft's FE/BE Topology guide says this:

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3FrontBack/9713985e-8847-4104-be02-6d00af9243e1.mspx?mfr=true
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3FrontBack/5047c17e-795b-4e23-b5f5-8912b2017ded.mspx?mfr=true

That said, having the FE in the Trust rather than DMZ could still provide SSL and Kerberos security. I know there is no definitive solution (MS obviously recommend ISA) but any more light you could throw on this would really help me determine the best way to go, or at least help me rule out the very long-winded I was planning. Thanks again [8|]




enghps1 -> RE: Adding FE in DMZ to an existing BE in TRUST (5.May2006 8:14:56 PM)

Well, I've put the FE in the internal network using SSL and all is good. I hadn't considered this way of doing things and it's a shame I hadn't read Henrik's book "Securing E2K3 and OWA" any sooner. At some point I plan to have a stab at IPSEC between the FE in the DMZ and the BE on the internal network though as this is the most secure option. Thanks again for the advice, I can now see RRAS was taking me up a road I didn't need to go! [:D]



