Exchange Server Forums

Adding FE in DMZ to an existing BE in TRUST

Adding FE in DMZ to an existing BE in TRUST - 2.May2006 4:24:06 PM   
enghps1

 

Posts: 14
Joined: 2.May2006
Status: offline
Hi All, I'm looking to add a Front End Exchange to an existing standalone BE (e2k3 sp2) in order to take advantage of push-email via WM5, (have been using PPTP over GPRS previously but had various issues with Vodafone). Firstly we do not have ISA and so I want to put the FE in our DMZ/Perimeter network. Apparently the FE must be joined to the domain but how is this possible when the FE is in the DMZ/Perimeter using diff subnets? Would RRAS provide everything required for domain authentication? And if the FE is used for WM5 authentication is an RRAS VPN also required between the FE and BE or is this overkill? The net seems pretty sparse when it comes to RRAS literature and being a relative RRAS newbie I'm left scratching my head. If anyone has installed something similar and can assist or direct me to any resource it would be very much appreciated - Thanks
Post #: 1
RE: Adding FE in DMZ to an existing BE in TRUST - 2.May2006 9:13:50 PM   
mark@mvps.org

 

Posts: 6811
Joined: 9.Jun.2004
From: Philadelphia PA
Status: offline
Right.
Absolutely no. Do not put the FE in a DMZ.
Just publish 443 from the firewall to the FE and put the FE in the internal network.

No, you do not need the RRAS VPN, it would be pointless.



_____________________________

Mark Arnold (Exchange MVP)
List Moderator

(in reply to enghps1)
Post #: 2
RE: Adding FE in DMZ to an existing BE in TRUST - 3.May2006 2:32:23 PM   
enghps1

 

Posts: 14
Joined: 2.May2006
Status: offline
Thanks, this would make installation much simpler but a lot of literature still recommends the FE resides in the DMZ - even Microsoft's FE/BE Topology guide says this:
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3FrontBack/9713985e-8847-4104-be02-6d00af9243e1.mspx?mfr=true
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3FrontBack/5047c17e-795b-4e23-b5f5-8912b2017ded.mspx?mfr=true
That said, having the FE in the Trust rather than DMZ could still provide SSL and Kerberos security. I know there is no definitive solution (MS obviously recommend ISA) but any more light you could throw on this would really help me determine the best way to go, or at least help me rule out the very long-winded I was planning. Thanks again

(in reply to mark@mvps.org)
Post #: 3
RE: Adding FE in DMZ to an existing BE in TRUST - 5.May2006 8:14:56 PM   
enghps1

 

Posts: 14
Joined: 2.May2006
Status: offline
Well, I've put the FE in the internal network using SSL and all is good. I hadn't considered this way of doing things and it's a shame I hadn't read Henrik's book "Securing E2K3 and OWA" any sooner. At some point I plan to have a stab at IPSEC between the FE in the DMZ and the BE on the internal network though as this is the most secure option. Thanks again for the advice, I can now see RRAS was taking me up a road I didn't need to go!

(in reply to enghps1)
Post #: 4
