FE and OWA  
Author Message
NQFRobert





Posted: Wed Nov 23 13:55:51 CST 2005

Exchange Servers Setup >> FE and OWA

Some questions about FE and OWA

1. Can I set up the FE server on my LAN in a trusted network and, when it's
working in there OK, move it to the DMZ and open all required ports? All I'm
thinking is it's easier to install the OS, join the domain, install Exchange,
do all the basic configs for IIS etc...

2. I want to use SSL to secure data from FE to client and use IPSec to
secure data from FE to BE, so does this mean that my CA server needs to be in
the DMZ, i.e. on the FE server, or in my trusted network?

3. Correct me if I'm wrong here: FE needs to be a member of the domain.

As you can see here, I'm going to use the DMZ scenario as ISA is not possible
yet for me.


Thanks for your advice.

 
 
Bharat





Posted: Wed Nov 23 13:55:51 CST 2005

1. Yes, can do this, but repeat: not recommended to put OWA/FE in DMZ. It's
an Exchange server, needs access to DCs/GCs and backend mailbox servers on a
number of ports.
2. If you do put a FE in DMZ, IPSec is the way to go. CA Server only issues
certs, you need to make sure the client can verify the certs. Publish CRLs
at a reachable location. If you already have a webserver in DMZ, that'd be a
good location to publish the CRL (in addition to wherever else you're
publishing it now.. ). And don't place your CA server in the DMZ.
- I would say simply get a cert from a commercial CA if the OWA cert is the
only reason you're setting up a CA. Much more cost-effective given what some
CAs charge these days.
3. FE needs to have Exchange. Exchange cannot be installed on standalone
boxes (boxes that aren't members of the domain).

One secure way is to use something like a SSL appliance/gateway/vpn like
Whale if budget is not a constraint.
--
Bharat Suneja
MCSE, MCT
www.zenprise.com
blog: www.suneja.com/blog
-----------------------------------------






 
 
Lion





Posted: Fri Nov 25 09:46:06 CST 2005

Bharat,

I have installed another Exchange Server into my organisation today and OWA
is working fine, but I cannot start POP3 and IMAP and don't know why; both of
them are running fine on the BE server. The only difference between the FE
and BE is that I have ticked the box on the FE to say this is a FE server,
nothing else.

My BE is a clustered environment.

Any ideas?






 
 
Bharat





Posted: Sat Nov 26 10:53:58 CST 2005

Not sure what you mean by "cannot start POP3 and IMAP... "
- Are those services running on the FE? Are the POP3 and IMAP4 virtual
servers running (Check in ESM)?
- If they are, can you telnet to ports 110 (POP3) and 143 (IMAP4)?
- Do you have connectivity from FE to BE server(s)? (*important to check
this if FE is in DMZ or if you're using IPSec between FE/BE)
If yes, you're OK on the FE side.

On the backend cluster:
- do you have POP3 and IMAP4 virtual servers created in the EVS? (Not
created by default in Exchange Server 2003).
- You also need to create cluster resources for each of these.
- Check "Adding IMAP4 and POP3 Resources" in the Admin Guide. Note: POP3 and
IMAP4 services should be set to start manually on each cluster node.
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/71af5548-6347-46b0-b943-ca43ef230305.mspx
--
Bharat Suneja
MCSE, MCT
www.zenprise.com
blog: www.suneja.com/blog
-----------------------------------
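
The FE-side checks from the reply above (service state, then the port 110/143 test against the FE and from there to the BE) as a Windows PowerShell 2.0+ script. This is an added example, not part of the original post; the host names are placeholders, and POP3Svc/IMAP4Svc are assumed to be the service names on the Exchange 2003 servers.

```powershell
# Added example. Host names are placeholders, not values from the thread.
$FrontEnd = 'fe01.example.local'    # hypothetical front-end server
$BackEnd  = 'evs01.example.local'   # hypothetical back-end Exchange Virtual Server
$Ports    = @{ 110 = 'POP3'; 143 = 'IMAP4' }

function Get-MailServiceState {
    param([string]$ComputerName)
    # StartMode is Auto, Manual or Disabled; State is Running, Stopped, ...
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
        -Filter "Name='POP3Svc' OR Name='IMAP4Svc'" |
        Select-Object Name, StartMode, State
}

function Test-MailPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    $banner = $null
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($pending)      # throws if the connection was refused
            $open = $true
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $reader = New-Object System.IO.StreamReader($stream)
            $banner = $reader.ReadLine()      # greeting: "+OK ..." (POP3), "* OK ..." (IMAP4)
        }
    } catch {
        # Refused, reset, or no greeting within the timeout: keep what was learned so far.
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{
        Server = $ComputerName; Service = $Ports[$Port]; Port = $Port
        Open = $open; Banner = $banner
    }
}

# 1. Service state on the FE (first item in the checklist).
Get-MailServiceState -ComputerName $FrontEnd | Format-Table -AutoSize

# 2. The "telnet" test against the FE, then against the BE. Run this part on the FE
#    itself so the FE-to-BE path through the firewall/IPSec policy is what gets tested.
$results = foreach ($server in $FrontEnd, $BackEnd) {
    foreach ($port in $Ports.Keys) { Test-MailPort -ComputerName $server -Port $port }
}
$results | Sort-Object Server, Port | Format-Table Server, Service, Port, Open, Banner -AutoSize
```

A port that shows `Open = False` on the FE while the service reports `StartMode = Disabled` or `State = Stopped` points at the service rather than the network; an open FE port with a closed BE port points at the FE-to-BE path or the cluster resources.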






 
 
Lion





Posted: Sun Nov 27 04:31:04 CST 2005

It's all working now. On my FE, POP3 and IMAP were disabled as services, so I
changed them to Automatic and now all is working fine.

Thanks.

