0

What's the Purpose of Exchange Frontend Servers in this configuration?

Config: SMB with single Exchange backend cluster. ISA server nodes with Published OWA/RPC/etc web sites. The cluster is located in a colo and users worldwide connect to it via OWA or RPC over HTTPS. Postini has the primary MX record and sends mail through the ISA server to the Exchange server.

So... what is the purpose of one or multiple frontend servers in a configuration such as this? Is there any? I can't think of any so I thought I would double check and ask.

Aaron Wurthmann

2 Answers

2

Well, the front end server should be in a DMZ, as you don't want outside internet traffic connecting directly to your Exchange server. The whole idea of a DMZ is to have no connection to the internal network. But with that setup you have to set up pinhole access from the front end to the Exchange server. Still much more secure than having IIS and related running on your Exchange server. Also has to do with performance and load balancing. This might not be all the reasons, but it's a good start...

xeon
  • @xeon: thanks for the response. I think you perhaps didn't read the "config" section and just read the title though. The backend servers would not be in the DMZ. External access via HTTPS is granted only through the ISA servers and SMTP traffic through Postini. Can you think of another reason having a frontend would buy me anything in this setup? – Aaron Wurthmann Jul 21 '09 at 20:53
  • That's through Postini and ALSO through the ISA servers. – Aaron Wurthmann Jul 21 '09 at 20:55
  • You should specify which version of Exchange you're running. Ex2K3 and Ex2k7 have very different architectures. I'm guessing you're on Exchange 2003, is that right? – Trondh Sep 01 '09 at 16:28
0

Alright, I have determined through the non-answer of this post that there is no "need" for a frontend server in this configuration. But one of the IMs I got on this subject from my buddy Jeremy pointed out something I had overlooked...

In this config a frontend server would provide close to no security advantage, you would have to make your way through the stateful and stateless firewalls and load balancers before talking to IIS 7 (which is pretty rock solid as is, even without the stateful and application firewalls). BUT another layer or another group of machines is another layer of security, albeit security through obscurity. So though minimal the frontend adds "some" obscurity/security.

I'm still not decided what I will do, as I kind of feel like all the ports that get opened for a frontend on the DMZ to talk to the backend and the DCs/GCs are enough for someone to make their next hop. After all, they just made it through at least 3 layers of security; making it through another, one that has half a dozen ports and at least 3 protocols open, isn't the difficult part once you are that far.

Aaron Wurthmann