Front end server, must it be Enterprise??

ianbla

IS-IT--Management
Oct 31, 2001
For the Exchange2k front-end, back-end solution MS say that the front-end must be the Enterprise version. Is this true or do MS just want you to spend more money than is needed?

My boss would like to implement OWA in our DMZ but after upgrading our PIX firewall there isn't much money left in the budget; he would like to get away with using Exchange2k rather than Exchange2k Enterprise if possible.

Please help.

Many thanks
Ian.
 
The Front End / Back End configuration does require the Enterprise Edition of Exchange. Not much you can do to get around it. We wrote our own Exchange applets in order to avoid having to install another Exchange server just for OWA.
 
Actually, Standard Edition can be used as the Back End server, but the Front End must be Enterprise.
 
Hi vkaushik,

Applets, sounds interesting, please tell me more.

If there is a workaround without the need for another Exchange server then I would be interested, very interested.
 
One alternative is to talk to your firewall provider.

We have an Exchange server in our DMZ; access to this server is restricted by the use of a secure ID token.
This simply means that each user has a secure ID token and a pin number.

When a user needs to access OWA, they can telnet to the firewall, enter their pin number and the number on the secure ID token (which changes every 10 secs). This authenticates them with the firewall, then they can access the email server. We use this method because we only have a small number of remote users and wanted to prevent unauthorised access to our servers. You can also use this method to control access to other servers from external sources - source code server, intranet etc.

Regards,
J
 
hi glynnj,

Thanks for your post.

I was considering this option. I have just been sent a trial pack by RSA containing 2 tokens and the server-side software. It all seems very complicated to set up. Did you find it easy to install/configure?

The Exchange server in your DMZ, is that the only one or do you have a front-end, back-end setup?

cheers
Ian.
 
Hi,
Sorry, mistake in the earlier post: the Exchange server is not in the DMZ but on the private network. The firewall performs a NAT for authorised users to the internal address. We have only one Exchange server.

We have a Checkpoint firewall which is managed by an external security company; we just told them we wanted to implement secure IDs and they set it all up for us.

I guess it depends on what type of firewall you have. Sorry I can't be of more help.
Regards,
Joe
 
We had the same issue with not needing to purchase Enterprise except for the front end / back end. What we ended up doing was running OWA on the Exchange server and NAT'ing to the Exchange server. We only opened 443 and ran OWA over SSL (port 80 is not even opened). It points directly to OWA which has basic authentication enabled. There still is some risk but the only way to access a web page on the server is encrypted and you must have a username/password to even view it (and that transmission is encrypted). It was cheaper for the SSL cert than it was to upgrade server and CALs to Enterprise.
 
I have considered this but the current Exchange Server is also the main file server and I do not really want to weaken the security. I also believe every OWA session takes up a lot of memory on the server and therefore think a separate machine to handle OWA would be better.

I am still hoping vkaushik will get back to me on the applets solution. We have a team of integration specialists here in my company who could possibly put something together, but projects keep on coming up and taking them out of the office.
 
The fun of OWA.

I implemented OWA 6 months ago with the front end / back end solution, used Enterprise on the front and Standard on the back. I am now upgrading the back to Enterprise.

I have a managed firewall on which only port 80 is open to the front end, and then another firewall in between that only allows traffic from the frontend to the backend on 1 IP. I had to open a few ports to allow AD authentication etc. but these are only allowed from the frontend IP.

So far I've not been hacked, but I must say I did not have the frontend solution in at first and within 10 mins of me opening port 80 there was a guy from Morocco in TFTPing files or trying to off my box hehe, but luckily the managed firewall people spotted it.

Can I just say, if you don't look at your firewall logs (prob not many of us do) you prob will never know if you've been hacked. I've used Checkpoint, NetPilots etc. and trying to spot a hacker unless you know your IPs etc. is a bit hard.
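
Added example (not from the thread or any poster): one way to act on the log-review advice in the post above, by checking firewall connection logs against the rule set it describes (port 80 to the front end, a short port list from front end to back end). The log format, the addresses and the front-end-to-back-end port list are assumptions made up for illustration.

```python
import ipaddress
from collections import namedtuple

# Assumed placeholders, not values from the thread; adjust to your own site.
FRONT_END = ipaddress.ip_address("192.0.2.10")   # front-end server in the DMZ
BACK_END = ipaddress.ip_address("10.0.0.20")     # back-end server, internal
FE_TO_BE = {("tcp", 80), ("tcp", 88), ("tcp", 389), ("udp", 53)}  # site-specific

Flow = namedtuple("Flow", "ts action proto src sport dst dport")

# Constructed sample: one new connection per line, "ts action proto src:port dst:port".
SAMPLE = [
    "2000-01-01T10:00:01 accept tcp 198.51.100.7:40112 192.0.2.10:80",
    "2000-01-01T10:00:02 accept tcp 192.0.2.10:1055 10.0.0.20:80",
    "2000-01-01T10:00:09 accept udp 192.0.2.10:1060 203.0.113.5:69",
    "2000-01-01T10:00:12 drop tcp 192.0.2.10:1061 203.0.113.5:21",
    "2000-01-01T10:00:15 accept tcp 198.51.100.7:40113 10.0.0.20:80",
    "2000-01-01T10:00:20 drop tcp 198.51.100.9:5555 192.0.2.10:445",
]

def parse(line):
    """Turn one constructed log line into a Flow record."""
    ts, action, proto, src, dst = line.split()
    (s_ip, s_port), (d_ip, d_port) = src.rsplit(":", 1), dst.rsplit(":", 1)
    return Flow(ts, action, proto.lower(), ipaddress.ip_address(s_ip),
                int(s_port), ipaddress.ip_address(d_ip), int(d_port))

def expected(f):
    """True if a new connection matches the intended rule set."""
    if f.dst == FRONT_END and f.src != BACK_END:
        return (f.proto, f.dport) == ("tcp", 80)      # outside -> front end: web only
    if f.src == FRONT_END and f.dst == BACK_END:
        return (f.proto, f.dport) in FE_TO_BE         # front end -> back end: short list
    return False                                      # anything else is outside policy

def review(lines):
    """Flag accepted flows outside policy and blocked flows started by a server."""
    findings = []
    for line in lines:
        f = parse(line)
        if FRONT_END not in (f.src, f.dst) and BACK_END not in (f.src, f.dst):
            continue
        if f.action == "accept" and not expected(f):
            findings.append(("UNEXPECTED-ACCEPT", f))      # rule set is too loose
        elif f.action == "drop" and f.src in (FRONT_END, BACK_END):
            findings.append(("SERVER-INITIATED-DROP", f))  # server tried to reach out
    return findings
```

On the sample, the accepted outbound UDP/69 (TFTP) flow from the front end, its blocked outbound FTP attempt and the accepted connection straight from the Internet to the back end are flagged; routine inbound drops from the Internet are not.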
 
Hi Tobez,

The Front-end server that sits in the DMZ, is that a member of the internal domain or does it sit on its own?

thanks
Ian.
 