December 10, 2001 12:00 AM

OWA 2000 Security and Scalability

Windows IT Pro
InstantDoc ID #23139
Take advantage of front-end/back-end servers, firewalls, and passwords

Two of the biggest complaints about Exchange Server 5.5's Outlook Web Access (OWA) were that it wasn't very secure or scalable. Significant security problems still exist in OWA in Exchange 2000 Server (OWA 2000) if you configure it improperly. However, OWA 2000 adequately addresses the scalability problems through more efficient communication between the Microsoft Internet Information Services (IIS) 5.0 server and Exchange 2000 servers and through the use of front-end and back-end servers. Let's look at the reasons for implementing front-end and back-end servers, how to create and properly configure them, and how to secure your new OWA setup by adding a firewall, protecting and changing passwords, and protecting against possible attacks. In addition, on the Exchange & Outlook Administrator Web site (http://www.exchangeadmin.com), you'll find the Web-exclusive sidebar "Redirecting Users to Secure Pages," InstantDoc ID 23175, which describes how you can help users adjust to secure Web pages in the OWA 2000 system.

Reasons for Using Front-End and Back-End Servers
Exchange 2000's ability to support front-end servers for Internet protocol clients such as HTTP, POP3, IMAP4, and Network News Transfer Protocol (NNTP) is exciting news. (Messaging API—MAPI—clients, such as Outlook 2000 and Outlook 9x, don't use front-end servers.) For large organizations, this support promises to improve the scalability and performance of Exchange 2000 in environments with thousands of Internet-protocol clients. Although organizations with only a few clients and one or two servers don't need a front-end server for scalability, they can implement a front-end server for other reasons, including

  • off-loading the overhead of authentication and encryption (Secure Sockets Layer—SSL) from the back-end servers
  • providing IMAP4 clients access to all public folders, not just the public folders that have a replica on the user's home server
  • having a buffer in the perimeter network or demilitarized zone (DMZ), between the firewall and the Internet
  • providing one namespace for all users to connect to their mail, regardless of the name or location of the back-end server

You can configure only Exchange 2000 Enterprise Server as a front-end server. When you use an Internet-protocol client, the front-end server acts as a connection point to back-end servers. All communication travels through the front-end servers to the back-end Exchange 2000 servers, on which the mailboxes and public folders reside; the client communicates only with the front-end server. A DNS entry can point to one front-end server, or you can configure the DNS entry to cycle in a round-robin style through several front-end servers. If you choose to have several front-end servers, you should implement a load-balancing solution such as Microsoft's Windows NT Load Balancing Service (WLBS).

Creating and Configuring a Front-End Server
All Exchange 2000 servers are back-end servers by default. To create a front-end server, install Enterprise Server. Use the Microsoft Management Console (MMC) Exchange System Manager (ESM) console to locate that server in the administrative group's Servers container and display its properties, as Figure 1 shows. Select the This is a front-end server check box, click OK, and reboot.

If you previously installed Enterprise Server and that server contains mailboxes and public folder replicas, you perform the same steps I just described to convert that server to a front-end server. However, you need to move the mailboxes and public folders to another server before the conversion. After you reboot the front-end server, any mailboxes or public folders on that server will no longer be accessible. If you forget to move a mailbox or public folder, you can reverse the process and the mailboxes and public folders will be available again.

To optimize the front-end server, I recommend that you dismount the mailbox store and public folder store on the front-end server. Although you could delete these stores, deleting them prevents you from using the IIS administration tools to make changes. You can disable the other Exchange 2000-related services, such as the Microsoft Search Service, the Routing Engine service, the Message Transfer Agent (MTA) service, and the Exchange Event Service. However, if you want the front-end server to provide SMTP mail services, you must leave the Routing Engine service enabled and you must mount the mailbox store so that the SMTP mailbox is available.

Finally, make sure that the front-end server's virtual directories (e.g., HTTP, POP3, IMAP4, NNTP) and virtual servers (e.g., HTTP) are the same as those on the back-end server. If you haven't created any additional HTTP virtual directories or Internet protocol virtual servers, you won't need to make any changes.
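
The optimization rules and the virtual directory check described above can be written down as an audit, shown here as an added example that is not part of the original article or any Microsoft tool. The inventory layout, the function name audit_front_end, and the sample server data are assumptions constructed for illustration; in practice you would fill the inventory in from what ESM and the Services console show.

```python
# Added example: audit a front-end server description against the article's guidance.
# The inventory format and all sample values are hypothetical (constructed).

# Services the article says can be disabled on a front-end server.
OPTIONAL_SERVICES = ("Microsoft Search Service", "Routing Engine",
                     "Message Transfer Agent", "Exchange Event Service")

def audit_front_end(fe, backend_vdirs):
    """Return a sorted list of findings for one front-end server."""
    findings = []
    smtp = fe["provides_smtp"]
    stores = fe["stores"]      # store name -> "mounted" | "dismounted" | "deleted"
    services = fe["services"]  # service name -> "enabled" | "disabled"

    for name, state in stores.items():
        if state == "deleted":
            findings.append(f"{name}: deleted; IIS administration tools cannot make changes")
        elif state == "mounted" and not (smtp and name == "mailbox store"):
            findings.append(f"{name}: mounted; dismount it on a front-end server")

    for name in OPTIONAL_SERVICES:
        needed = smtp and name == "Routing Engine"  # the SMTP exception
        state = services.get(name, "enabled")
        if state == "enabled" and not needed:
            findings.append(f"{name}: enabled; can be disabled")
        elif state == "disabled" and needed:
            findings.append(f"{name}: disabled; SMTP needs it enabled")

    if smtp and stores.get("mailbox store") != "mounted":
        findings.append("mailbox store: must be mounted for SMTP")

    # Virtual directories must match those on the back-end server.
    fe_vdirs, be_vdirs = set(fe["vdirs"]), set(backend_vdirs)
    for v in be_vdirs - fe_vdirs:
        findings.append(f"vdir {v}: on back end, missing on front end")
    for v in fe_vdirs - be_vdirs:
        findings.append(f"vdir {v}: on front end only")
    return sorted(findings)

# Constructed sample: an SMTP-serving front end with several mistakes.
SAMPLE_FE = {
    "provides_smtp": True,
    "stores": {"mailbox store": "dismounted", "public folder store": "mounted"},
    "services": {"Microsoft Search Service": "disabled", "Routing Engine": "disabled",
                 "Message Transfer Agent": "enabled", "Exchange Event Service": "disabled"},
    "vdirs": ["Exchange", "Public"],
}
SAMPLE_BACKEND_VDIRS = ["Exchange", "Public", "Sales"]  # "Sales" is a made-up extra directory

if __name__ == "__main__":
    print("\n".join(audit_front_end(SAMPLE_FE, SAMPLE_BACKEND_VDIRS)))
```
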
