fontend_backend exchage mail

Upload: lima-avares

Post on 03-Jun-2018


8/11/2019 Fontend_backend Exchage Mail

1/100

Front-End and Back-End Server Topology Guide for Microsoft Exchange Server 2003 and Exchange 2000 Server

Microsoft Corporation

Published: December 12, 2006

Author: Exchange Server Documentation Team

Abstract

This guide discusses Exchange Server front-end and back-end server architecture and topology.

Comments? Send feedback to exchdocs@microsoft.com.
Contents

Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server ... 9
Introduction to Front-End and Back-End Topologies for Exchange Server 2003 and Exchange 2000 Server ... 9
Assumed Knowledge ... 10
New Exchange Server 2003 Features for the Front-End and Back-End Architecture ... 10
Kerberos Authentication ... 10
RPC over HTTP ... 10
Exchange Server 2003 Editions ... 11
Forms-Based Authentication ... 11
Outlook Web Access Version Support ... 11
Front-End and Back-End Topologies Overview ... 12
Front-End and Back-End Topology Advantages ... 14
Single namespace ... 14
Offloads SSL Encryption and Decryption ... 14
Security ... 14
Improved Public Folder Access and Features ... 15
Increased IMAP Access to Public Folders ... 15
Multiple Protocols Supported ... 15
How a Front-End and Back-End Topology Works ... 16
Integration with Internet Information Services ... 16
Remote Procedure Calls in a Perimeter Network ... 16
Dependency on DSAccess ... 17
System Attendant on Front-End Servers ... 17
Supporting POP and IMAP Clients ... 19
Authentication for POP and IMAP Clients ... 19
IMAP Access to Public Folders ... 19
Running SMTP for POP and IMAP Clients ... 20
Supporting HTTP Access ... 21
Finding
Simplifying the Outlook Web Access
Procedure ... 42
For More Information ... 43
Securing Communication: Front-End to Other Servers ... 43
IP Security (IPSec) ... 43
IPSec Protocols ... 44
IPSec Policy ... 44
IPSec with Firewalls and Filtering Routers ... 44
Service Packs: You Begin ... 51
Procedure ... 51
Front-End Server behind a Firewall ... 52
Scenario ... 52
Setup Instructions ... 52
Discussion ... 53
How to Set
Setup Instructions ... 57
Discussion ... 58
Issues ... 58
How to Set
Disconnecting and Deleting Public and Mailbox Stores ... 71
Configuring Network Load Balancing ... 72
Configuring Secure Sockets Layer ... 72
How to Configure SSL for POP3, IMAP4, and SMTP ... 72
Procedure ... 72
How to Configure SSL for HTTP ... 73
Procedure ... 73
For More Information ... 73
Configuring SMTP on the Front-End Server ... 73
Mail for Internal Domains ... 74
Mail for External Domains ... 74
Configuring DSAccess for Perimeter Networks ... 74
Disabling the NetLogon Check ... 75
Disabling the Directory Access Ping ... 75
Specifying Domain Controllers and Global Catalog Servers ... 75
How to Disable the NetLogon Check on a Front-End Server ... 76
Before You Begin ... 76
Procedure ... 76
How to Disable the Directory Access Ping ... 77
Before You Begin ... 77
Procedure ... 77
Hosting Multiple Domains ... 77
Method One: Create Additional Virtual Servers ... 78
Method Two: Create Additional Virtual Directories ... 80
How to Add a Virtual Directory
How to Configure Additional Virtual Servers on a Back-End Server ... 84
Before You Begin ... 85
Procedure ... 85
Configuring Firewalls ... 85
Configuring an Internet Firewall ... 86
Configuring ISA Server ... 86
Configuring an Intranet Firewall ... 87
Advanced Firewall Server in the Perimeter Network ... 87
Front-end Server in Perimeter Network ... 88
Basic Protocols ... 88
Active Directory Communication ... 89
Domain Name Service (DNS) ... 90
IPSec ... 90
Remote Procedure Calls (RPCs) ... 91
Stopping RPC Traffic ... 91
Restricting RPC Traffic ... 91
Front-End and Back-End Topology Checklist ... 92
Front-End and Back-End Topology Troubleshooting ... 97
Troubleshooting Tools ... 97
General Troubleshooting Steps ... 97
Logon Failures ... 98
Troubleshooting Outlook Web Access ... 99
Copyright ... 99

Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server

Microsoft Exchange Server 2003 and Microsoft Exchange 2000 Server support using a server architecture that distributes server tasks among front-end and back-end servers. In this architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing. This guide discusses how Exchange Server 2003 and Exchange 2000 Server support the front-end and back-end server architecture. Also covered are several front-end and back-end scenarios and recommendations for configuration.

Note:

Download Front-End and Back-End Server Topology Guide for Microsoft Exchange Server 2003 and Exchange 2000 Server (http://go.microsoft.com/fwlink/?LinkId=69352) to print or read offline.

Introduction to Front-End and Back-End Topologies for Exchange Server 2003 and Exchange 2000 Server

Microsoft Exchange Server 2003 and Microsoft Exchange 2000 Server support using a server architecture that distributes server tasks among front-end and back-end servers. In this architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing. This guide discusses how Exchange Server 2003 and Exchange 2000 Server support the front-end and back-end server architecture. This guide also describes several front-end and back-end scenarios and provides recommendations for configuration.

Note:

A front-end server is a specially configured server running either Exchange Server 2003 or Exchange 2000 Server software. A back-end server is a server with a standard configuration. There is no configuration option to designate a server as a back-end server. The term "back-end server" refers to all servers in an organization that are not front-end servers after a front-end server is introduced into the organization.
Important:

The information in this guide pertains to Exchange Server 2003 or later, and Exchange 2000 Server with Service Pack 3 (SP3) or later. Therefore, if you are running earlier builds, upgrade to either Exchange Server 2003 or Exchange 2000 Server with Service Pack 3 (SP3) to take full advantage of the features described in this guide.

Assumed Knowledge

You should have an understanding of Microsoft Office Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync, RPC over HTTP, Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), and Internet Message Access Protocol (IMAP) version 4rev1 in a standard Exchange deployment, in addition to basic Exchange 2000 Server and Microsoft Windows Internet Information Services (IIS) concepts.

New Exchange Server 2003 Features for the Front-End and Back-End Architecture

Exchange Server 2003 builds on the front-end and back-end server architecture and adds new features and capabilities such as RPC over HTTP communication that enables users with Outlook 2003 clients to access their Exchange information from the Internet. Additionally, the standard version of Exchange Server 2003 enables you to configure a server as a front-end server.

Kerberos Authentication

New for Exchange Server 2003 is the ability for the Exchange front-end server to use Kerberos authentication for HTTP sessions between the front-end and its respective back-end servers. While the authentication is now using Kerberos, the session is still being sent using clear text. Therefore, if the network is public or the data is sensitive, it is recommended that you use Internet Protocol security (IPSec) to secure all communication between the Exchange front-end and back-end servers.

RPC over HTTP

With Exchange Server 2003 you can now use the Windows RPC over HTTP feature to enable users who are running Outlook 2003 to be able to access their corporate information from the Internet. Information about how to plan, deploy, and manage this new feature for Exchange is in Exchange Server 2003 RPC over HTTP Deployment Scenarios (http://go.microsoft.com/fwlink/?LinkId=47577).
Exchange Server 2003 Editions

Exchange Server 2003 is available in two editions, Exchange Server 2003 Standard Edition and Exchange Server 2003 Enterprise Edition. You can configure either for use as a front-end server in a front-end and back-end server architecture.

Note:

Exchange 2000 Server can be used only as a back-end server in a front-end and back-end configuration. However, Exchange 2000 Enterprise Server can be used as a front-end server or a back-end server in a front-end and back-end configuration. For more information about the differences between Exchange 2000 Server and Exchange 2000 Enterprise Server, see Microsoft Knowledge Base article 296614, "Differences between Exchange 2000 Standard and Enterprise versions" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=296614).

Forms-Based Authentication

Exchange Server 2003 includes a new authentication feature for your Outlook Web Access clients. For information about how to enable this feature, see Authentication Mechanisms for HTTP.

Outlook Web Access Version Support

To provide the new Exchange Server 2003 version of Outlook Web Access for users, Exchange Server 2003 must be installed on both the front-end server and the back-end server to which your users connect. When users connect to an Exchange 2003 front-end and back-end server, they are able to take advantage of the following features:

- Forms-based authentication

- Replying to and forwarding posts in a public folder through Outlook Web Access

- Integrated authentication between the front-end and back-end servers

Different combinations of Exchange Server 2003, Exchange 2000 Server, and Microsoft Exchange Server 5.5 determine the version of Outlook Web Access that your users can use. The following table lists the version of Outlook Web Access that users have access to, based on the versions of Exchange that are installed on the front-end and back-end servers.

Outlook Web Access versions available to users

Front-end server    Back-end server    Outlook Web Access version
Exchange 5.5        Exchange 5.5       Exchange 5.5
Exchange 5.5        Exchange 2000      Exchange 5.5
Exchange 5.5        Exchange 2003      Not supported
Exchange 2000       Exchange 5.5       Not supported
Exchange 2000       Exchange 2000      Exchange 2000
Exchange 2000       Exchange 2003      Not supported
Exchange 2003       Exchange 5.5       Not supported
Exchange 2003       Exchange 2000      Exchange 2000
Exchange 2003       Exchange 2003      Exchange 2003

The Exchange Server 2003 version and the Exchange 2000 Server version of Outlook Web Access are substantially different from the Exchange Server 5.5 version of Outlook Web Access. The Exchange Server 5.5 version of Outlook Web Access uses Active Server Pages (ASP) to communicate with an Exchange computer that uses Collaboration Data Objects (CDO) 1.2 and MAPI. The number of clients that can access the mailbox store at the same time is limited by the MAPI-based connection to the Exchange computer.

The Exchange Server 2003 version and the Exchange 2000 Server version of Outlook Web Access do not use MAPI to access the mailbox store, and they do not use ASP pages for client connections. Clients continue to connect to the Web Access Component through Hypertext Transfer Protocol (HTTP). However, the Internet Information Services (IIS) server that hosts the Outlook Web Access component uses the Microsoft Exchange Store service to provide access to the user's messaging functions. IIS receives Outlook Web Access client requests as a proxy for message traffic between a Web client and an Exchange 2003 server or an Exchange 2000 server. If the server contains the Exchange 2003 database, Outlook Web Access uses a high-speed channel to access the mailbox store. If the server is a front-end server, Outlook Web Access sends the request to a back-end server using HTTP.

Front-End and Back-End Topologies Overview

The figures in this topic describe the common implementations of the front-end and back-end server architecture. The following figure illustrates a simple Exchange front-end and back-end topology.

An Exchange front-end and back-end server architecture without an advanced firewall

The following figure illustrates the recommended scenario that uses an advanced firewall, such as Microsoft Internet Security and Acceleration (ISA) Server with Service Pack 1 (SP1) and Feature Pack 1, between the Internet and the Exchange front-end server.

The recommended Exchange front-end and back-end server architecture

Front-End and Back-End Topology Advantages

The front-end and back-end server topology should be used for multiple-server organizations that provide e-mail access to their employees over the Internet. Additionally, organizations that use Microsoft Office Outlook Web Access, POP, IMAP, and RPC over HTTP on their internal network can also benefit from a front-end and back-end server topology.

Single namespace

The primary advantage of the front-end and back-end server architecture is the ability to expose a single, consistent namespace. You can define a single namespace for users to access their mailboxes (for example, https://mail for Outlook Web Access). Without a front-end server, each user must know the name of the server that stores their mailbox. This complicates administration and compromises flexibility, because every time your organization grows or changes and you move some or all mailboxes to another server, you must inform the users.

With a single namespace, users can use the same

for the organization. In addition, the front-end servers authenticate requests before proxying them, protecting the back-end servers from denial-of-service attacks.

Improved Public Folder Access and Features

A front-end Exchange server increases the robustness of accessing public folders, as it knows the state of back-end servers and can use multiple referrals to access public folder data. This includes system data such as calendar free/busy information. In addition, in Exchange Server 2003, a front-end Exchange server enables your users using Outlook Web Access to reply or forward to posts in public folders. Without a front-end server, public folder posts can be only read.

Increased IMAP Access to Public Folders

The IMAP protocol specification allows a server to refer a client to another server. Exchange supports this referral functionality in cases where a public folder store on a particular server does not contain the content requested and the client needs to be referred to another server. However, this requires a client that supports IMAP referrals, and most clients do not support referrals. (The

How a Front-End and Back-End Topology Works

Although the general functionality of the front-end server is to proxy requests to the correct back-end servers on behalf of the client computers, the exact functionality of the front-end server depends on the protocol and the action being performed.

This section discusses the Windows and Microsoft Exchange Server components that are essential to understanding how front-end and back-end topology works. Make sure that you understand how these components function in a front-end and back-end topology and assess whether the modifications will affect your organization.

This section also explains how front-end and back-end servers support the various client protocols.

Integration with Internet Information Services

Exchange stores configuration information in Active Directory directory service, whereas Internet Information Services (IIS) stores configuration information in the metabase. The metabase is a local configuration database shared by the protocols that IIS supports. The Exchange System Attendant service regularly replicates relevant configuration changes made in Active Directory through Exchange System Manager to the metabase. You can tell when the configuration replication has occurred by looking for entries in Event Viewer from the metabase update service (MSExchangeM

Remote Procedure Calls are used by Internet Information Services (IIS) to authenticate clients on the front-end server.

Dependency on DSAccess

DSAccess is a shared Exchange Server component that accesses and stores directory information in a cache. DSAccess dynamically detects the directory servers that other Exchange components should contact, based on criteria such as Active Directory site configuration and Active Directory server availability. Exchange front-end servers use DSAccess to determine which server contains a particular user's mailbox, the Simple Mail Transfer Protocol (SMTP) addresses that exist for a user object, the servers that contain public folder stores, and so on.

DSAccess uses Lightweight Directory Access Protocol (LDAP) for most operations. However, DSAccess still uses RPCs to call the NetLogon service for each domain controller and global catalog server that it discovers.

If you put a front-end server in a perimeter network where you want to restrict RPC traffic between the perimeter network and the corporate network to specific services only, the NetLogon RPC from DSAccess to domain controller and global catalog servers may fail. If this occurs, DSAccess determines that RPC connectivity is just blocked, and that the servers are still available. However, DSAccess continues to send the NetLogon RPC, which may affect performance.

To stop DSAccess from doing the NetLogon RPC check, you can create a registry key. For more information about optimizing DSAccess in a perimeter network, see Configuring DSAccess for Perimeter Networks.

System Attendant on Front-End Servers

By default, Exchange System Attendant no longer requires RPCs when it runs on a front-end server. The components of System Attendant that use RPCs are no longer loaded on front-end servers; therefore, these components are disabled when you designate a server as a front-end server. The following list briefly describes these components:

DSProxy

The DSProxy service refers MAPI clients (such as Microsoft Office Outlook 2002) to global catalog servers for global address list lookups. DSProxy also allows MAPI clients with older versions of Outlook to access Active Directory. DSProxy no longer runs on front-end servers; therefore, the front-end server can no longer determine which back-end server contains a MAPI client's mailbox. As a result, you cannot point a MAPI client

to the front-end server to determine the user's back-end server and then route the request to the appropriate server.

Note:

To enable DSProxy on the front-end server for routing MAPI client requests, install Exchange 2000 Server Service Pack 3 (SP3) and create the registry key described in Microsoft Knowledge Base article 3191?7 (one digit is illegible in the source), "XADM: You Cannot Perform a Check Names Query Against a Front-End Exchange Computer." Note that to receive these referrals, the client must have RPC access to the front-end server. Additionally, the front-end server must have RPC access to domain controllers.

Recipient Update Service

The Recipient

Supporting POP and IMAP Clients

When you use a front-end server, the names of the servers that host the mailboxes are hidden from the users. Client computers connect to one host name shared by the front-end servers. As a result, moving users between servers is transparent to the users and requires no reconfiguration of client computers.

To log on, a POP or IMAP client sends the front-end server a logon request that contains the name of the mailbox to be accessed. The front-end server authenticates the user and uses Active Directory to determine which back-end server contains the user's mailbox. The front-end server then proxies the logon request to the appropriate back-end server. The back-end server then sends the results of the logon operation back to the front-end server, which returns the results of the operation back to the client. Subsequent POP or IMAP commands are similarly handled.

Note:

SMTP must be available to allow POP and IMAP clients to submit e-mail. You can install SMTP on the front-end server or set up a separate SMTP server. E-mail submission through SMTP on the front-end server works the same as it does on any other server running Exchange. For more information about how to configure SMTP on a front-end server, see Configuring Exchange Front-End Servers.

Authentication for POP and IMAP Clients

POP and IMAP e-mail clients send user and password information in clear text. If the front-end server is accessible from the Internet, you should configure SSL so that user authentication information and data is not passed over the Internet in clear text.

IMAP Access to Public Folders

When a non referral-enabled IMAP client connects to a back-end server, it can access only public folders that have a replica on the user's home server. To access public folders that have replicas on other servers, an IMAP client must be referral-enabled. A referral-enabled client issues special commands to an IMAP server to create a list of the public folders available to the client. When the client computer requests a public folder that does not have a local replica, the server responds to the client request with a referral

available to a non referral-enabled client. When the front-end server receives a referral response from the back-end server, it does not pass this response back to the client. Instead it follows the referral for the client and makes a connection to the appropriate back-end server that has the data. The back-end server then responds with the requested item, which the front-end server relays back to the client.

    *unning SMT+ for +.+ and &M!+ #lients

    P5P and /MAP protocols are used onl& for recei"in mailH &ou must confiure !M#P on the

    front$end ser"er so that P5P and /MAP clients can submit mail' >ou do not ha"e to run !M#P

    on the Exchane front$end ser"er' /nstead, &ou can use another ser"er as a dedicated !M#P

    atea&'

    &'portant%

    #o run !M#P on the front$end ser"er and enable it to accept inbound mail ?mail for

    &our domains@, &ou must mount a mailbox store on the front$end ser"er' #his mailbox

    store must not contain an& mailboxes' >ou must mount a mailbox store on the front$

    end ser"er because an& non$deli"er& reports ?D3s@ must be routed throuh the

    mailbox store for formattin'

    #o confiure !M#P so that P5P and /MAP clients can submit mail to external domains, &ou

    must allo rela&in'

    +& default, Exchane allos rela&in onl& from authenticated clients' /t is recommended that

    &ou %eep this default' Clients such as Microsoft 5utloo% Express 6'0 and Microsoft 5ffice5utloo% 200-, and pre"ious "ersions of 5utloo% Express and 5utloo% support !M#P

    authentication in addition to #ransport 9a&er !ecurit& ?#9!@ encr&ption'

    >ou should not allo rela&in in either of the folloin a&s:

    >ou should not allo anon&mous rela&in to all /P addressesH if &our front$end ser"er is

    connected to the /nternet, doin this allos an&one on the /nternet to use &our ser"er to

    send mail'

    >ou should not allo rela&in from specific client /P addresses' E"en if &ou are familiar

    ith the subnet from hich clients send mail, the /nternet en"ironment ma%es it difficult to

    determine such a specific set of /P addresses'

    $ote%

    /f &ou ant the front$end ser"er to act as the bridehead ser"er beteen &our

    compan& and the /nternet, it is recommended that the ser"er on the /nternet that

    accepts mail for &our domains has the abilit& to scan incomin messaes for "iruses'
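The relay rules described above, as an added example that is not Exchange code and not part of this guide: a small policy evaluator that decides whether an SMTP submission is inbound delivery or relaying, and applies the default "authenticated clients only" rule beside the two configurations the text warns against. The policy names, the local domain, the client addresses and the requirement that SMTP AUTH only be accepted after STARTTLS are all constructed values or design choices of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed sample value: the domain this server accepts inbound mail for.
LOCAL_DOMAINS = {"adatum.com"}


@dataclass(frozen=True)
class Session:
    """What the SMTP server knows about the submitting client."""
    client_ip: str
    authenticated: bool   # client completed SMTP AUTH
    tls: bool             # session negotiated STARTTLS


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(session: Session, recipient: str, policy: str,
                   trusted_nets=()) -> Tuple[bool, str]:
    """Decide whether RCPT TO for `recipient` is accepted under a relay policy.

    Policy names are this example's own labels for the three configurations:
      "authenticated"  - Exchange default: relay only for authenticated clients
      "anonymous_all"  - relay for every IP address (an open relay)
      "anonymous_ips"  - relay for any client inside `trusted_nets`
    Mail for a local domain is inbound delivery, not relaying, and is accepted
    under every policy.
    """
    if recipient_domain(recipient) in LOCAL_DOMAINS:
        return True, "inbound delivery for a local domain"
    if policy == "authenticated":
        if session.authenticated:
            return True, "relay: authenticated client"
        return False, "relay denied: client not authenticated"
    if policy == "anonymous_all":
        return True, "relay: anonymous relay for all addresses (open relay)"
    if policy == "anonymous_ips":
        src = ip_address(session.client_ip)
        if any(src in ip_network(net) for net in trusted_nets):
            return True, "relay: client inside a trusted address range"
        return False, "relay denied: client outside trusted address ranges"
    raise ValueError(f"unknown policy {policy!r}")


def accepts_auth(session: Session) -> bool:
    """Hardening choice assumed by this example (not stated on the page):
    accept SMTP AUTH credentials only after STARTTLS, so the password is
    never sent in clear text."""
    return session.tls


def open_relay_count(policy: str, sessions, trusted_nets=()) -> int:
    """How many of the given unauthenticated Internet sessions could relay
    to an external domain under `policy`."""
    return sum(
        1 for s in sessions
        if relay_decision(s, "someone@example.net", policy, trusted_nets)[0]
    )


# Constructed sample sessions: two arbitrary Internet hosts and one host on a
# subnet the administrator believes belongs to the company's own clients.
INTERNET_SESSIONS = [
    Session("203.0.113.7", authenticated=False, tls=False),
    Session("198.51.100.9", authenticated=False, tls=True),
    Session("192.0.2.25", authenticated=False, tls=False),
]
AUTHENTICATED = Session("203.0.113.7", authenticated=True, tls=True)

if __name__ == "__main__":
    for policy in ("authenticated", "anonymous_all", "anonymous_ips"):
        n = open_relay_count(policy, INTERNET_SESSIONS, trusted_nets=["192.0.2.0/24"])
        print(f"{policy:14s} lets {n} of {len(INTERNET_SESSIONS)} anonymous Internet hosts relay")
    print(relay_decision(AUTHENTICATED, "someone@example.net", "authenticated"))
```

Only the default policy leaves every anonymous Internet host unable to relay; the address-range policy still relays for whichever hosts happen to fall inside the range the administrator guessed, which is the point the text makes about how hard that set is to pin down.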


Note:
For more information, see the Exchange technical guide, Exchange Server 2003 Transport and Routing Guide.

Supporting HTTP Access

Whether generated by a browser or a specialized client, HTTP requests from the client computer are sent to the front-end server. The front-end server uses Active Directory to determine which back-end server to proxy the request to.

After determining the appropriate back-end server, the front-end server forwards the request to the back-end server. Apart from specific header information that indicates the request was passed through a front-end server, the request is almost the same as the original request sent from the client. In particular, the HTTP host header, which matches the name of the front-end server to which the request was sent (meaning the hostname or fully qualified domain name that the user entered in the browser), remains unchanged. The front-end server contacts the back-end server using the hostname of the back-end server (for example, backend1), but in the HTTP headers of the request, the front-end server sends the host header used by the client, for example, www.adatum.com. The host header setting ensures that the appropriate back-end Exchange virtual server handles the request. For more information about configuring virtual servers on a back-end server, see Configuring a Back-End Server.

For HTTP requests, the front-end server always contacts the back-end server over TCP port 80 (the default HTTP port), regardless of whether the client contacted the front-end server through port 80 or 443 (the SSL port). This means that:

HTTP virtual servers on the Exchange front-end server can listen only on port 80 (HTTP) or 443 (HTTPS).

Note:
No ports other than port 80 and port 443 can be used for HTTP virtual servers on the Exchange front-end servers.

SSL encryption is never used between the front-end and back-end servers, although the client should use it to communicate with the front-end server.

HTTP virtual servers that differentiate themselves from other servers only by port number are not supported in a front-end and back-end topology. For example, if a back-end server has an HTTP virtual server listening on port 8080, a client can access that back-end server only if the client is pointed directly to the back-end server (for example, http://backend1:8080/data). A client connecting to the front-end server cannot access this data.


The back-end server processes the HTTP request from the front-end normally, and the response is sent unchanged through the front-end server back to the client. This whole process is not visible to the client, which just interacts with the front-end server. The client is unaware of how the request was handled internally.
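The front-end proxy behaviour described above, and the "Front-End-Https: on" header that the SSL offloading discussion later in this guide relies on, as an added example that is not Exchange code and not part of the original guide. It models the hop from front-end to back-end: the client's Host header is preserved, the back-end is always contacted on port 80, the front-end refuses to listen on anything but 80 or 443, and the header marks a request that arrived over SSL so the back-end can build absolute https links. Hostnames, the request and the link-building helper are constructed for this example.

```python
from dataclasses import dataclass

# From the text: the front-end always reaches the back-end on port 80, and its
# own HTTP virtual servers may listen only on 80 or 443.
BACK_END_PORT = 80
FRONT_END_LISTEN_PORTS = {80, 443}


@dataclass
class ClientRequest:
    method: str
    path: str
    headers: dict
    front_end_port: int   # port on the front-end that the client connected to


@dataclass
class ProxiedRequest:
    connect_host: str     # hostname of the back-end (for example backend1)
    connect_port: int
    method: str
    path: str
    headers: dict


def front_end_can_serve(port: int) -> bool:
    """A front-end HTTP virtual server can exist only on 80 or 443."""
    return port in FRONT_END_LISTEN_PORTS


def proxy_to_back_end(req: ClientRequest, back_end_host: str) -> ProxiedRequest:
    """Rebuild a client request for the plain-HTTP hop to the back-end."""
    if not front_end_can_serve(req.front_end_port):
        raise ValueError(
            f"front-end HTTP virtual servers listen only on 80 or 443, not {req.front_end_port}")
    if "Host" not in req.headers:
        raise ValueError("client request has no Host header")
    headers = dict(req.headers)
    # The Host header stays exactly as the client sent it (for example
    # www.adatum.com): the back-end uses it to pick the right virtual server.
    if req.front_end_port == 443:
        # The client used SSL but the FE->BE hop is plain HTTP, so tell the back-end.
        headers["Front-End-Https"] = "on"
    return ProxiedRequest(back_end_host, BACK_END_PORT, req.method, req.path, headers)


def back_end_absolute_url(proxied: ProxiedRequest, path: str) -> str:
    """Constructed helper: the absolute link a back-end would emit for `path`.
    The scheme comes from Front-End-Https and the host from the preserved Host
    header, so the link points at the front-end name the user typed."""
    scheme = "https" if proxied.headers.get("Front-End-Https") == "on" else "http"
    return f"{scheme}://{proxied.headers['Host']}{path}"


# Constructed sample request: the user browsed to https://www.adatum.com/exchange/
SAMPLE = ClientRequest("GET", "/exchange/",
                       {"Host": "www.adatum.com", "User-Agent": "sample"}, 443)

if __name__ == "__main__":
    proxied = proxy_to_back_end(SAMPLE, "backend1")
    print(proxied.connect_host, proxied.connect_port, proxied.headers)
    print(back_end_absolute_url(proxied, "/exchange/inbox/"))
```

Without the marker header the back-end would emit http links for a session the user started over https, which is why an external SSL device in front of the front-end must be able to add it.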

Finding User Mailboxes

To provide access to mailbox folders through HTTP, you must have a virtual directory on both the Exchange front-end and back-end servers that points to the mailboxes.

Note:


the user name and sent to the correct back-end server. This is known as implicit logon. Implicit logon is useful only for logging on to Outlook Web Access; specialized HTTP clients generally do not use implicit logon.

Exchange 2000 Server SP3 and Exchange Server 2003

Implicit logon makes use of the SMTP domain specified on the HTTP virtual directory to identify the user. Therefore, users connecting to that virtual server must have an e-mail address in their list of SMTP proxy addresses on their object in Active Directory with the same domain.

Exchange Server 2003 SP1

Implicit logon no longer relies exclusively on the SMTP domain specified. All the user information can be gleaned from their logon.


Simplifying the Outlook Web Access URL

Change Password Feature

If you are using Outlook Web Access, you can enable the Change Password feature in IIS to:

Alert users when their passwords expire.

Enable users to use the Options button in Outlook Web Access to change their passwords.

Keep in mind that if you want to use the Change Password feature, you must also use SSL between clients and the front-end server to secure the password during transmission. Additionally, you must create a virtual directory named IISADMPWD on the front-end server and back-end servers to handle the Change Password requests.

Note:
The only time you must require SSL on a back-end server is when you want users to be able to connect to the back-end server directly. Remember, however, that front-end servers cannot use SSL when connecting to back-end servers. Therefore, if you require SSL on the back-end server, ensure that you do not require SSL on the following directories so that front-end servers can still connect to them: Exchange, Public, ExchWeb, Exadmin, and any mailbox or public folder virtual roots.

For more information about how to configure the Change Password feature, see Microsoft Knowledge Base article 327134, "XCCC: HOW TO:


HTTP. Identical virtual directories must exist on each front-end server and on all back-end servers that host the public folder tree.

A request made to a


    +u"lic folder referral through a front-end server

    1' An 4##P client authenticates aainst the front$end ser"er and reuests

    GpublicGPublic*older2'

    2' #he front$end ser"er authenticates the user aainst Acti"e Director& and reuests the

    location of the userFs default public folder store'

    -' Acti"e Director& indicates to the front$end ser"er that the userFs default public folder store

    is on !er"er1'

    8' #he front$end ser"er sends the client reuest to !er"er1'

    ' !er"er1 tells the front$end ser"er that it does not ha"e the contents of

    GpublicGPublic*older2, but !er"er2 and !er"er- do'

    6' #he front$end ser"er performs a hashin alorithm aainst the list of ser"ers ith the

    content ?in this case, !er"er2 and !er"er-@' #he results of the hash in this case turn out

    to be !er"er2, so the front$end ser"er forards the reuest to !er"er2'

    $ote%

    A hashin alorithm applies a i"en number ?in this case, the userFs securit&

    to%en@ and uses it to enerate a position in a list so that the distribution of all

    possible inputs is e"en o"er the list'

    ;' !er"er2 returns the contents of GpublicGPublic*older2 to the front$end ser"er, hich then

    sends the contents to the 4##P client'


The Default (MAPI) Public Folder Tree

When a client accesses the default public folder tree in Outlook Web Access, an attempt is made to maintain parity with MAPI clients such as Outlook. Each mailbox store is associated with a particular public folder store somewhere in the organization (sometimes on the same server as the mailbox store, sometimes on a dedicated public folder server). The public folder store associated with the user's mailbox store is the public folder store that displays the public folder hierarchy (tree) in Outlook.

When a user requests a public folder in the default public folder tree through HTTP, the front-end server authenticates the user and looks up the user in Active Directory to see which public store is associated with that user's mailbox store. The front-end server then forwards the request to the user's public folder server.

Note that if the front-end server is not configured to authenticate users, requests for public folders are not load balanced.

General-Purpose Public Folder Trees

Default public folder tree servers have an association with mailbox stores because of their MAPI heritage; general-purpose public folder trees do not have such an association. As a result, requests for folders in general-purpose public folder trees are handled slightly differently than requests for folders in the default public folder tree.

When a client makes a request to access a general-purpose public folder tree, the front-end server first contacts Active Directory to find a list of all servers running Exchange 2000 Server or Exchange Server 2003 in the organization that have a replica of the particular general-purpose public folder tree that the client is attempting to access.

Note:
General-purpose public folder trees are not available in Exchange Server 5.5.

The front-end server then uses the user's authentication token in a hashing algorithm against the list of servers to ensure that:


When Content Is Not Available on the Back-End Server

The front-end and back-end topology has special handling for times when the back-end server receives a request for a public folder for which it does not have a replica. This handling occurs for folders in the default public folder store in addition to folders in general-purpose public folder trees.

When a back-end server receives such a request, it returns a list of the servers that have the contents of the requested folder. The front-end server does not pass this information back to the client, but runs the same hashing algorithm against the new list of servers again, to ensure load balancing and consistent views. As a result, in organizations that use partial replicas of public folder trees, the front-end server may have to perform two HTTP requests to satisfy the client's single request. However, in processing the client's request, the front-end server caches information about which servers have the content, allowing the front-end server to avoid extra requests when data in the same folder is accessed in the future.

The caches maintained by the front-end server substantially reduce the number of queries sent to Active Directory and back-end servers for both public and private folder accesses. Cache information expires after ten minutes and is also reset when changes in server configuration are detected.

Note:
Exchange 5.5 servers cannot be selected because they do not support the required HTTP WebDAV extensions.

Back-End Server Downtime

If a back-end server is down for maintenance or is otherwise inaccessible over HTTP, the front-end server cannot connect to it. The front-end server marks that server "unavailable" for a period of 10 minutes and sends the request to a different server if there are other servers available; the request fails if no other servers are available. While the back-end server is unavailable, the front-end server automatically directs requests to other servers. Therefore, after a back-end server returns to production, it might be inaccessible through the front-end server for as long as 10 minutes, because the front-end server might still have that back-end server marked as unavailable.

This process significantly increases reliability for public folder access. The front-end server will attempt to contact multiple back-end servers for the data, whereas a client connecting directly to a back-end server will not.
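The referral hashing (the numbered walkthrough and "When Content Is Not Available" above), the ten-minute replica cache, and the ten-minute "unavailable" marking from "Back-End Server Downtime", as one added example that is not Exchange code and not part of this guide. The page does not name the hash Exchange uses; SHA-256 of the token reduced modulo the sorted replica list is this example's stand-in, and the folder, server names, token and injectable clock are constructed so the scenario runs offline.

```python
import hashlib
import time

UNAVAILABLE_SECONDS = 10 * 60   # back-end is marked "unavailable" for 10 minutes
CACHE_SECONDS = 10 * 60         # replica information expires after ten minutes


def pick_server(token: bytes, servers) -> str:
    """Map a user's security token onto one position in the replica list.

    Sorting first means every front-end holding the same set of servers
    derives the same position; the digest spreads tokens evenly over the list.
    (SHA-256 modulo list length is this example's choice, not Exchange's.)
    """
    ordered = sorted(servers)
    if not ordered:
        raise ValueError("no server holds a replica of this folder")
    n = int.from_bytes(hashlib.sha256(token).digest()[:8], "big")
    return ordered[n % len(ordered)]


class FrontEndRouter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.unavailable_since = {}   # server -> time it was marked unavailable
        self.replica_cache = {}       # folder -> (servers, time cached)
        self.referral_lookups = 0     # how often a back-end had to be asked

    def mark_unavailable(self, server: str) -> None:
        self.unavailable_since[server] = self.clock()

    def is_available(self, server: str) -> bool:
        since = self.unavailable_since.get(server)
        return since is None or self.clock() - since >= UNAVAILABLE_SECONDS

    def replicas(self, folder: str, referral) -> tuple:
        """Servers holding `folder`, from the cache or by following a referral.
        `referral(folder)` stands in for the back-end's referral response."""
        entry = self.replica_cache.get(folder)
        if entry is None or self.clock() - entry[1] >= CACHE_SECONDS:
            self.referral_lookups += 1
            entry = (tuple(referral(folder)), self.clock())
            self.replica_cache[folder] = entry
        return entry[0]

    def route(self, token: bytes, folder: str, referral) -> str:
        """Pick the back-end for this user, skipping servers marked unavailable."""
        candidates = [s for s in self.replicas(folder, referral) if self.is_available(s)]
        if not candidates:
            raise RuntimeError(f"no available server has {folder}")
        return pick_server(token, candidates)


# Constructed sample data: the replica list a back-end would report.
REPLICAS = {"/public/PublicFolder2": ["Server2", "Server3"]}
TOKEN = b"S-1-5-21-1234567890-1234-5678-1001"   # constructed SID-like token


def demo():
    """One user, one folder: normal routing, failover, and recovery after 10 minutes."""
    clock = [0.0]
    router = FrontEndRouter(clock=lambda: clock[0])
    referral = lambda folder: REPLICAS[folder]
    first = router.route(TOKEN, "/public/PublicFolder2", referral)
    router.mark_unavailable(first)                  # that server stops answering
    failover = router.route(TOKEN, "/public/PublicFolder2", referral)
    clock[0] += UNAVAILABLE_SECONDS                 # 10 minutes pass
    recovered = router.route(TOKEN, "/public/PublicFolder2", referral)
    return first, failover, recovered, router.referral_lookups


if __name__ == "__main__":
    print(demo())
```

Both front-end behaviours the text describes fall out of the same structure: the user lands on the same replica every time while the list is stable, moves to the other replica while one is marked unavailable, and the replica list is fetched again only once the ten-minute cache entry has aged out.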

Adding or Removing Back-End Servers

The goal of the hashing algorithm is load balancing; however, a condition of the algorithm is that the distribution of users across servers depends on the number of servers. Therefore, if the list of servers hosting the content for a public folder changes because of the addition or removal of a server, the result of the hashing algorithm may direct the user to a new server for future requests. Typically, when the server processing a user's request changes, the user cannot tell that anything physical changed, with the exception of the following:


Before You Begin

Before you perform the procedures in this topic, it is important that you first read "How a Front-End and Back-End Topology Works" in the Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Server Topology Guide.

To successfully complete the procedures in this topic, confirm the following:

The front-end server has authentication enabled.

Procedure

To simplify the Outlook Web Access URL

1.


Note:
Anonymous authentication on the front-end server is required when it is located in a perimeter network and cannot use Remote Procedure Calls. This is not a recommended scenario, as user access cannot be blocked by the front-end server. For more information about pass-through authentication, see "Pass-Through Authentication" later in this topic.

Important:
It is strongly recommended that you use dual authentication, in which you configure both front-end and back-end servers to authenticate users. For more information, see "Dual Authentication" later in this topic.

Dual Authentication

By default, dual authentication is used with front-end and back-end servers. In dual authentication, both front-end and back-end servers are configured to authenticate users. You should configure front-end servers to perform authentication whenever possible. If you cannot enable authentication on the front-end server, implicit logon does not work, and you cannot load-balance public folder requests. You can use explicit logon to gain access, regardless of how authentication is configured.

Note:
Exchange relies on IIS to authenticate HTTP requests. IIS uses RPCs to directory servers to do authentication. If RPCs are not allowed between the front-end server and the directory server, you must use pass-through authentication. For more information about how to enable pass-through authentication and the risks of doing so, see "Pass-Through Authentication" later in this topic.

Pass-Through Authentication

In pass-through authentication, the front-end server is configured with anonymous authentication, so it does not ask the user for an authorization header. The front-end server forwards the user's request to the back-end server, which asks the user for authentication. The back-end server's request for authentication and the user's response are routed unchanged through the front-end server.

Note:
When you use pass-through authentication, anonymous HTTP requests go directly to the back-end server where they are authenticated. You should use pass-through authentication only if absolutely necessary. The recommended strategy is to place an advanced firewall in the perimeter network and the front-end server behind the internal firewall, so that it has full RPC access to the internal network. If you do want to place the front-end server in the perimeter network, it may be more secure to allow RPCs than to allow anonymous requests to reach back-end servers, because pass-through authentication allows requests from any source, valid or invalid, to be passed to your back-end servers. For more information, see Scenarios for Deploying a Front-End and Back-End Topology.

When pass-through authentication is used, the front-end server cannot load-balance public folder requests, because it does not have the authentication token on which to perform a hashing algorithm. Additionally, implicit logon will not work.


prompts them for authentication and they must re-enter their credentials, even if they already used Windows to log on.

Note:
Both Exchange 2003 and Exchange 2000 back-end servers will support integrated authentication from an Exchange 2003 front-end server.

Basic Authentication

The front-end proxies the basic authentication credentials to the back-end servers. To secure this information, it is highly recommended that IPSec be used between the front-end and back-end servers.

Note:
Basic authentication between the front-end and back-end servers is supported by both Exchange 2000 and Exchange 2003 front-end servers.

User Logon Information

When authenticating against a front-end server, by default, the user must enter his or her user name in the following format: domain\username. You can configure the front-end server to assume a default domain so that users do not need to remember their domain.

An additional option for authentication is to configure a user principal name (


Features Lost by Placing an Exchange Front-End Server in the Perimeter Network without RPC Access

Important:
This section applies if you place an Exchange front-end server in the perimeter network and do not allow RPC traffic across the internal firewall.

Corporations that have perimeter networks often restrict the type of traffic that passes from the perimeter network into the corporate intranet.

Without RPC access to Active Directory servers, the front-end server cannot authenticate clients. Therefore, features that require authentication on the front-end server (such as implicit logon and public folder tree load balancing) will not work. Public folder access is possible, but the front-end server cannot load-balance the requests because the front-end server cannot determine the identity of the user. Without the user's authentication token, the front-end server cannot perform the load balancing hashing algorithm. As a result, all anonymous requests for a public folder are routed to the same back-end server.

Note:
It is recommended that you use an advanced firewall server (such as ISA Server) rather than the front-end server in the perimeter network. For more information, see Advanced Firewall in a Perimeter Network.

Note:
IMAP and POP clients require SMTP for sending e-mail messages. If you do not allow RPC traffic across the internal firewall, you cannot run SMTP on the front-end server to support IMAP and POP clients because when RPC traffic is blocked, MSExchangeIS does not run on the front-end server. However, you can set up a separate server to perform SMTP functions for IMAP and POP clients.

If RPC ports are not allowed between the perimeter network and the corporate intranet, you must use pass-through authentication. With pass-through authentication, the front-end server passes requests to the back-end anonymously, and then the back-end server performs the authentication.


Considerations When Deploying a Front-End and Back-End Topology

When deploying a front-end and back-end topology, you must account for several factors, including expected load, hardware needs, administrative overhead, load balancing, and security. The following sections cover these factors in more detail.

Do Not Cluster Front End Servers

Clustering the Exchange front-end servers does not offer any performance benefit. Front-end servers are stateless, so performance is much better having two separate servers sharing connections (or Network Load Balanced) rather than clustering them.

Recommended Server Configurations and Ratios

Server configuration depends on many factors, including the number of users for each back-end server, the protocols used, and the expected load on the system. The configuration of particular models of servers should be done in consultation with a hardware vendor or consultant.

Generally, one front-end server is reasonable for every four back-end servers. However, this number is provided only as a suggested ratio and starting point, not as a rule. Front-end servers do not need large or particularly fast disk storage, but should have fast CPU


IP address. Each member of the NLB cluster performs a hashing algorithm to map incoming clients to one of the members of the NLB cluster based on the client IP address, port, and other information. When a packet arrives, all servers or hosts perform the same hashing algorithm, and the output is one of the hosts. That host then responds to the packet. The mapping does not change unless the number of hosts in the NLB cluster changes. The configuration of every server in the NLB cluster must be the same, otherwise clients may experience different behavior depending on which server they are routed to.

Note:
NLB has no health monitoring; if the World Wide Web Publishing Service on a front-end server is not running, for example, NLB continues to send requests to that server. You can run Microsoft Application Center 2000 on a front-end server to set up NLB and monitor the health of load-balanced servers. (However, you cannot manage Exchange resources or replicate Exchange configuration information through Application Center.) For more information about Application Center, see the Microsoft Application Center Web site.

Although it is not required, you should ensure that each user is always sent to the same front-end server for the duration of a session. This uses the Secure Sockets Layer (SSL) handshake caching and connection state information already maintained on the front-end server. Additionally, this is required for forms-based authentication, as only the front-end server that issues the cookie can decrypt it. In NLB, this is referred to as "client affinity." Many hardware solutions also have this ability.

Note:
Advanced firewall servers may affect your ability to NLB-cluster your front-end servers, particularly if they mask the incoming client IP address. For more information, see the product documentation or contact your manufacturer for more details.

Reducing Virtual Server Creation

In some circumstances, it could be important to reduce the number of virtual servers created on the back-end servers. You should not reduce the number of virtual servers unless you fully understand how HTTP virtual servers work. You can reduce virtual server creation by either of two methods.

Analyze the users and data on each back-end server to determine if users will ever be directed to that particular server. If a back-end server contains mailboxes for only adatum.com, there is no need for that back-end server to have a virtual server for contoso.com. If users from contoso.com are later added to that back-end server, however, an administrator may need to create a virtual server for contoso.com.

Similarly, you only have to create virtual directories for resources your users will require access to. On a server that has no public store, the public virtual directory is not required.


Using Firewalls in a Front-End and Back-End Topology

If your network is visible to the Internet, it is highly recommended that you use either a software or hardware firewall solution. Firewalls control traffic to the network by using such methods as port filtering, IP filtering, and, in advanced firewall solutions, application filtering.

There are several options for incorporating a firewall into a front-end and back-end topology; Scenarios for Deploying a Front-End and Back-End Topology describes these options. Generally, it is recommended that you use an advanced firewall server in your topology (for more information about using an advanced firewall, see Advanced Firewall in a Perimeter Network).

Port Filtering

At a minimum, any firewall you use to help protect servers from the Internet must use port filtering. Port filtering restricts the type of network traffic that comes through the firewall by allowing access only to information sent to specific ports. For example, you may configure the firewall facing the Internet to accept only HTTPS traffic by opening TCP/IP port 443.

The following two sections describe two important concepts related to TCP/IP connections: source port versus destination port, and direction of the TCP/IP connection.

Source Port versus Destination Port

When computer A opens a TCP/IP connection to computer B, two ports are used: the source port (on computer A), and the destination port (on computer B). The network stack on the computer that initiates the connection generally selects source ports at random. Destination ports are the ports on which the specified service is listening (for example, port 443 for HTTPS). In this guide, any reference to a port used by a specific service refers to the destination port.

Direction of the TCP Connection

When you open firewall ports, most firewalls require you to specify the direction of the connection. For example, to allow a front-end server to contact back-end servers, you must open port 80 for HTTP traffic. However, back-end servers never initiate new TCP/IP connections to the front-end server; they only respond to requests that were initiated by the front-end. Therefore, on your firewall, you only need to allow HTTP port 80 connections from the front-end to the back-end. In this guide, such connections are referred to as "inbound" (in other words, the connections are inbound to the corporate network).
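The two concepts just described, destination-port matching and connection direction, as an added example that is not part of this guide: a minimal stateful packet filter in which rules name only the initiating side and the service (destination) port, never the random source port, and reply packets pass only because they belong to a connection the permitted side opened. The addresses, rule names and packets are constructed for the example; the internal firewall here models the front-end to back-end rule from the text, and the Internet-facing one the HTTPS-only rule from "Port Filtering".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """Permit new connections from `src` to `dst` on destination port `dport`."""
    name: str
    src: str      # network allowed to initiate the connection
    dst: str      # network being reached
    dport: int    # destination port, the port the service listens on


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool     # True for the first packet of a new TCP connection


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        # (initiator_ip, initiator_port, responder_ip, responder_port)
        self.established = set()

    def _permits_new(self, p: Packet):
        for r in self.rules:
            if (ip_address(p.src_ip) in ip_network(r.src)
                    and ip_address(p.dst_ip) in ip_network(r.dst)
                    and p.dst_port == r.dport):      # source port is never consulted
                return r.name
        return None

    def allow(self, p: Packet) -> bool:
        """Accept a packet: new connections must match a rule in the initiating
        direction; later packets must belong to an established flow."""
        if p.syn:
            if self._permits_new(p) is None:
                return False
            self.established.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        forward = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reply = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return forward in self.established or reply in self.established


# Constructed addresses: front-end 192.0.2.10 in the perimeter network,
# back-end servers on 10.0.0.0/24, Internet clients on 203.0.113.0/24.
INTERNAL_FIREWALL = StatefulFilter([
    Rule("FE->BE HTTP", src="192.0.2.10/32", dst="10.0.0.0/24", dport=80),
])
INTERNET_FIREWALL = StatefulFilter([
    Rule("Internet->FE HTTPS", src="0.0.0.0/0", dst="192.0.2.10/32", dport=443),
])


def scenario():
    """Five packets, returned as (allowed?) in order:
    FE opens HTTP to BE, BE replies on that flow, BE tries to open HTTP to FE,
    Internet client opens HTTPS to FE, Internet client opens plain HTTP to FE."""
    fw = INTERNAL_FIREWALL
    fe_to_be = fw.allow(Packet("192.0.2.10", 49152, "10.0.0.5", 80, syn=True))
    be_reply = fw.allow(Packet("10.0.0.5", 80, "192.0.2.10", 49152, syn=False))
    be_initiates = fw.allow(Packet("10.0.0.5", 49153, "192.0.2.10", 80, syn=True))
    internet_https = INTERNET_FIREWALL.allow(Packet("203.0.113.7", 50000, "192.0.2.10", 443, syn=True))
    internet_http = INTERNET_FIREWALL.allow(Packet("203.0.113.7", 50001, "192.0.2.10", 80, syn=True))
    return fe_to_be, be_reply, be_initiates, internet_https, internet_http


if __name__ == "__main__":
    print(scenario())
```

The back-end's reply packet carries source port 80 and a random destination port, yet it passes without any rule of its own, which is exactly why the text says only the front-end to back-end direction on port 80 needs to be opened.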


IP Filtering

Many firewall solutions also support IP filtering. IP filtering improves the reliability of the firewall by allowing you to restrict traffic through the firewall to specific servers. For example, in a perimeter network, you may want to configure DSAccess to use specific domain controllers and global catalog servers, and then use IP filtering to ensure that the front-end servers connect to only those domain controllers and global catalog servers.

Application Filtering

Advanced firewalls such as ISA Server can provide advanced inspection at the application protocol level. This inspection allows the firewall to perform functions such as filtering RPC interfaces and validating HTTP request syntax. Application filtering is the main reason why using an advanced firewall in your topology provides the most security.

Helping to Secure Communication: Client to Front-End Server

To help secure data transmitted between the client and the front-end server, it is highly recommended that the front-end server be SSL-enabled. Additionally, to ensure that user data is always secure, access to the front-end server without SSL should be disabled (this is an option in the SSL configuration). When using basic authentication, it is critical to protect the network traffic by using SSL to protect user passwords from network packet sniffing.

Note:
If you do not use SSL between clients and the front-end server, data transmission to your front-end server will not be secure. It is highly recommended that you configure the front-end server to require SSL.

It is recommended that you obtain an SSL certificate by purchasing a certificate from one of a number of third-party certification authorities. Purchasing a certificate from a certification authority is the preferred method because the majority of browsers already trust many of these certification authorities.

Alternately, you can use Microsoft Certificate Server to install your own certification authorities. Although installing your own certification authority may be less expensive, browsers will not trust your certificate, and users will receive a warning message indicating that the certificate is not trusted.

For more information, see Microsoft Knowledge Base article 320291, "XCCC: Turning on SSL for Exchange 2000 Server Outlook Web Access."


Configuring SSL in a Front-End and Back-End Topology

You do not need to configure SSL on back-end servers when using a front-end server, because the front-end server does not support using SSL to communicate with back-end servers. You can configure SSL on the back-end servers for use by clients that are directly accessing them.

When HTTP is used to access data, back-end servers need to generate absolute


Accelerator cards are generally used directly on the front-end server, and they offload the encryption and decryption overhead. This increases the throughput of each connection and decreases the amount of work the software on the server must do.

External accelerator devices sit between the clients and the front-end servers. Traffic coming from the client is decrypted on the accelerator device and sent to the front-end server unencrypted. Likewise, traffic from the front-end server is sent to the accelerator device unencrypted, and then it is encrypted for transmission to the client.

The most important factor to consider when choosing what type of SSL accelerator to use is the number of front-end servers in your topology. If you have a small number of front-end servers, adding SSL accelerator cards to each of them is a simple, cost-effective way to offload SSL duties. Because the SSL decryption is done on the front-end server, there is no need for extra configuration of the "Front-End-Https: on" header for Outlook Web Access.

For a large number of front-end servers, the cost of additional accelerator cards and the administrative cost of storing and configuring SSL certificates on each server eventually cease to be cost effective. In this case, a separate SSL accelerator device may be a more cost effective option for your topology because it needs to be configured only once, regardless of the number of front-end servers. These devices generally cost more than an accelerator card, so weigh the options in your own topology to determine which to use. Keep in mind that for Outlook Web Access, an external SSL device must be able to notify the front-end server that SSL was used, with the "Front-End-Https: on" header.

SSL Offloading

If there is a separate server between the client and the front-end server that is offloading the SSL decryption, the front-end server is unaware that the original request was created using SSL. In this case, that server must be able to pass the "Front-End-Https: on" header to the front-end server, which then passes it to the back-end server.

If your SSL offloading server does not support adding a custom header, you can install an

    /nternet !er"er Application Prorammin /nterface ?/!AP/@ on the front$end ser"er to add this

    header' *or information, see the Microsoft nolede +ase article -2;00, =4o to confiure

    !!9 5ffloadin for 5utloo% eb Access in Exchane 2000 !er"er and in Exchane !er"er

    200-'= Alternati"el&, &ou can confiure !!9 beteen the !!9 decr&ption ser"er and the front$

    end ser"er' 4oe"er, if &ou added that separate ser"er to offload the additional traffic caused

    b& !!9 encr&ption and decr&ption, this method defeats that purpose' #his method ould stillallo that separate ser"er to filter the traffic'
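The header handling just described, as an added example that is not code from the guide: a small Python model of a front-end that honours "Front-End-Https: on" only when it arrives from a known SSL-offloading device, forwards it to the back-end, and shows how the back-end's absolute URLs change with it. The trusted address range, the function names and the sample addresses are assumptions.

```python
"""Model of how an Exchange front-end should treat the "Front-End-Https: on"
header injected by an SSL-offloading device. Added illustration, not code from
the guide; the trusted-device list and helper names are assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: address range of the SSL accelerator devices that are
# permitted to assert "Front-End-Https: on" on the front-end's behalf.
TRUSTED_OFFLOADERS = [ip_network("10.0.1.0/24")]

HEADER = "front-end-https"


def request_was_https(headers: dict, peer_ip: str, tls_on_socket: bool) -> bool:
    """Return True when the client's original request arrived over SSL.

    - If the front-end terminated SSL itself (accelerator card or plain SSL),
      the socket already tells us.
    - Otherwise honour "Front-End-Https: on" only when it comes from a known
      offloading device; the same header from any other peer is discarded so
      that an arbitrary client cannot decide the scheme the back-end uses.
    """
    if tls_on_socket:
        return True
    peer = ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_OFFLOADERS):
        return False
    value = {k.lower(): v for k, v in headers.items()}.get(HEADER, "")
    return value.strip().lower() == "on"


def forward_headers(headers: dict, peer_ip: str, tls_on_socket: bool) -> dict:
    """Build the header set the front-end proxies to the back-end.

    The back-end builds absolute URLs from this header, so it must be present
    exactly when the client used SSL and absent otherwise.
    """
    out = {k: v for k, v in headers.items() if k.lower() != HEADER}
    if request_was_https(headers, peer_ip, tls_on_socket):
        out["Front-End-Https"] = "on"
    return out


def absolute_url(forwarded: dict, host: str, path: str) -> str:
    """What the back-end does with the forwarded header: choose the scheme."""
    on = forwarded.get("Front-End-Https", "").strip().lower() == "on"
    return f"{'https' if on else 'http'}://{host}{path}"


if __name__ == "__main__":
    # Constructed request from the offloader: it decrypted the client's
    # session and records that fact in the custom header.
    hdrs = {"Host": "mail.example.com", "Front-End-Https": "on"}
    fwd = forward_headers(hdrs, "10.0.1.5", tls_on_socket=False)
    print(absolute_url(fwd, "mail.example.com", "/exchange/user/Inbox/"))
    # The same header from an address outside the offloader range is dropped.
    fwd2 = forward_headers(hdrs, "203.0.113.9", tls_on_socket=False)
    print(absolute_url(fwd2, "mail.example.com", "/exchange/user/Inbox/"))
```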


Forms-Based Authentication

If you are using forms-based authentication with SSL offloading, you will need to configure your Exchange front-end servers to be able to handle this scenario. For detailed instructions, see How to Enable Forms-Based Authentication When

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA

3. On the Edit menu, point to New, and then click DWORD Value.

4. In the details pane, name the new value SSLOffloaded.

5. Click the SSLOffloaded DWORD value, and then click Modify.

6. In Edit DWORD Value, under Base, click Decimal.

7. In the Value data box, enter the value.

8. Click OK.

Note:
You must restart the W3SVC service for these changes to take effect.

For More Information

For more information, see:

Considerations When Deploying a Front-End and Back-End Topology

"How to Enable Forms-Based Authentication" in the Exchange Server 2003 Client Access Guide.

Securing Communication: Front-End to Other Servers

HTTP, POP, and IMAP communication between the front-end server and any server with which the front-end server communicates (such as back-end servers, domain controllers, and global catalog servers) is not encrypted. When the front-end and back-end servers are in a trusted physical or switched network, this is not a concern. However, if front-end and back-end servers are kept in separate subnets, network traffic may pass over unsecured areas of the network. The security risk increases when there is greater physical distance between the front-end and back-end servers. In this case, it is recommended that this traffic be encrypted to protect passwords and data.

IP Security (IPSec)

Windows supports IPSec, which is an Internet standard that allows a server to encrypt any IP traffic, except traffic that uses broadcast or multicast IP addresses. Generally, you use IPSec to encrypt HTTP traffic; however, you can also use IPSec to encrypt all traffic.

With IPSec you can:

Configure two servers that are running Windows to require trusted network access.

Exchange data that is protected from modification (using a cryptographic checksum on every packet).

Encrypt any traffic between the two servers at the IP layer.

In a front-end and back-end topology, you can use IPSec to encrypt traffic between the front-end and back-end servers that would otherwise not be encrypted.

Related link: http://go.microsoft.com/fwlink/?LinkId=47568

IPSec Protocols

The method in which data is secured using IPSec depends on which protocol is used: Authentication Header (AH) or Encapsulating Security Payload (ESP). With AH, the packets are not encrypted; AH adds a checksum to the IP packet. AH guarantees that the packet came from the expected host, was not impersonated, and was not modified in transit. AH uses IP protocol 51. ESP, which uses IP protocol 50, encrypts the entire contents of the IP packet. Both forms of IPSec provide a reliable and trusted communication channel that an attacker cannot easily insert data into or interrupt.

IPSec encryption affects the performance of both the front-end and back-end servers; the precise extent to which it affects performance, however, depends on the type of encryption used.

IPSec Policy

You should configure IPSec on the back-end servers so that they respond appropriately when they receive a request for IPSec communication. However, the back-end servers should not require that all communication from all clients be encrypted using IPSec.

Windows has three IPSec policies installed by default. Select the "Client (respond only)" policy for the back-end server. With this policy enabled on the back-end server, the front-end server can use IPSec to communicate safely with the back-end server, while other clients (including earlier versions of MAPI clients like Microsoft Office Outlook 2002) and servers can communicate with the back-end server without needing to use IPSec.

IPSec with Firewalls and Filtering Routers

When a firewall or filtering router is used between the front-end and back-end servers, the filters must allow IPSec to pass through it.

Note:
IPSec does not work if there is a Network Address Translation (NAT) server between the perimeter network and the corporate network.

When using IPSec, configure the ports as follows:

HTTP (TCP port

for the negotiation data packets. It establishes and maintains the IPSec connections, named security associations.

IP protocol 50 or 51: Allow either IP protocol 51 (AH) or IP protocol 50 (ESP), depending on the protocol you are using.

UDP port
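Added example, not code from the guide: a small rule evaluator that reports why IPSec between the front-end and back-end servers would fail to cross a firewall or filtering router, using the guide's AH/ESP protocol numbers and its NAT caveat. The Rule format and the sample rule set are constructed, and UDP port 500 for the IKE negotiation traffic is a known value supplied here as an assumption because the page's own port entry is truncated.

```python
"""Check that a filtering device between the front-end and back-end servers
lets the IPSec traffic described above through. Added illustration, not part
of the guide; the rule format is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Protocol numbers stated in the guide: AH is IP protocol 51, ESP is 50.
AH, ESP = 51, 50
IKE_UDP_PORT = 500  # assumption: IKE negotiation port, not given on the page


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp", "ah", "esp", or "ip" (any)
    port: Optional[int] = None  # only meaningful for tcp/udp; None = any port


def permits(rules: List[Rule], proto: str, port: Optional[int] = None) -> bool:
    """First-match evaluation of a rule list; nothing matched means deny."""
    for r in rules:
        proto_ok = r.proto == proto or r.proto == "ip"
        port_ok = r.port is None or r.port == port
        if proto_ok and port_ok:
            return r.action == "allow"
    return False


def ipsec_path_problems(rules: List[Rule], mode: str, nat_in_path: bool) -> List[str]:
    """Return the reasons IPSec between front-end and back-end would fail.

    mode is "ah" or "esp": the guide says to allow whichever one you use.
    """
    problems = []
    if nat_in_path:
        # The guide's note: IPSec does not work across a NAT device.
        problems.append("NAT device between perimeter and corporate network")
    if not permits(rules, "udp", IKE_UDP_PORT):
        problems.append("IKE negotiation (UDP %d) blocked" % IKE_UDP_PORT)
    if mode == "ah" and not permits(rules, "ah"):
        problems.append("IP protocol %d (AH) blocked" % AH)
    if mode == "esp" and not permits(rules, "esp"):
        problems.append("IP protocol %d (ESP) blocked" % ESP)
    return problems


if __name__ == "__main__":
    # Constructed sample rule set: HTTP and IKE open, ESP allowed, AH not.
    sample = [
        Rule("allow", "tcp", 80),
        Rule("allow", "udp", IKE_UDP_PORT),
        Rule("allow", "esp"),
        Rule("deny", "ip"),
    ]
    print(ipsec_path_problems(sample, "esp", nat_in_path=False))
    print(ipsec_path_problems(sample, "ah", nat_in_path=True))
```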


Scenarios for Deploying a Front-End and Back-End Topology

This topic discusses common scenarios where Exchange front-end and back-end topology is deployed. The scenarios can be broadly divided into intranet and extranet scenarios, with the intranet scenarios focused on performance and scalability and the extranet scenarios focused on security.

In each scenario, the following topics are discussed:

Scenario: What is the scenario, and when does it apply?

Setup instructions: How to set up the scenario, in general terms. (Specific configuration instructions are covered later in this guide.)

Discussion: What is special about this scenario? How does it work? What additional information is required to make decisions about this scenario?

Issues: Caveats or limitations of this scenario.

Each of the following four scenarios requires a firewall. You can use software and hardware solutions as a firewall. Port filtering is the minimum requirement for a firewall that protects the server from the Internet.

Advanced Firewall in a Perimeter Network

The following figure illustrates an advanced firewall scenario, in which an advanced firewall is put inside the perimeter network, between the Internet firewall and the internal firewall. Front-end and back-end servers are put in the same network behind the internal firewall. This is the recommended topology for the following reasons:

It provides security by isolating intruders from the rest of the network.

It provides application protocol filtering.

It performs additional verification on requests before it proxies them to the internal network.

Note:
As an alternative to placing the advanced firewall server within a perimeter network behind a separate Internet firewall, the advanced firewall server itself can function as the Internet firewall.

[Figure: Exchange front-end server behind an advanced firewall]

Scenario

A corporation places an advanced firewall such as ISA Server between two separated firewalls. The corporation's decision to set up this advanced firewall topology is based on the following benefits:

Advanced firewalls provide additional security to the network by protecting against unauthorized access, inspecting traffic, and alerting the network administrator to attacks.

Advanced firewalls enable you to use such methods as port filtering and IP filtering to control traffic.

Advanced firewalls allow you to restrict access by users and groups, application type, time of day, content type, and destination sets.

Setup Instructions

For detailed setup instructions, see How to Set

Discussion

ISA Server contains two types of rules:

Server publishing rules: These rules, which can apply to any protocol, inspect incoming requests at the receiving port. If an incoming request is allowed, the protocol rule forwards it from the receiving port to an internal IP address.

Web publishing rules: These rules apply to HTTP or HTTPS (80/443) requests only. You can set up Web publishing rules to filter incoming requests based on the service type, port, source computer name, and destination computer name. You can also allow only specific servers or deny high-risk servers.

If you are supporting HTTP clients, create a Web publishing rule to handle HTTP or HTTPS traffic. If you are supporting POP or IMAP clients, create server publishing rules to handle these protocols.

the request to the front-end server must match the name or IP address of the front-end server.

To configure SSL in ISA Server, use the Bridging tab in the Web publishing server rule to direct SSL traffic. If you are hosting multiple domains and want to use SSL, you must set up a listener and a different IP address for each domain. This is because the certificates must be named so that they match the destination names or IP addresses.

How to Set Up a Front-End and Back-End Topology with an Advanced Firewall in a Perimeter Network

You can create a front-end and back-end topology with an advanced firewall. The following figure illustrates the front-end and back-end scenario with an advanced firewall. In this scenario, you place the advanced firewall server inside the perimeter network and between the Internet firewall and the internal firewall. You place front-end and back-end servers in the same network behind the internal firewall.

[Figure: Exchange front-end server behind an advanced firewall]

Before You Begin

Before you perform the procedure in this topic, it is important that you first read the following:

Scenarios for Deploying a Front-End and Back-End Topology

Knowledge Base article 307347, "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header.")

Front-End Server Behind a Firewall

The following figure illustrates a front-end and back-end topology where the front-end server is behind the firewall.

[Figure: A simple Exchange firewall topology]

Scenario

To achieve security and still provide access to Outlook Web Access, POP, or IMAP from the Internet, a corporation wants to put the Exchange system behind the corporate firewall.

Setup Instructions

For detailed setup instructions, see How to Set

Discussion

Because the whole configuration is inside the firewall, Exchange does not require any special configuration. After a request comes through the firewall to the front-end server, the front-end server returns a response without any configuration changes.

IP address filtering is highly recommended to limit requests through the firewall to only those going to the front-end server (or servers) that are running Exchange, and to block requests through the firewall to other servers in the organization.

How to Set Up a Front-End and Back-End Topology with a Front-End Server Behind a Firewall

You can create a front-end and back-end topology with a front-end server behind a firewall. The following figure illustrates the front-end and back-end scenario with a front-end server behind a firewall.

[Figure: A simple Exchange firewall topology]

Before You Begin

Before you perform the procedure in this topic, it is important that you first read the following:

Scenarios for Deploying a Front-End and Back-End Topology

Scenario

A corporation is deploying Outlook Web Access to 200,000 users. The goal is to have a single namespace (for example, https://mail) in which users can reach their mailboxes. Additionally, for performance reasons, the corporation wants to avoid having a bottleneck at the front-end server or a single point of failure, so they want to spread the load over multiple front-end servers by using Network Load Balancing (NLB). This scenario is referred to as a "Web Farm."

Note:
Although this is the only scenario that depicts NLB, you can use NLB to distribute load among front-end servers in any of the scenarios described in this guide.

Setup Instructions

For detailed setup instructions, see How to Set

you place multiple front-end servers behind a firewall.

[Figure: Front-end and back-end topology in a Web farm]

Before You Begin

Before you perform the procedure in this topic, it is important that you first read the following:

Scenarios for Deploying a Front-End and Back-End Topology

[Figure: Exchange front-end server in a perimeter network]

Scenario

In this figure, the corporation places the front-end server between two separated firewalls. The first firewall separates the front-end server from the Internet and allows requests only to that front-end server. The second firewall separates the front-end server from the internal network. The systems between the two firewalls lie in what is known as a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). A perimeter network configuration provides more security because if the front-end server is compromised, there is still another barrier between the intruder and the rest of the network.

Note:
Placing front-end servers inside the perimeter network is one approach to deploying a front-end and back-end topology within a perimeter network. However, the recommended approach is depicted in the first scenario, Advanced Firewall in a Perimeter Network. This approach involves placing the front-end and back-end servers inside the intranet and placing an advanced firewall (such as ISA Server) in the perimeter network. The advanced firewall can provide application protocol filtering and perform additional authentication on requests before it proxies them to the internal network.

Setup Instructions

For detailed setup instructions, see How to Set

How to Set Up a Front-End and Back-End Topology with a Front-End Server in a Perimeter Network

You can create a front-end and back-end topology with a front-end server in a perimeter network. The following figure illustrates the front-end and back-end scenario with a front-end server in a perimeter network. In this scenario, you place the front-end server between the Internet firewall and the internal firewall.

[Figure: Exchange front-end server in a perimeter network]

Before You Begin

Before you perform the procedure in this topic, it is important that you first read the following:

Scenarios for Deploying a Front-End and Back-End Topology

to only the ports required and to only the designated front-end server.

2. Configure the inner (intranet) firewall to have certain ports open to support authentication, DNS, and Active Directory access. The exact list depends on the balance of security and features that each corporation chooses.

For More Information

For information about how to configure Internet and intranet firewalls, see Configuring Firewalls.

Configuring Exchange Front-End Servers

A front-end server is an ordinary Exchange server until it is configured as a front-end server.

A front-end server must not host any users or public folders.

A front-end server must be a member of the same Exchange organization as the back-end servers (therefore, a member of the same Windows forest).

For detailed instructions about how to designate an Exchange server as a front-end server, see How to Designate a Front-End Server.

How to Designate a Front-End Server

A front-end server is an Exchange server that accepts requests from clients and proxies them to the appropriate back-end server for processing.

Before You Begin

To successfully complete the procedures in this topic, confirm the following:

The server that you will designate as a front-end server is a member of the same Microsoft Windows forest as the back-end servers.

The server that you will designate as a front-end server is a member of the same Exchange organization as the back-end servers.

Procedure

To designate a front-end server

1. Install the server that will be running Exchange Server in the organization.

Note:
With Exchange 2000 Server, only Enterprise Edition servers can be configured as front-end servers. In Exchange Server 2003, both Standard Edition and Enterprise Edition can be configured as front-end servers.

2.

Creating HTTP Virtual Servers

You must use Exchange System Manager, not Internet Services Manager, when you create virtual servers. When you create virtual servers in Exchange System Manager, you do not need to simplify the

If the virtual server points to a public folder, select the appropriate public folder to act as the root public folder for this virtual server.

3. Click Advanced, and then add host headers that define all the names a client might use to contact this front-end server.

Note:
If a front-end server is used internally and externally, it is recommended that you list both a hostname and a fully qualified domain name.

Configuring Authentication

It is highly recommended that you use dual authentication, in which both front-end and back-end servers are configured to authenticate users. By default, front-end servers are c