Lesson 4: Front-End and Back-End Servers


In a small organization, it is typical to install a single server running Exchange Server 2003 and have it perform all of the Exchange-related tasks—host Internet virtual servers, host mailboxes, etc. In larger organizations with more complex network infrastructures, including multiple firewalls, demilitarized zones (DMZs, also known as perimeter networks), and a large number of Exchange servers, it is often advantageous to split the roles of Exchange Server into a front-end and back-end configuration. A front-end and back-end configuration needs to be carefully planned before you install Exchange Server 2003 servers into the organization. This is especially true when you are planning a large-scale deployment involving a number of Exchange Server 2003 servers and complex network and server access requirements from outside the firewall.

After this lesson, you will be able to

  • Understand front-end and back-end server concepts

  • Identify scenarios where you would use a front-end and back-end configuration

Estimated lesson time: 15 minutes

Front-End and Back-End Architecture

Having a front-end and back-end architecture allows you to manage Internet access protocols on a server that is separate from servers where mailbox and public folder stores are located. By splitting the functionality between servers, front-end servers handle incoming client connections while back-end servers are dedicated to running the mailbox and public folder stores.

All front-end and back-end servers must be in the same Active Directory forest. With Exchange 2000 Server, front-end servers were required to run the Enterprise Edition, but Exchange Server 2003, Standard Edition, supports configuration as a front-end server. A characteristic of, and in fact a requirement of, front-end servers is that they cannot host any mailboxes or public folders—in other words, no mailbox or public folder stores.

Benefits of Front-End and Back-End Architecture

Front-end and back-end architecture provides the following benefits:

  • Unified namespace: In a large organization with many Exchange servers, using front-end servers simplifies the administration. The primary advantage of front-end and back-end server architecture is the ability to have a single, consistent namespace through which users can access their mailboxes when there is more than one server (for example, http://www.contoso.com/exchange for Outlook Web Access). Users do not need to know the names of the servers that store their mailboxes, and if you want to move users' mailboxes from one server to another, there is no need to reconfigure the client computers.

  • Reduced overhead for SSL: When connections are made using Secure Sockets Layer (SSL), information is encrypted and decrypted, which is processor-intensive and can negatively affect server performance. In a front-end and back-end configuration, the front-end server handles the SSL encryption and decryption with the client, and the front-end and back-end servers communicate with each other without the overhead of SSL encryption, which means that traffic on that internal hop is not protected by SSL. The result is improved performance and a greater number of users that can be supported than if you were using a single server.

  • Firewalls: You can place the back-end server behind a firewall that is configured to allow only traffic from the front-end server. You can also place the front-end server on or behind an Internet firewall that is configured to allow Internet traffic only to the front-end server; the front-end server provides an additional layer of security because it does not contain user information. You can also configure the front-end server to authenticate requests before sending them to the back-end server; this configuration protects back-end servers from most denial of service (DoS) attacks.

The front-end server does not require much disk storage, but it should have a fast central processing unit (CPU) and a large amount of memory. If you enable SMTP on the front-end server, you should back up the hard disks because SMTP commits queued mail to the local disk. In addition, if the front-end server faces the Internet and accepts messages from Internet users, ensure that you have adequate virus scanning installed on the server.

Tip

To increase performance, you can use an SSL accelerator card on the front-end server, or you can position an external SSL accelerator device between the clients and the front-end server. If you have a small number of front-end servers, an SSL accelerator card is simple and cost-effective. For a large number of servers, an external accelerator is more cost-effective because you need to store and configure an SSL certificate only once.

Front-End and Back-End Scenarios

The following are scenarios in which front-end and back-end architecture is commonly used.

Standard Front-End and Back-End Topology

To maintain a single namespace for e-mail servers while distributing users among several servers, you could designate a single server as a front-end server and have several back-end mailbox servers. In this scenario, you direct HTTP, POP3, and IMAP4 users to the front-end server and ensure that all virtual servers and virtual directories on the front-end server are configured identically on the back-end servers. By doing this, you could supply all external users with a common mail server name to access without having to worry about which server actually holds an individual's mailbox. The front-end server would communicate with the back-end server to find the appropriate mailbox and transfer message data as necessary.

See Also

Internet Protocol virtual servers and virtual directories are discussed in Chapter 9, "Virtual Servers."

Front-End Server Behind the Firewall

One of the biggest benefits of a front-end and back-end architecture is with respect to making e-mail services available to Internet-based users. A common e-mail service that Exchange Server provides is Outlook Web Access (OWA), which integrates with IIS to make user mailboxes and public folders available to users by accessing them through a Web browser. To achieve security and still provide access to OWA, POP3, or IMAP4 from the Internet, you can place the Exchange organization behind the corporate firewall. At a minimum, the firewall must use port filtering to protect the front-end server from the Internet. If your firewall solution supports Internet Protocol (IP) address filtering, you should configure IP address filtering to accept requests that are directed to the front-end server and to block requests that are directed to other servers in the organization. By using this type of configuration, external users are unable to connect to anything except the specific mail ports on the front-end server and are unable to access the back-end servers (or other servers) directly. This provides an additional level of security over the standard front-end and back-end topology.
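The filtering policy described above and in the Firewalls benefit can be checked mechanically against a rule export. The following is an added example, not part of the original lesson: the addresses, rule names and rule format are constructed assumptions, and the port numbers are the well-known ports for the protocols the lesson names.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumptions, not values from the lesson).
FRONT_END = ip_network("192.0.2.10/32")
BACK_ENDS = [ip_address("10.0.0.21"), ip_address("10.0.0.22")]
INTERNAL = ip_network("10.0.0.0/24")
# Well-known ports for the client protocols the lesson names: HTTP/HTTPS (OWA),
# POP3 and IMAP4, plus their SSL variants. SMTP (25) is left out on purpose;
# add it only if SMTP is enabled on the front-end server.
MAIL_PORTS = {80, 443, 110, 995, 143, 993}

# Constructed allow rules: (name, source CIDR, destination CIDR, TCP port).
SAMPLE_RULES = [
    ("owa-https", "0.0.0.0/0", "192.0.2.10/32", 443),
    ("pop3", "0.0.0.0/0", "192.0.2.10/32", 110),
    ("fe-to-be-http", "192.0.2.10/32", "10.0.0.0/24", 80),
    ("rdp-front-end", "0.0.0.0/0", "192.0.2.10/32", 3389),
    ("legacy-imap", "0.0.0.0/0", "10.0.0.21/32", 143),
    ("web-any", "0.0.0.0/0", "192.0.2.0/24", 80),
]

def audit(rules):
    """Return (rule name, problem) for each allow rule that breaks the policy."""
    findings = []
    for name, src, dst, port in rules:
        src_net, dst_net = ip_network(src), ip_network(dst)
        from_front_end = src_net == FRONT_END
        if any(b in dst_net for b in BACK_ENDS):
            # Back-end servers accept traffic from the front-end server only.
            if not from_front_end:
                findings.append((name, "back-end reachable from a source other than the front-end"))
        elif not from_front_end and not src_net.subnet_of(INTERNAL):
            # External source: may reach only the front-end, only on mail ports.
            if dst_net != FRONT_END:
                findings.append((name, "external traffic allowed to a host other than the front-end"))
            elif port not in MAIL_PORTS:
                findings.append((name, "non-mail port exposed on the front-end"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```
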

Load Balancing on the Front-End Server

To provide a single namespace through which users can access mailboxes while avoiding a bottleneck or single point of failure on the front-end server, use Network Load Balancing to spread the load over multiple front-end servers. The load-balancing solution you use should ensure that each user is always sent to the same front-end server for the duration of a session. Network Load Balancing requires the Enterprise Edition of Windows 2000 Server or Windows Server 2003.

See Also

For more information on Network Load Balancing, see Chapter 6, "Microsoft Exchange Server 2003 and Clustered Environments." In this chapter, you will examine configuring Exchange Server 2003 as a front-end server and how you would manage the front-end and back-end architecture and troubleshoot problems related to it.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

  1. Describe three reasons that you would want to use a front-end and back-end server architecture.

  2. What versions of Exchange Server can be configured as front-end servers?

    1. Exchange Server 2000, Standard Edition

    2. Exchange Server 2000, Enterprise Edition

    3. Exchange Server 2003, Standard Edition

    4. Exchange Server 2003, Enterprise Edition

  3. You are part of a team that is planning a large-scale Exchange Server 2003 deployment. Part of your role in the design is to research and recommend a solution to the problem of managing the remote access of mailboxes on 100 servers running Exchange Server 2003. Approximately 25,000 users will be accessing their mailboxes with connections coming into the network from the Internet, utilizing OWA and POP3. These connections from the Internet are not over a virtual private network (VPN), so they are unsecured. You know that you will recommend using front-end servers so the Exchange Server 2003 administration team will have an easier time managing remote access to the user mailboxes, but what type of configuration would be most appropriate for the needs of the organization?

  4. You are a senior Exchange administrator for Contoso, Ltd., which has recently acquired Fabrikam, Inc. The companies have not yet fully merged and so are still two distinct Active Directory forests. You have been asked to begin to merge the Exchange Server 2003 organizations. You want to configure Contoso's front-end server infrastructure to support Fabrikam's servers running Exchange Server 2003. This would make remote user access consistent between organizations as everyone could use the same server addresses when configuring their mail clients. When you present your plan to the Exchange steering committee, consisting of senior Exchange administrators from both Contoso and Fabrikam, the plan is rejected. Why?

Lesson Summary

  • Front-end and back-end server architecture is an effective means of simplifying mail and folder access to remote external users through a unified namespace.

  • Front-end and back-end server architecture can be used to create a more secure Exchange environment by preventing external users from directly accessing servers that contain mailbox data.

  • Front-end and back-end server architecture can reduce the burden on mailbox servers by allowing front-end servers to process SSL between the client and the front-end server.




MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing Microsoft® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
EAN: 2147483647
Year: 2003
Pages: 221
