Understanding Front-End Servers

Front-end servers are deployed in an Exchange Server architecture that distributes server tasks among front-end and back-end servers. In this architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing and management of the information store. Exchange Server 2003 enhances the front-end and back-end server architecture of Exchange 2000 and adds new features and capabilities, such as RPC over HTTP communication, that enables users with Outlook 2003 clients to access their Exchange information from the Internet. In addition, the HTTP communication between front-end and back-end servers is enabled with Kerberos authentication by default; no longer is it necessary to configure and enable IPSec server-to-server communication unless the server is in a public network. Moreover, the scalability of the exchange organization is now enhanced because the topology can grow as the organization grows; back-end servers can easily be added to handle additional users, connections, or processing requests. Finally, the standard version of Exchange Server 2003 can also be configured as a front-end server, reducing initial software costs.

Using front-end and back-end server technology also provides the following advantages both for remote users accessing email over the Internet and users who are located on the internal network:

• Single Namespace A single, consistent namespace such as https://Outlook Web Access Server/exchange for mailbox access allows administrative flexibility when adding or removing back-end servers, without affecting users who are accessing the front-end server. A single namespace also remains scalable for HTTP, POP, or IMAP access as the organization grows and reduces the number of server SSL certificates, because client computers are using SSL to the same servers and namespace.

• Offloading of SSL encryption and decryption SSL traffic presents a large overhead for Exchange servers. In a front-end and back-end setup, the front-end server assumes the load of the SSL encryption, freeing up the back-end server to handle email requests and processing only, improving overall email performance for the users.

• Improved Public Folder access Because a front-end server knows the state of a back-end server, the front-end server can provide multiple requests to public folder data and system data, such as calendar free/busy information. Exchange 2003 enhances the usability of OWA when using a front-end server by allowing OWA users to read, reply, and forward public folder postings. Public folder posts can be read only in a nonfront-end server topology.

• Security The front-end server can be positioned as the single point of access in front of or behind a firewall. It contains no user data stored in the server and acts as an additional layer of security for the exchange organization against Denial of Service attacks, authenticating requests before proxying them to the back-end servers. Any services that are not needed can be disabled on these servers for further security hardening.

Note

These are just a few of the advantages provided by a front-end/back-end server architecture. To fully understand the advantages of this architecture, check out whitepapers available on the Microsoft Exchange website at http://www.microsoft.com/exchange/default.mspx.

Typical Scenarios for Front-End Servers

There are common implementation scenarios for front-end and back-end server architecture. The first implementation involves email clients (Outlook, POP, or IMAP, OWA [HTTP], OMA [HTTP]) and a network or Internet connection to the front-end server that is serving requests to the back-end server over the internal network. As shown in Figure 2.1 and 2.2, this configuration involves limited security with the front-end server acting as a single layer of protection between the network or Internet and the back-end Exchange server.

The second scenario, shown in Figure 2.3, involves more security that includes an advanced firewall, such as Microsoft's Internet Security and Acceleration (ISA) service configured with Service Pack 1 and the latest feature packs. The advanced firewall is located between the network or Internet and the front-end server.

This configuration provides greater security and limits the front-end server's exposure to unwanted intruders. The firewall becomes the focal point for Denial of Service attacks and intrusion/penetration attacks rather than the front-end server. This scenario represents the recommended configuration for front-end and back-end server architecture.