Configuring Front-end and Back-end Servers


Exchange 2000 required the Enterprise version of Exchange on any server that was to run as a front-end server. This is no longer the case in Exchange Server 2003: the Standard version of the software can also run as a front-end server. To configure a front-end server, use Exchange System Manager to open the properties of the server and select the This is a front-end server check box, as shown in Figure 10.4.

Figure 10.4. Creating a front-end server.


After the server has been made into a front-end server, the Exchange POP3, Exchange IMAP, and World Wide Web Publishing Service services must be restarted, as shown in the prompt in Figure 10.5.

Figure 10.5. Finalizing front-end server creation.


Unless the front-end server will be accessed by an alias name, the configuration is complete. If the server will be accessed by one or more alias names, a custom virtual server and virtual directories need to be created on the front-end server, and a corresponding HTTP virtual server and virtual directories should be created on the back-end servers.

Using the Default HTTP Virtual Server for Internet Clients

Most organizations use front-end and back-end servers to support Internet clients, and this section demonstrates that type of configuration. It provides a best-practice solution for supporting Internet clients with the default HTTP virtual server configuration. Much of the information in the industry regarding configuring front-end/back-end servers is conceptually crystal clear but extremely vague when it comes to the implementation. To complete the front-end/back-end server configuration:

  1. Verify that the This is a front-end server check box is marked in Exchange System Manager. Don't restart any services or reboot yet.

  2. Create an alias name in the external DNS for the HTTP front-end server, such as Webmail.companyabc.com.

    NOTE

    This front-end server alias could also be used on the internal DNS if internal clients will also be using the front-end server.

  3. Add the DNS alias as a Host Header to the Default Web site in Internet Service Manager on the front-end server.

  4. Configure the simplified URL mentioned earlier in this section to automatically redirect clients to the /exchange Web site when they connect to the front-end server. Also mark this redirection as permanent.

  5. In Internet Services Manager, disable Integrated Windows Authentication and verify that Basic Clear Text Authentication is selected on the Default Web site on the front-end server. Propagate these settings to the other Web sites on the front-end server when prompted after clicking Apply or OK.

  6. Reboot the front-end server.

  7. Do not make any changes to the back-end server's HTTP virtual server or virtual directory configuration.

  8. Test the configuration internally.

  9. Configure the Default Web Site for SSL authentication. See the section "Using SSL to Secure Access to the Front-end Server," later in this chapter.

  10. Retest the configuration internally.

  11. Optimize the front-end server by disabling unnecessary services and removing unnecessary databases.

  12. Open port 443 for SSL access to the front-end server through the firewall and perform other firewall configurations if necessary.

  13. Retest the front-end server access from the Internet.
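For the retests in steps 10 and 13, the following added example (not code from the book) audits captured HTTP responses against steps 4, 5 and 9: a permanent redirect to /exchange, Basic offered with Integrated Windows Authentication off, and no answer over plain HTTP. The function names, the sample responses and the expectation that IIS refuses plain HTTP with status 403 once SSL is required are assumptions of this example.

```python
# Added example, not from the book; hostnames and responses are constructed.

def auth_schemes(headers):
    """Return the schemes offered in WWW-Authenticate headers, lowercased."""
    return {v.split()[0].lower() for k, v in headers
            if k.lower() == "www-authenticate" and v.strip()}

def audit_frontend(responses):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for r in responses:
        where = f"{r['scheme']} {r['path']}"
        schemes = auth_schemes(r["headers"])
        location = dict((k.lower(), v) for k, v in r["headers"]).get("location", "")
        if r["scheme"] == "http":
            # Step 9 (assumption): plain HTTP is refused with 403 once SSL is required.
            if r["status"] != 403:
                findings.append(f"{where}: plain HTTP answered with {r['status']}")
            if "basic" in schemes:
                findings.append(f"{where}: Basic credentials requested without SSL")
        elif r["path"] == "/":
            # Step 4: permanent (301) redirect to the /exchange Web site.
            if r["status"] != 301 or not location.rstrip("/").lower().endswith("/exchange"):
                findings.append(f"{where}: no permanent redirect to /exchange")
        else:
            # Step 5: Integrated Windows Authentication off, Basic on.
            if schemes & {"negotiate", "ntlm"}:
                findings.append(f"{where}: Integrated Windows Authentication still offered")
            if r["status"] == 401 and "basic" not in schemes:
                findings.append(f"{where}: Basic authentication not offered")
    return findings

BASIC = ("WWW-Authenticate", 'Basic realm="webmail.companyabc.com"')
GOOD = [  # constructed: server configured as in steps 1-9
    {"scheme": "http", "path": "/", "status": 403, "headers": []},
    {"scheme": "https", "path": "/", "status": 301,
     "headers": [("Location", "https://webmail.companyabc.com/exchange")]},
    {"scheme": "https", "path": "/exchange", "status": 401, "headers": [BASIC]},
]
BAD = [  # constructed: SSL not required, temporary redirect, Integrated left on
    {"scheme": "http", "path": "/exchange", "status": 401, "headers": [BASIC]},
    {"scheme": "https", "path": "/", "status": 302, "headers": [("Location", "/exchange")]},
    {"scheme": "https", "path": "/exchange", "status": 401,
     "headers": [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]},
]

for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
    print(name, audit_frontend(sample) or "all checks passed")
```

The responses can be captured with any HTTP client that records the status code and headers without following redirects or sending credentials.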

Configuring the Back-end Server

If the organization chooses to use the default HTTP virtual server on the front-end server and internal and external HTTP clients will be serviced by the same front-end server, no configuration is necessary on the back-end server. However, if the front-end server is isolated from internal clients through a firewall, it might be necessary to have internal HTTP clients access the back-end server directly. If this is the case, it might be necessary to configure an alias name, such as webmail.companyabc.com, in the internal DNS. Another option organizations may consider to support internal clients is to use the simplified URL mentioned earlier in this chapter and either SSL or Integrated Windows Authentication, the default authentication method for back-end servers.

As previously mentioned, it is possible to use one HTTP virtual server for all front-end servers with either the default or custom-configured HTTP virtual servers. With custom configurations, organizations also have the choice to configure one virtual server on the back-end server per front-end server. To configure additional HTTP virtual servers to support custom configurations, right-click on the HTTP protocol folder under the back-end server in Exchange System Manager and select New Virtual Server. Figure 10.6 shows a custom virtual server being configured for all front-end servers.

Figure 10.6. Configuring an HTTP virtual server.


The next step is to create the virtual directories. Create the virtual directories by right-clicking the HTTP virtual server and selecting New Virtual Directory. Two virtual directories should be created, one directory for mailboxes and the other for public folders. It's best to use the names Exchange and public if the virtual directories will allow access to all public folder trees and the entire domain for mailboxes. No other settings need to be changed when creating the virtual directories unless authentication needs to be disabled on the front-end server. The next step is to create the same HTTP virtual server and directories on every back-end server that contains mailboxes that will be accessed through the front-end server. Finally, verify that the HTTP virtual server and virtual directory configuration have been created on all front-end servers.

Using SSL to Secure Access to the Front-end Server

To use SSL to secure client access to the front-end server, the server requires a certificate. Certificates can be generated through Certificate Services or by a third-party CA. After the certificate is created, it should be installed on the Exchange virtual server that was created for the front-end server. If the default Exchange virtual server is being used for the front-end server, the certificate should be added to the default Web site.

NOTE

Ensure that the license logging service is running on the front-end server to allow more than 10 simultaneous SSL connections to the front-end server.


If you are using an HTTP virtual server other than the default on the front-end server, and if clients access the front-end server through a redirection on the default Web site, the certificate also should be installed on the default Web site.

To request and install a certificate, open Internet Services Manager and access the properties of the Web site. Select the Directory Security tab and click the Server Certificate button. This accesses the Web Server Certificate Wizard, which will step you through requesting or installing the certificate.

After the certificate is installed on the Web site, SSL must be enabled so that the server will accept requests only over SSL. To enable SSL, access the Web site properties through Internet Services Manager and select the Directory Security tab. Click the Edit button under Secure Communications and check the box for Require secure channel (SSL), as shown in Figure 10.7. Check the Require 128-bit encryption box only if the clients' browsers support 128-bit encryption; otherwise, the client will be denied access.

Figure 10.7. Enabling SSL for secure client access.


NOTE

Each virtual server instance that requires SSL needs to have a unique certificate associated with it, which is an important consideration when determining the number of virtual servers that will be required.




Microsoft Exchange Server 2003 Unleashed
Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto
