The very nature and capabilities of a front-end (FE) and back-end (BE) Exchange Server 2003 configuration lend themselves to a more secure environment. An FE server hosts only the Internet Information Services (IIS) virtual server that provides the interface to users and communicates with the BE virtual server. By definition, it should not host Exchange information stores containing messaging data. Only the back-end servers contain information stores, so messaging data is not easily accessible from outside the organization.

TCP and UDP Ports

Many organizations place FE servers in the perimeter network (also known as the DMZ) to segment the internal network from those servers that require some degree of exposure to the Internet. As a result, ports must be opened on the firewall to enable the FE and BE servers to communicate. Other ports might also be necessary depending on the services being offered and the configuration of the messaging environment. Table 13.1 lists the common inbound ports to open to the OWA FE servers.

Table 13.1. Inbound Ports to the OWA FE
Table 13.2 lists the commonly required ports between FE and BE Exchange Server 2003 servers. Some of these ports are optional, and the specific ports that the organization requires will vary depending on the messaging environment.

NOTE

SSL cannot be used between an FE and BE server. If the organization's security policy dictates that communication between the FE and BE servers is encrypted, implement IPSec.

Table 13.2. Commonly Used Ports Between FE and BE Exchange Servers
The ports listed in Table 13.3 are optional.

Table 13.3. Optional Ports Between FE and BE Exchange Servers
TIP

To avoid having to leave a large number of RPC ports open, statically map them to a standardized port number. To statically map the port, create a registry value called TCP/IP Port of type REG_DWORD in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
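The following PowerShell script is an added example of applying that tip; it is not part of the book's text. It creates (or updates) the TCP/IP Port value under the NTDS\Parameters key named above and reads it back so the change can be verified. Because the key belongs to the NTDS service, the value is set on the domain controllers that the FE servers query, not on the Exchange servers themselves. The port number 57500 is an assumption chosen for illustration; substitute the port your organization has reserved.

```powershell
# Added example (not from the book): pin the NTDS RPC endpoint to one fixed
# TCP port so the firewall can permit a single port instead of the whole
# dynamic RPC range. Run in an elevated session on the domain controller.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'TCP/IP Port'
$Port      = 57500   # assumed value for illustration, not taken from the text

function Set-NtdsStaticRpcPort {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1024, 65535)]
        [int]$Port,

        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    # The NTDS key only exists on a domain controller; fail early elsewhere.
    if (-not (Test-Path -Path $Path)) {
        throw "Registry key '$Path' not found. This must run on a domain controller."
    }

    # Create the REG_DWORD value if absent, otherwise overwrite it in place.
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $Path -Name $Name -Value $Port -PropertyType DWord | Out-Null
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value $Port
    }

    # Read the value back and return it so the caller can verify the result.
    return (Get-ItemProperty -Path $Path -Name $Name).$Name
}

function Get-NtdsStaticRpcPort {
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # not pinned: dynamic RPC port in use
    return [int]$item.$Name
}

# Apply and verify.
$configured = Set-NtdsStaticRpcPort -Port $Port
if ($configured -ne $Port) {
    throw "Expected port $Port but the registry now reports $configured."
}
Write-Host "NTDS RPC port pinned to $configured. The change takes effect after the domain controller is restarted."

# After the restart, confirm that NTDS is listening on the pinned port:
#   netstat -ano | findstr ":$Port "
# and confirm the value is still present:
Write-Host ("Current setting: {0}" -f (Get-NtdsStaticRpcPort))
```

Clients still contact the RPC endpoint mapper first to learn which port NTDS uses, so the firewall rule between the FE server and the domain controller must allow the endpoint mapper's port together with the single pinned port; the benefit is that the rest of the dynamic RPC range can stay closed.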