Locking Down Front-end and Back-end Server Communications

The very nature and capabilities of a front-end (FE) and back-end (BE) Exchange Server 2003 configuration lends itself to a more secure environment. An FE server hosts only the Internet Information Services (IIS) virtual server that provides the interface to users and communicates with the BE virtual server. It should not, by definition, host Exchange information stores containing messaging data. Only the back-end servers contain information stores so that messaging data is not easily accessible from outside the organization.

TCP and UDP Ports

Many organizations place FE servers in the perimeter network (also known as the DMZ) to segment the internal network from those servers requiring some degree of exposure to the Internet. As a result, ports must be opened on the firewall to enable for the FE and BE servers to communicate. Other ports might also be necessary depending on the services being offered and the configuration of the messaging environment.

Table 13.1 lists the common inbound ports to open to the OWA FE servers.

Table 13.1. Inbound Ports to the OWA FE

Table 13.2 lists the commonly required ports between FE and BE Exchange Server 2003 servers. Some of these ports are optional, and the specific ports that the organization might require will vary depending on the messaging environment.

Table 13.2. Commonly Used Ports Between FE and BE Exchange Servers

The ports listed in Table 13.3 are optional.

Table 13.3. Optional Ports Between FE and BE Exchange Servers

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.