Can you put the Exchange back-end server in a different domain and the front-end server in a different domain with different domain names? How does OWA work with a different domain name?
With that in mind, let's think about the Exchange FE/BE configuration. As you can probably tell already, if you put a FE Exchange Server on the DMZ, you have broken your DMZ security zone, because the FE Exchange Server must be a member of the same domain as your internal network BE Exchange Server. While you can do this, it is rather difficult to allow intradomain communication across the ISA Server. You can see how to do this at www.isaserver.org/shinder. The only MS-approved way of allowing intradomain communication across the ISA Server is to create a VPN connection between a DMZ host and the external interface of the ISA Server. This solution, while possible, is tricky because keeping the VPN interface active can be problematic and requires someone to 'babysit' the connection more than you might like.
You should put both the FE and the BE Exchange Servers in the same domain and put both of them on a LAT segment on the internal network. Then you can use IPSec filtering to control inbound and outbound access to and from that segment. Another option is to use RRAS routing if both segments are directly connected to the ISA Server itself. As you can see, there are a lot of options for creating a 'screened subnet,' even though that subnet is on a LAT segment.
Finally, remember that the FE/BE configuration is not a security configuration. It's a fault tolerance and load balancing configuration. If you require fault tolerance and load balancing, then the FE/BE configuration is for you. If not, you might just want to configure a normal Exchange Server setup.
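As an added illustration of the "IPSec filtering on a LAT segment" option described in the answer (this is not part of the original answer or of any Microsoft documentation), the commands below build a local IPSec policy on a front-end server that permits only HTTPS (OWA) from anywhere plus unrestricted traffic from the internal LAN segment, and blocks everything else. It assumes the Windows Server 2003 `netsh ipsec static` context and the constructed addresses 10.0.1.0/24 for the internal LAN; adjust the ports and segments to what your own FE/BE deployment actually needs.

```powershell
# Constructed example: lock down a front-end Exchange server on a LAT segment
# with a local IPSec filtering policy. Run from an elevated prompt on the FE host.
# Assumed addresses (not from the original answer):
#   internal LAN / BE servers : 10.0.1.0 mask 255.255.255.0
#   OWA client traffic        : TCP 443 from any address to this host ("Me")

# 1. Create the policy container.
netsh ipsec static add policy name="FE-Segment" description="Front-end Exchange filtering"

# 2. Filter list: HTTPS from any client to this host (mirrored so replies are matched).
netsh ipsec static add filterlist name="OWA-HTTPS"
netsh ipsec static add filter filterlist="OWA-HTTPS" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=443 mirrored=yes

# 3. Filter list: all traffic between this host and the internal LAN segment
#    (the FE/BE, directory and authentication traffic the answer refers to).
netsh ipsec static add filterlist name="Internal-LAN"
netsh ipsec static add filter filterlist="Internal-LAN" srcaddr=10.0.1.0 srcmask=255.255.255.0 dstaddr=Me protocol=ANY mirrored=yes

# 4. Filter list: everything else reaching this host.
netsh ipsec static add filterlist name="All-Other"
netsh ipsec static add filter filterlist="All-Other" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes

# 5. Filter actions: plain permit and plain block (no negotiation).
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

# 6. Rules: more specific permits first, catch-all block last.
netsh ipsec static add rule name="Allow-OWA" policy="FE-Segment" filterlist="OWA-HTTPS" filteraction="Permit"
netsh ipsec static add rule name="Allow-Internal" policy="FE-Segment" filterlist="Internal-LAN" filteraction="Permit"
netsh ipsec static add rule name="Block-Rest" policy="FE-Segment" filterlist="All-Other" filteraction="Block"

# 7. Assign (activate) the policy, then review what is in force.
netsh ipsec static set policy name="FE-Segment" assign=y
netsh ipsec static show policy name="FE-Segment" level=verbose
```

IPSec filter matching is most-specific-first rather than ordered, so the catch-all "All-Other" block only applies to traffic that matches neither of the narrower permit filters; verify the result with the final `show policy` before relying on it.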
This was first published in March 2002