Re: OWA in DMZ - HowTo
- From: "Aaron Guilmette" <aguilmette@xxxxxxx>
- Date: Mon, 20 Jun 2005 14:27:32 -0400
Yes, you need to install Exchange on the FE servers, and then select
"Front-End Server" in Exchange System Manager for the server(s) that will be
in the DMZ. Your FE's need to be a member of the domain in order to install
Exchange and join the organization.
Additionally, you'll need to open a bunch of ports on your firewalls:
Firewall ports to open / ensure open to outside world from OWA / SMTP servers:
- 25, Internet to OWA (if OWA is also acting as SMTP router)
- 443, Internet to OWA (80 if you're not using SSL)

Firewall ports to open / ensure open between OWA and Active Directory / Exchange back-end servers:
- MAIL ROUTING
  - 25 TCP, OWA to Exchange BE (if OWA is also acting as SMTP router)
  - 80 TCP, OWA to Exchange BE
  - 691 TCP, OWA to Exchange BE
- DIRECTORY SERVICES / AUTHENTICATION
  - 389 UDP, OWA to Active Directory
  - 389 TCP, OWA to Active Directory
  - 3268 TCP, OWA to Active Directory
  - 88 UDP, OWA to Active Directory
  - 88 TCP, OWA to Active Directory
- DNS
  - 53 UDP, OWA to DNS
  - 53 TCP, OWA to DNS
- RPC
  - 135 TCP, OWA to Active Directory
  - 1024+ TCP, OWA to Active Directory for RPC auth traffic, *or* 1 fixed TCP port, OWA to Active Directory
    ** This port is set on the DC/GC's to which OWA will authenticate ... the reg key is HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port, type DWORD, Decimal for the port number you want to use. I usually use 9910 because there aren't any well-known services registered to this port and no known Trojans/Viruses that utilize this port (yet)
  - 6001 TCP, OWA to Exchange BE (RPC over HTTP/S traffic)
  - 6002 TCP, OWA to Exchange BE (RPC over HTTP/S traffic)
While it's not the "best" configuration option from Microsoft's perspective
(they want to sell you ISA Server), I've used it at many clients
(particularly those that are mixed Windows/Unix shops) because most of my
clients don't want to install ISA into their network. For most people who
have an existing DMZ infrastructure, this is usually the route I take
because you can make Exchange fit this mold a whole lot easier than you can
try to introduce another network device into most organizations. While I
personally think ISA 2004 is a great product with a lot of flexibility, most
old-school firewall guys will laugh you out of their cubes if you mention
that you want to use a Microsoft product in a security role and you'll lose
your credibility. ;-)
As an aside, what is making you go with the Exchange 2003 Enterprise in the
back-end?
Aaron
"Stefano Rivoli" <9afd9fd2-1512655832@xxxxxxxxxxxxxx> wrote in message
news:1m2iiwx0ux7p1.1t175suaoq657.dlg@xxxxxxxxxxxxx
> I'm planning the deployment of the new messaging system in our company. The
> Exchange 2003 ENT will reside in LAN. Many users need to access their
> mailboxes using POP, IMAP and HTTP (OWA). In DMZ we have 2 W2K ADV (NLB).
> The best solution would be installing OWA on the W2K servers in DMZ and
> opening 2 ports needed for outside users to download mail via POP or IMAP.
> But installing OWA on a stand-alone server (which does not have Exch) seems
> to be impossible. So AFAIK the only solution is: install EXCH 2003
> Front-end on both W2K ADV servers in DMZ.
> The questions are:
> - Is it confirmed that OWA cannot be installed on a stand-alone server?
> - If installing front-end servers is the only solution, will I need 3
>   server licenses (2 for each front-end + 1 for the back-end server)?
> - Considering this last configuration, may I install STD version of Exch on
>   front-end and ENT on back-end?
>
> Thank you for any suggestions.
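The port matrix in the reply above, turned into a firewall policy audit as an added example (not from the original thread): it encodes the required flows with the NTDS RPC port pinned the way the reply suggests, then checks a constructed sample rule set for flows that are missing and for rules that permit far more than the matrix needs. The zone names, the `Rule` type and the `audit` function are assumptions of this example.

```python
# Added example, not from the original thread: audit a DMZ firewall policy
# against the OWA front-end flow matrix in the reply above. Zone names
# ("internet", "owa", "be", "ad", "dns") and the sample policy are constructed.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str
    dst: str
    proto: str
    lo: int  # first permitted port
    hi: int  # last permitted port (== lo for a single port)

def covers(rule: Rule, flow: Rule) -> bool:
    """True if rule permits flow: same zones and protocol, flow's range inside rule's."""
    return rule[:3] == flow[:3] and rule.lo <= flow.lo and flow.hi <= rule.hi

# Flows from the reply, with the NTDS RPC port pinned (9910 is the value the
# reply suggests) so the open-ended "1024+" range is not needed at all.
RPC_FIXED_PORT = 9910
REQUIRED = [Rule(*t) for t in [
    ("internet", "owa", "tcp", 25, 25), ("internet", "owa", "tcp", 443, 443),
    ("owa", "be", "tcp", 25, 25), ("owa", "be", "tcp", 80, 80),
    ("owa", "be", "tcp", 691, 691), ("owa", "be", "tcp", 6001, 6002),
    ("owa", "ad", "udp", 389, 389), ("owa", "ad", "tcp", 389, 389),
    ("owa", "ad", "tcp", 3268, 3268), ("owa", "ad", "udp", 88, 88),
    ("owa", "ad", "tcp", 88, 88), ("owa", "ad", "tcp", 135, 135),
    ("owa", "ad", "tcp", RPC_FIXED_PORT, RPC_FIXED_PORT),
    ("owa", "dns", "udp", 53, 53), ("owa", "dns", "tcp", 53, 53)]]

# Constructed sample policy: Kerberos UDP and DNS TCP were forgotten, and the
# legacy "1024+" RPC rule is still present although the fixed port is in use.
SAMPLE_RULES = [Rule(*t) for t in [
    ("internet", "owa", "tcp", 25, 25), ("internet", "owa", "tcp", 443, 443),
    ("owa", "be", "tcp", 25, 25), ("owa", "be", "tcp", 80, 80),
    ("owa", "be", "tcp", 691, 691), ("owa", "be", "tcp", 6001, 6002),
    ("owa", "ad", "udp", 389, 389), ("owa", "ad", "tcp", 389, 389),
    ("owa", "ad", "tcp", 88, 88), ("owa", "ad", "tcp", 135, 135),
    ("owa", "ad", "tcp", 1024, 65535), ("owa", "dns", "udp", 53, 53)]]

def audit(rules, required=REQUIRED):
    """Return (missing, overbroad): required flows no rule permits, and rules
    permitting ports the matrix does not need, with the count of extra ports."""
    missing = [f for f in required if not any(covers(r, f) for r in rules)]
    overbroad = []
    for r in rules:
        needed = {p for f in required if f[:3] == r[:3] for p in range(f.lo, f.hi + 1)}
        extra = (r.hi - r.lo + 1) - len(needed & set(range(r.lo, r.hi + 1)))
        if extra:
            overbroad.append((r, extra))
    return missing, overbroad
```

Running `audit(SAMPLE_RULES)` reports the two forgotten flows and flags the 1024-65535 rule as permitting 64510 ports beyond the fixed RPC port and the global catalog port it happens to cover.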